| Server IP : 178.212.43.201 / Your IP : 10.100.0.33 Web Server : Apache/2.4.37 (Oracle Linux Server) OpenSSL/1.1.1k System : Linux spa0007.srv.paxillus.pl 5.4.17-2136.355.3.1.el8uek.x86_64 #3 SMP Sat May 9 17:11:55 PDT 2026 x86_64 User : apache ( 48) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/scap-security-guide/ansible/ |
Upload File : |
---
###############################################################################
#
# Ansible Playbook for Australian Cyber Security Centre (ACSC) ISM Official
#
# Profile Description:
# This profile contains configuration checks for Oracle Linux 9
# that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM).
# The ISM uses a risk-based approach to cyber security. This profile provides a guide to aligning
# Oracle Linux security controls with the ISM, which can be used to select controls
# specific to an organisation's security posture and risk profile.
# A copy of the ISM can be found at the ACSC website:
# https://www.cyber.gov.au/ism
#
# Profile ID: xccdf_org.ssgproject.content_profile_ism_o
# Benchmark ID: xccdf_org.ssgproject.content_benchmark_OL-9
# Benchmark Version: 0.1.80
# XCCDF Version: 1.2
#
# This file can be generated by OpenSCAP using:
# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_ism_o --fix-type ansible ssg-ol9-ds.xml
#
# This Ansible Playbook is generated from an XCCDF profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this Ansible Playbook:
# $ ansible-playbook -i "localhost," -c local playbook.yml
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################
- name: Ansible Playbook for xccdf_org.ssgproject.content_profile_ism_o
hosts: all
vars:
var_system_crypto_policy: FIPS
var_authselect_profile: sssd
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '0'
var_password_pam_minlen: '20'
var_accounts_maximum_age_login_defs: '60'
var_accounts_minimum_age_login_defs: '1'
var_accounts_password_warn_age_login_defs: '7'
rsyslog_remote_loghost_address: logcollector
sysctl_kernel_kptr_restrict_value: '1'
var_selinux_policy_name: targeted
var_selinux_state: enforcing
var_auditadm_exec_content: 'true'
var_multiple_time_servers: 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
firewalld_sshd_zone: public
sshd_max_auth_tries_value: '5'
var_accounts_passwords_pam_faillock_dir: /var/log/faillock
var_auditd_flush: incremental_async
var_auditd_freq: '50'
var_auditd_name_format: hostname
tasks:
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Ensure aide is installed
ansible.builtin.package:
name: aide
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.3
- DISA-STIG-OL09-00-000300
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_aide_installed
- name: Ensure sudo is installed
ansible.builtin.package:
name: sudo
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000230
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sudo_installed
- name: Ensure rear is installed
ansible.builtin.package:
name: rear
state: present
when: not ( ( ( ansible_architecture == "aarch64" and ansible_distribution ==
'OracleLinux' and ansible_distribution_version is version('9.0', '>=') ) or
( ansible_architecture == "aarch64" and ansible_distribution == 'RedHat' and
ansible_distribution_version is version('9.0', '>=') ) or ( ansible_distribution
== 'RedHat' and ansible_distribution_version is version('8.4', '<=') and ansible_architecture
== "s390x" ) ) )
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_rear_installed
- name: Security patches are up to date
ansible.builtin.package:
name: '*'
state: latest
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000015
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- high_disruption
- low_complexity
- medium_severity
- patch_strategy
- reboot_required
- security_patches_up_to_date
- skip_ansible_lint
- name: Ensure rsyslog is installed
ansible.builtin.package:
name: rsyslog
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000350
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_rsyslog_installed
- name: Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- Ensure polkit-pkla-compat is installed
ansible.builtin.package:
name: polkit-pkla-compat
state: present
when: '"polkit" in ansible_facts.packages'
tags:
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(4)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- low_complexity
- low_disruption
- medium_severity
- network_nmcli_permissions
- no_reboot_needed
- restrict_strategy
- name: Ensure firewalld is installed
ansible.builtin.package:
name: firewalld
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000220
- NIST-800-53-CM-6(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_firewalld_installed
- name: Deactivate Wireless Network Interfaces - Ensure NetworkManager is installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- NetworkManager
when: ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman",
"container"] ) )
tags:
- DISA-STIG-OL09-00-006001
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSS-Req-1.3.3
- PCI-DSSv4-1.3
- PCI-DSSv4-1.3.3
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- wireless_disable_interfaces
- name: Enable the auditadm_exec_content SELinux Boolean - Ensure python3-libsemanage
Installed
ansible.builtin.package:
name: python3-libsemanage
state: present
when:
- ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline or lookup("env", "container") == "bwrap-osbuild"
or ansible_facts.selinux.status != "disabled" )
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-80424-5
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_auditadm_exec_content
- name: Ensure fapolicyd is installed
ansible.builtin.package:
name: fapolicyd
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000340
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(22)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_fapolicyd_installed
- name: Ensure chrony is installed
ansible.builtin.package:
name: chrony
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000310
- PCI-DSS-Req-10.4
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_chrony_installed
- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed'
ansible.builtin.package:
name: telnet-server
state: absent
tags:
- DISA-STIG-OL09-00-000110
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_telnet-server_removed
- name: 'Remove telnet Clients: Ensure telnet is removed'
ansible.builtin.package:
name: telnet
state: absent
tags:
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_telnet_removed
- name: 'Uninstall squid Package: Ensure squid is removed'
ansible.builtin.package:
name: squid
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_squid_removed
- unknown_severity
- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld and NetworkManager
packages are installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- firewalld
- NetworkManager
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- firewalld_sshd_port_enabled
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure usbguard is installed
ansible.builtin.package:
name: usbguard
state: present
when: ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- DISA-STIG-OL09-00-000320
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_usbguard_installed
- name: Ensure audit is installed
ansible.builtin.package:
name: audit
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000440
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit_installed
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Enable rsyslog Service - Enable service rsyslog
block:
- name: Enable rsyslog Service - Enable Service rsyslog
ansible.builtin.systemd:
name: rsyslog
enabled: true
state: started
masked: false
when:
- '"rsyslog" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000351
- NIST-800-53-AU-4(1)
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_rsyslog_enabled
- special_service_block
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- name: Verify firewalld Enabled - Enable service firewalld
block:
- name: Verify firewalld Enabled - Enable Service firewalld
ansible.builtin.systemd:
name: firewalld
enabled: true
state: started
masked: false
when:
- '"firewalld" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000221
- NIST-800-171-3.1.3
- NIST-800-171-3.4.7
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_firewalld_enabled
- special_service_block
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"firewalld" in ansible_facts.packages'
- name: Disable Avahi Server Software - Disable service avahi-daemon
block:
- name: Disable Avahi Server Software - Collect systemd Services Present in the
System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable Avahi Server Software - Ensure avahi-daemon.service is Masked
ansible.builtin.systemd:
name: avahi-daemon.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("avahi-daemon.service", multiline=True)
- name: Unit Socket Exists - avahi-daemon.socket
ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable Avahi Server Software - Disable Socket avahi-daemon
ansible.builtin.systemd:
name: avahi-daemon.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("avahi-daemon.socket", multiline=True)
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_avahi-daemon_disabled
- special_service_block
when: ( "avahi" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Enable the File Access Policy Service - Enable service fapolicyd
block:
- name: Enable the File Access Policy Service - Enable Service fapolicyd
ansible.builtin.systemd:
name: fapolicyd
enabled: true
state: started
masked: false
when:
- '"fapolicyd" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000341
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(22)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_fapolicyd_enabled
- special_service_block
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- name: The Chronyd service is enabled - Enable service chronyd
block:
- name: The Chronyd service is enabled - Enable Service chronyd
ansible.builtin.systemd:
name: chronyd
enabled: true
state: started
masked: false
when:
- '"chrony" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000311
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_chronyd_enabled
- special_service_block
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- name: Disable telnet Service - Disable service telnet
block:
- name: Disable telnet Service - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable telnet Service - Ensure telnet.service is Masked
ansible.builtin.systemd:
name: telnet.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("telnet.service", multiline=True)
- name: Unit Socket Exists - telnet.socket
ansible.builtin.command: systemctl -q list-unit-files telnet.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable telnet Service - Disable Socket telnet
ansible.builtin.systemd:
name: telnet.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("telnet.socket", multiline=True)
tags:
- NIST-800-171-3.1.13
- NIST-800-171-3.4.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-5(1)(c)
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- service_telnet_disabled
- special_service_block
when: ( "telnet-server" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Disable Squid - Disable service squid
block:
- name: Disable Squid - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable Squid - Ensure squid.service is Masked
ansible.builtin.systemd:
name: squid.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("squid.service", multiline=True)
- name: Unit Socket Exists - squid.socket
ansible.builtin.command: systemctl -q list-unit-files squid.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable Squid - Disable Socket squid
ansible.builtin.systemd:
name: squid.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("squid.socket", multiline=True)
tags:
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- service_squid_disabled
- special_service_block
- unknown_severity
when: ( "squid" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Disable snmpd Service - Disable service snmpd
block:
- name: Disable snmpd Service - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable snmpd Service - Ensure snmpd.service is Masked
ansible.builtin.systemd:
name: snmpd.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("snmpd.service", multiline=True)
- name: Unit Socket Exists - snmpd.socket
ansible.builtin.command: systemctl -q list-unit-files snmpd.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable snmpd Service - Disable Socket snmpd
ansible.builtin.systemd:
name: snmpd.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("snmpd.socket", multiline=True)
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- service_snmpd_disabled
- special_service_block
when: ( "net-snmp" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Enable the USBGuard Service - Enable service usbguard
block:
- name: Enable the USBGuard Service - Enable Service usbguard
ansible.builtin.systemd:
name: usbguard
enabled: true
state: started
masked: false
when:
- '"usbguard" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000321
- NIST-800-53-CM-8(3)(a)
- NIST-800-53-IA-3
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_usbguard_enabled
- special_service_block
when: ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Enable auditd Service - Enable service auditd
block:
- name: Enable auditd Service - Enable Service auditd
ansible.builtin.systemd:
name: auditd
enabled: true
state: started
masked: false
when:
- '"audit" in ansible_facts.packages'
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000441
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-10
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(23)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_auditd_enabled
- special_service_block
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"audit" in ansible_facts.packages'
- name: Gather the service facts
ansible.builtin.service_facts: null
tags:
- always
- name: 'Set fact: Package manager reinstall command'
ansible.builtin.set_fact:
package_manager_reinstall_cmd: yum reinstall -y
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux", "AlmaLinux"
]
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000243
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
- name: 'Set fact: Package manager reinstall command (zypper)'
ansible.builtin.set_fact:
package_manager_reinstall_cmd: zypper in -f -y
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- ansible_distribution == "SLES"
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000243
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
- name: Read files with incorrect hash
ansible.builtin.command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps
--nolinkto --nouser --nogroup --nomode --noghost --noconfig
register: files_with_incorrect_hash
changed_when: false
failed_when: files_with_incorrect_hash.rc > 1
check_mode: false
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- (package_manager_reinstall_cmd is defined)
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000243
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
- name: Create list of packages
ansible.builtin.command: rpm -qf "{{ item }}"
with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'',
''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- files_with_incorrect_hash.stdout_lines is defined
- (files_with_incorrect_hash.stdout_lines | length > 0)
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000243
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
- name: Reinstall packages of files with incorrect hash
ansible.builtin.command: '{{ package_manager_reinstall_cmd }} ''{{ item }}'''
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- files_with_incorrect_hash.stdout_lines is defined
- (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines
| length > 0))
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000243
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
- name: Read list of files with incorrect ownership
ansible.builtin.command: rpm -Va --nodeps --nosignature --nofiledigest --nosize
--nomtime --nordev --nocaps --nolinkto --nomode
register: files_with_incorrect_ownership
failed_when: files_with_incorrect_ownership.rc > 1
changed_when: false
check_mode: false
when: not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
- name: Create list of packages
ansible.builtin.command: rpm -qf "{{ item }}"
with_items: '{{ files_with_incorrect_ownership.stdout_lines | map(''regex_findall'',
''^[.]+[U|G]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- (files_with_incorrect_ownership.stdout_lines | length > 0)
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
- name: Correct file ownership with RPM
ansible.builtin.command: rpm --restore '{{ item }}'
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- (files_with_incorrect_ownership.stdout_lines | length > 0)
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
- name: Read list of files with incorrect permissions
ansible.builtin.command: rpm -Va --nodeps --nosignature --nofiledigest --nosize
--nomtime --nordev --nocaps --nolinkto --nouser --nogroup
register: files_with_incorrect_permissions
failed_when: files_with_incorrect_permissions.rc > 1
changed_when: false
check_mode: false
when: not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
- name: Create list of packages
ansible.builtin.command: rpm -qf "{{ item }}"
with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'',
''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- (files_with_incorrect_permissions.stdout_lines | length > 0)
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
- name: Correct file permissions with RPM
ansible.builtin.command: rpm --restore '{{ item }}'
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when:
- not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline )
- (files_with_incorrect_permissions.stdout_lines | length > 0)
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(c)
- NIST-800-53-CM-6(d)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- high_complexity
- high_severity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
- name: Check to see the current status of FIPS mode
ansible.builtin.command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
failed_when: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
tags:
- DISA-STIG-OL09-00-000070
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Enable FIPS mode
ansible.builtin.command: /usr/bin/fips-mode-setup --enable
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
- is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
tags:
- DISA-STIG-OL09-00-000070
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Enable Dracut FIPS Module
ansible.builtin.lineinfile:
path: /etc/dracut.conf.d/40-fips.conf
line: add_dracutmodules+=" fips "
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
tags:
- DISA-STIG-OL09-00-000070
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Configure System Cryptography Policy - Check current crypto policy (runtime)
ansible.builtin.command: /usr/bin/update-crypto-policies --show
register: current_crypto_policy
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-000070
- DISA-STIG-OL09-00-000241
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/config
ansible.builtin.stat:
path: /etc/crypto-policies/config
register: config_file_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-000070
- DISA-STIG-OL09-00-000241
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/state/current
ansible.builtin.stat:
path: /etc/crypto-policies/state/current
register: current_file_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-000070
- DISA-STIG-OL09-00-000241
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Check existence of /etc/crypto-policies/back-ends/nss.config
ansible.builtin.stat:
path: /etc/crypto-policies/back-ends/nss.config
register: nss_config_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-000070
- DISA-STIG-OL09-00-000241
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Verify that Crypto Policy is Set
(runtime)
ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy
}}
when: (current_crypto_policy.stdout.strip() != var_system_crypto_policy) or (config_file_stat.stat.exists
and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime)
or (not nss_config_stat.stat.exists)
tags:
- DISA-STIG-OL09-00-000070
- DISA-STIG-OL09-00-000241
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002362
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
- name: Remove lines containing !authenticate from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+\!authenticate.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002362
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002363
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_nopasswd
- name: Remove lines containing NOPASSWD from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002363
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_remove_nopasswd
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Remove lines containing NOPASSWD from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Remove lines containing !authenticate from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+\!authenticate.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Ensure GPG check is globally activated
community.general.ini_file:
dest: /etc/yum.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: '"yum" in ansible_facts.packages'
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000497
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure GPG check Enabled for Local Packages (yum)
block:
- name: Check stats of yum
ansible.builtin.stat:
path: /etc/yum.conf
register: pkg
- name: Check if config file of yum is a symlink
ansible.builtin.set_fact:
pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is
match("^/.*") else "/etc/yum.conf" | dirname ~ "/" ~ pkg.stat.lnk_target
}}'
when: pkg.stat.lnk_target is defined
- name: Ensure GPG check Enabled for Local Packages (yum)
community.general.ini_file:
dest: '{{ pkg_config_file_symlink | default("/etc/yum.conf") }}'
section: main
option: localpkg_gpgcheck
value: 1
no_extra_spaces: true
create: true
when: '"yum" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-000496
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Grep for yum repo section names
ansible.builtin.shell: |
set -o pipefail
grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000498
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Set gpgcheck=1 for each yum repo
community.general.ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?''
) if repo_grep_results is not skipped else [] }}'
when: repo_grep_results is not skipped
tags:
- CJIS-5.10.4.1
- DISA-STIG-OL09-00-000498
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure Oracle Linux GPG Key Installed - Read GPG key directory permission
ansible.builtin.stat:
path: /etc/pki/rpm-gpg/
register: gpg_key_directory_permission
check_mode: false
tags:
- DISA-STIG-OL09-00-000499
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Retrieve GPG key fingerprints information
ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
changed_when: false
register: gpg_fingerprints
check_mode: false
tags:
- DISA-STIG-OL09-00-000499
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Set fact for installed fingerprints
ansible.builtin.set_fact:
gpg_installed_fingerprints: |-
{{ gpg_fingerprints.stdout | regex_findall('^pub.*
(?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
tags:
- DISA-STIG-OL09-00-000499
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Set fact for valid fingerprints
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
- 982231759C7467065D0CE9B2A7DD07088B4EFBE6
tags:
- DISA-STIG-OL09-00-000499
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Import Oracle GPG key securely
ansible.builtin.rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
0
- gpg_installed_fingerprints | length > 0
tags:
- DISA-STIG-OL09-00-000499
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Enable authselect - Check Current authselect Profile
ansible.builtin.command:
cmd: authselect current
register: result_authselect_current
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Try to Select an authselect Profile
ansible.builtin.command:
cmd: authselect select "{{ var_authselect_profile }}"
register: result_authselect_select
changed_when: result_authselect_select.rc == 0
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_current.rc != 0
tags:
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Verify If pam Has Been Altered
ansible.builtin.command:
cmd: rpm -qV pam
register: result_altered_authselect
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_select is not skipped
- result_authselect_select.rc != 0
tags:
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Informative Message Based on authselect Integrity Check
ansible.builtin.assert:
that:
- result_authselect_current.rc == 0 or result_altered_authselect is skipped
or result_altered_authselect.rc == 0
fail_msg:
- authselect is not used but files from the 'pam' package have been altered,
so the authselect configuration won't be forced.
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Force authselect Profile Selection
ansible.builtin.command:
cmd: authselect select --force "{{ var_authselect_profile }}"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_current.rc != 0
- result_authselect_select.rc != 0
- result_altered_authselect.rc == 0
tags:
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Lock Accounts After Failed Password Attempts - Check if system relies on
authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf
file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*deny\s*=
line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter not in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
deny parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_deny_parameter_is_present
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of
pam_faillock.so preauth deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of
pam_faillock.so authfail deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value
for pam_faillock.so preauth deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value
for pam_faillock.so authfail deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-003020
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Remediation where
authselect tool is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect
current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Remediation where
authselect tool is not present
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Check the presence
of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
even_deny_root parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*even_deny_root
line: even_deny_root
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
even_deny_root parameter not in PAM files
block:
- name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Configure the root Account for Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Configure the root Account for Failed Password Attempts - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Configure the root Account for Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Define the
current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Configure the root Account for Failed Password Attempts - Define the
new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Create an
authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Create an
authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Ensure the
authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Configure the root Account for Failed Password Attempts - Change the
PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Define a fact
for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Configure the root Account for Failed Password Attempts - Check if {{
pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Ensure the
"even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Configure the root Account for Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Configure the root Account for Failed Password Attempts - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Configure the root Account for Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Define the
current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Configure the root Account for Failed Password Attempts - Define the
new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Create an
authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Create an
authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Ensure the
authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Configure the root Account for Failed Password Attempts - Change the
PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Define a fact
for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Configure the root Account for Failed Password Attempts - Check if {{
pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Ensure the
"even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
even_deny_root parameter in PAM files
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so
even_deny_root parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_even_deny_root_parameter_is_present
- name: Configure the root Account for Failed Password Attempts - Ensure the inclusion
of pam_faillock.so preauth even_deny_root parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 even_deny_root
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
- name: Configure the root Account for Failed Password Attempts - Ensure the inclusion
of pam_faillock.so authfail even_deny_root parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 even_deny_root
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-003021
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Check the presence
of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*fail_interval\s*=
line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter not in PAM files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Set Interval For Counting Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Set Interval For Counting Failed Password Attempts - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Interval For Counting Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Interval For Counting Failed Password Attempts - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Define a fact for
control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Interval For Counting Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Set Interval For Counting Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Set Interval For Counting Failed Password Attempts - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Interval For Counting Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Interval For Counting Failed Password Attempts - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Define a fact for
control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Interval For Counting Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter in PAM files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
fail_interval parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_fail_interval_parameter_is_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
of pam_faillock.so preauth fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
of pam_faillock.so authfail fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the desired
value for pam_faillock.so preauth fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval
}}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the desired
value for pam_faillock.so authfail fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval
}}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL09-00-002416
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check if system relies on
authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf
file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*unlock_time\s*=
line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter not in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file
to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file
to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
unlock_time parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_unlock_time_parameter_is_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
pam_faillock.so preauth unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
pam_faillock.so authfail unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
for pam_faillock.so preauth unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
for pam_faillock.so authfail unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL09-00-002417
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Find pwquality.conf.d
files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure minlen
is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bminlen\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check the proper
remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Change
the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
{{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure the
"minlen" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bminlen\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check the proper
remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Change
the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
{{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure the
"minlen" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bminlen\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM
variable minlen is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minlen
line: minlen = {{ var_password_pam_minlen }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Require emergency mode password
ansible.builtin.blockinfile:
create: true
dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
block: |-
[Service]
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000025
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_emergency_target_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - find files which already override
Execstart of rescue.service
ansible.builtin.find:
paths: /etc/systemd/system/rescue.service.d
patterns: '*.conf'
contains: ^\s*ExecStart=.*$
register: rescue_service_overrides_found
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000030
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - set files containing ExecStart
overrides as target
ansible.builtin.set_fact:
rescue_service_remediation_target_file: '{{ rescue_service_overrides_found.files
| map(attribute=''path'') | list }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched
> 0
tags:
- DISA-STIG-OL09-00-000030
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - set default target for rescue.service
override
ansible.builtin.set_fact:
rescue_service_remediation_target_file:
- /etc/systemd/system/rescue.service.d/10-oscap.conf
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched
== 0
tags:
- DISA-STIG-OL09-00-000030
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - Require emergency user mode
password
community.general.ini_file:
path: '{{ item }}'
section: Service
option: ExecStart
values:
- ''
- -/usr/lib/systemd/systemd-sulogin-shell rescue
loop: '{{ rescue_service_remediation_target_file }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000030
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Set Password Maximum Age
ansible.builtin.lineinfile:
create: true
dest: /etc/login.defs
regexp: ^#?PASS_MAX_DAYS
line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"shadow-utils" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1
- DISA-STIG-OL09-00-001095
- NIST-800-171-3.5.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_maximum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Minimum Age
ansible.builtin.lineinfile:
create: true
dest: /etc/login.defs
regexp: ^#?PASS_MIN_DAYS
line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"shadow-utils" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL09-00-001085
- NIST-800-171-3.5.8
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- accounts_minimum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Warning Age
ansible.builtin.lineinfile:
dest: /etc/login.defs
regexp: ^PASS_WARN_AGE *[0-9]*
state: present
line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"shadow-utils" in ansible_facts.packages'
tags:
- NIST-800-171-3.5.8
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_warn_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Prevent Login to Accounts With Empty Password - Check if system relies on
authselect
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.2
- DISA-STIG-OL09-00-001110
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate using authselect
block:
- name: Prevent Login to Accounts With Empty Password - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Prevent Login to Accounts With Empty Password - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Prevent Login to Accounts With Empty Password - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature without-nullok
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("without-nullok")
- name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.2
- DISA-STIG-OL09-00-001110
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate directly editing
PAM files
ansible.builtin.replace:
dest: '{{ item }}'
regexp: nullok
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.2
- DISA-STIG-OL09-00-001110
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Get all /etc/passwd file entries
ansible.builtin.getent:
database: passwd
split: ':'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-003000
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-6(5)
- NIST-800-53-IA-2
- NIST-800-53-IA-4(b)
- PCI-DSS-Req-8.5
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.1
- accounts_no_uid_except_zero
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'')
| list }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- item.value.1 == '0'
tags:
- DISA-STIG-OL09-00-003000
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-6(5)
- NIST-800-53-IA-2
- NIST-800-53-IA-4(b)
- PCI-DSS-Req-8.5
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.1
- accounts_no_uid_except_zero
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local
Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-003051
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users
Variable From getent_passwd Facts
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-003051
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Disable Login
Shell for System Accounts
ansible.builtin.user:
name: '{{ item.key }}'
shell: /sbin/nologin
loop: '{{ local_users }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- item.key not in ['root']
- item.value[1]|int < 1000
- item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync']
tags:
- DISA-STIG-OL09-00-003051
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure cron Is Logging To Rsyslog - Ensure /etc/rsyslog.conf exists
ansible.builtin.file:
path: /etc/rsyslog.conf
state: touch
modification_time: preserve
access_time: preserve
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Ensure /etc/rsyslog.d directory exists
ansible.builtin.file:
path: /etc/rsyslog.d
state: directory
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Remove multilined cron.* action() entries
from rsyslog.conf
ansible.builtin.shell: sed -i '/^[[:space:]]*cron\.\*.*action(/,/)/d' /etc/rsyslog.conf
changed_when: true
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Remove multilined cron.* action() entries
from rsyslog.d/*.conf
ansible.builtin.shell: find /etc/rsyslog.d -type f -name "*.conf" -exec sed -i
'/^[[:space:]]*cron\.\*.*action(/,/)/d' {} +
changed_when: true
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Remove *.* entries pointing to /var/log/cron from rsyslog.conf
ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
create: false
regexp: (?i)^\s*\*\.\*\s+/var/log/cron\s*$
state: absent
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Remove *.* entries pointing to /var/log/cron
from rsyslog.d/*.conf
ansible.builtin.shell: find /etc/rsyslog.d -type f -name "*.conf" -exec sed -i
'\|^\s*\*\.\*\s\+/var/log/cron\s*$|d' {} +
changed_when: true
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Check if the parameter cron.* is configured
ansible.builtin.find:
paths:
- /etc/rsyslog.conf
- /etc/rsyslog.d
contains: ^\s*{{ "cron.*"| regex_escape }}
register: _sshd_config_has_parameter
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Check if the parameter cron.* is configured
correctly
ansible.builtin.find:
paths:
- /etc/rsyslog.conf
- /etc/rsyslog.d
contains: ^\s*{{ "cron.*"| regex_escape }}/var/log/cron$
register: _sshd_config_correctly
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog
block:
- name: Deduplicate values from /etc/rsyslog.conf
ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
create: false
regexp: (?i)^\s*{{ "cron.*"| regex_escape }}
state: absent
- name: Check if /etc/rsyslog.d exists
ansible.builtin.stat:
path: /etc/rsyslog.d
register: _etc_rsyslog_d_exists
- name: Check if the parameter cron.* is present in /etc/rsyslog.d
ansible.builtin.find:
paths: /etc/rsyslog.d
recurse: 'yes'
follow: 'no'
contains: ^\s*{{ "cron.*"| regex_escape }}
register: _etc_rsyslog_d_has_parameter
when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir
- name: Remove parameter from files in /etc/rsyslog.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)^\s*{{ "cron.*"| regex_escape }}
state: absent
with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
when: _etc_rsyslog_d_has_parameter.matched > 0
- name: Insert correct line to /etc/rsyslog.d/cron.conf
ansible.builtin.lineinfile:
path: /etc/rsyslog.d/cron.conf
create: true
regexp: (?i)^\s*{{ "cron.*"| regex_escape }}
line: cron.* /var/log/cron
state: present
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure cron Is Logging To Rsyslog - Restart the rsyslog service now
ansible.builtin.service:
name: rsyslog
state: restarted
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005010
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_cron_logging
- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration
facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive
ansible.builtin.shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
register: rsyslog_old_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives
ansible.builtin.shell: |
set -o pipefail
awk '/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}' {{ rsyslog_etc_config }} || true
register: rsyslog_new_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines
}}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old
format
ansible.builtin.shell: |
set -o pipefail
grep -oP '^[^(\s|#|\$)]+[\s]*.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
awk '{print $NF}' | \
sed -e 's/^-//' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_old
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new
format
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_new
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list
| flatten | unique + log_files_old.results | map(attribute=''stdout_lines'')
| list | flatten | unique }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
group: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration
facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive
ansible.builtin.shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
register: rsyslog_old_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Get include files directives
ansible.builtin.shell: |
set -o pipefail
awk '/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}' {{ rsyslog_etc_config }} || true
register: rsyslog_new_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines
}}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format
ansible.builtin.shell: |
set -o pipefail
grep -oP '^[^(\s|#|\$)]+[\s]*.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
awk '{print $NF}' | \
sed -e 's/^-//' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_old
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_new
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list
| flatten | unique + log_files_old.results | map(attribute=''stdout_lines'')
| list | flatten | unique }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
owner: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration
facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive
ansible.builtin.shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
register: rsyslog_old_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Get include files directives
ansible.builtin.shell: |
set -o pipefail
awk '/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}' {{ rsyslog_etc_config }} || true
register: rsyslog_new_inc
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines
}}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Extract log files old
format
ansible.builtin.shell: |
set -o pipefail
grep -oP '^[^(\s|#|\$)]+[\s]*.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
awk '{print $NF}' | \
sed -e 's/^-//' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_old
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Extract log files new
format
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'')
}}'
register: log_files_new
changed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_config_files is not skipped
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list
| flatten | unique + log_files_old.results | map(attribute=''stdout_lines'')
| list | flatten | unique }}'
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
mode: '0640'
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- '"rsyslog" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Define Rsyslog Config Lines Regex in Legacy Syntax
ansible.builtin.set_fact:
rsyslog_listen_legacy_regex: ^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for Legacy Config Lines in Rsyslog Main Config File
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: '{{ rsyslog_listen_legacy_regex }}'
register: rsyslog_listen_legacy_main_file
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for Legacy Config Lines in Rsyslog Include Files
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: '{{ rsyslog_listen_legacy_regex }}'
register: rsyslog_listen_legacy_include_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Assemble List of Config Files With Listen Lines in Legacy Syntax
ansible.builtin.set_fact:
rsyslog_legacy_remote_listen_files: '{{ rsyslog_listen_legacy_main_file.files
| map(attribute=''path'') | list + rsyslog_listen_legacy_include_files.files
| map(attribute=''path'') | list }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Comment Listen Config Lines Wherever Defined Using Legacy Syntax
ansible.builtin.replace:
path: '{{ item }}'
regexp: '{{ rsyslog_listen_legacy_regex }}'
replace: '# \1'
loop: '{{ rsyslog_legacy_remote_listen_files }}'
register: rsyslog_listen_legacy_comment
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_legacy_remote_listen_files | length > 0
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Define Rsyslog Config Lines Regex in RainerScript Syntax
ansible.builtin.set_fact:
rsyslog_listen_rainer_regex: ^\s*(module|input)\((load|type)="(imtcp|imudp)".*$
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for RainerScript Config Lines in Rsyslog Main Config File
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: '{{ rsyslog_listen_rainer_regex }}'
register: rsyslog_rainer_remote_main_file
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for RainerScript Config Lines in Rsyslog Include Files
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: '{{ rsyslog_listen_rainer_regex }}'
register: rsyslog_rainer_remote_include_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Assemble List of Config Files With Listen Lines in RainerScript
ansible.builtin.set_fact:
rsyslog_rainer_remote_listen_files: '{{ rsyslog_rainer_remote_main_file.files
| map(attribute=''path'') | list + rsyslog_rainer_remote_include_files.files
| map(attribute=''path'') | list }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Comment Listen Config Lines Wherever Defined Using RainerScript
ansible.builtin.replace:
path: '{{ item }}'
regexp: '{{ rsyslog_listen_rainer_regex }}'
replace: '# \1'
loop: '{{ rsyslog_rainer_remote_listen_files }}'
register: rsyslog_listen_rainer_comment
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_rainer_remote_listen_files | length > 0
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Restart Rsyslog if Any Line Were Commented Out
ansible.builtin.service:
name: rsyslog
state: restarted
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_listen_legacy_comment is changed or rsyslog_listen_rainer_comment is
changed
tags:
- DISA-STIG-OL09-00-005030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Set rsyslog remote loghost
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
regexp: ^\*\.\*
line: '*.* @@{{ rsyslog_remote_loghost_address }}'
create: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-005005
- NIST-800-53-AU-4(1)
- NIST-800-53-AU-9(2)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- rsyslog_remote_loghost
- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
in rsyslog include files'
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
register: rsyslog_includes_with_directive
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
in rsyslog main config file'
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
register: rsyslog_main_file_with_directive
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
to be inserted if entirely missing'
ansible.builtin.set_fact:
rsyslog_parameters_to_add_if_missing:
- protocol
- target
- port
- StreamDriver
- StreamDriverMode
- StreamDriverAuthMode
- streamdriver.CheckExtendedKeyPurpose
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values
to be inserted if entirely missing'
ansible.builtin.set_fact:
rsyslog_values_to_add_if_missing:
- tcp
- '{{ rsyslog_remote_loghost_address }}'
- '6514'
- gtls
- '1'
- x509/name
- 'on'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
to be replaced if defined with wrong values'
ansible.builtin.set_fact:
rsyslog_parameters_to_replace_if_wrong_value:
- protocol
- StreamDriver
- StreamDriverMode
- StreamDriverAuthMode
- streamdriver.CheckExtendedKeyPurpose
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values
to be replaced when having wrong value'
ansible.builtin.set_fact:
rsyslog_values_to_replace_if_wrong_value:
- tcp
- gtls
- '1'
- x509/name
- 'on'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: assemble list of files with existing
directives'
ansible.builtin.set_fact:
rsyslog_files: '{{ rsyslog_includes_with_directive.files | map(attribute=''path'')
| list + rsyslog_main_file_with_directive.files | map(attribute=''path'')
| list }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: try to fix existing directives'
block:
- name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
by adjusting the value'
ansible.builtin.replace:
path: '{{ item[0] }}'
regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"[\s\S]*)({{ item[1][0] |
regex_escape() }}\s*=\s*"\S*")([\s\S]*\))$
replace: \1{{ item[1][0] }}="{{ item[1][1] }}"\3
loop: '{{ rsyslog_files | product (rsyslog_parameters_to_replace_if_wrong_value
| zip(rsyslog_values_to_replace_if_wrong_value)) | list }}'
- name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
by adding parameter and value'
ansible.builtin.replace:
path: '{{ item[0] }}'
regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"(?:[\s\S](?!{{ item[1][0]
| regex_escape() }}))*.)(\))$
replace: \1 {{ item[1][0] }}="{{ item[1][1] }}" \2
loop: '{{ rsyslog_files | product (rsyslog_parameters_to_add_if_missing | zip(rsyslog_values_to_add_if_missing))
| list }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rsyslog_includes_with_directive.matched or rsyslog_main_file_with_directive.matched
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: Add missing rsyslog directive'
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address
}}" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
streamdriver.CheckExtendedKeyPurpose="on")
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not rsyslog_includes_with_directive.matched and not rsyslog_main_file_with_directive.matched
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- Ensure non-privileged users do not have access to nmcli
community.general.ini_file:
path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
section: Disable General User Access to NetworkManager
option: '{{ item.option }}'
value: '{{ item.value }}'
no_extra_spaces: true
create: true
loop:
- option: Identity
value: default
- option: Action
value: org.freedesktop.NetworkManager.*
- option: ResultAny
value: 'no'
- option: ResultInactive
value: 'no'
- option: ResultActive
value: auth_admin
when: '"polkit" in ansible_facts.packages'
tags:
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(4)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- low_complexity
- low_disruption
- medium_severity
- network_nmcli_permissions
- no_reboot_needed
- restrict_strategy
- name: Ensure System is Not Acting as a Network Sniffer - Gather network interfaces
ansible.builtin.command:
cmd: ip -o link show
register: network_interfaces
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"]
tags:
- DISA-STIG-OL09-00-006004
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(2)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MA-3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- low_complexity
- low_disruption
- medium_severity
- network_sniffer_disabled
- no_reboot_needed
- restrict_strategy
- name: Ensure System is Not Acting as a Network Sniffer - Disable promiscuous mode
ansible.builtin.command:
cmd: ip link set dev {{ (item.split(':')[1] | trim).split('@')[0] }} multicast
off promisc off
loop: '{{ network_interfaces.stdout_lines }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- network_interfaces.stdout_lines is defined and item.split(':') | length >= 3
tags:
- DISA-STIG-OL09-00-006004
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(2)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MA-3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- low_complexity
- low_disruption
- medium_severity
- network_sniffer_disabled
- no_reboot_needed
- restrict_strategy
- name: Deactivate Wireless Network Interfaces - NetworkManager Deactivate Wireless
Network Interfaces
ansible.builtin.command: nmcli radio wifi off
when:
- ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman",
"container"] ) )
- '''NetworkManager'' in ansible_facts.packages'
- ansible_facts.services['NetworkManager.service'].state == 'running'
tags:
- DISA-STIG-OL09-00-006001
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSS-Req-1.3.3
- PCI-DSSv4-1.3
- PCI-DSSv4-1.3.3
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- wireless_disable_interfaces
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define
Excluded (Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant
Root Directories Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include
Relevant Root Directories in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
Search Paths List with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define
Rule Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All
Uncompliant Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create
List of World Writable Directories Without Sticky Bit
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
}}'
loop: '{{ result_found_dirs.results }}'
when: result_found_dirs is not skipped and item is not skipped
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure
Sticky Bit is Set on Local World Writable Directories
ansible.builtin.file:
path: '{{ item }}'
mode: a+t
loop: '{{ world_writable_dirs }}'
tags:
- DISA-STIG-OL09-00-002510
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Read list of system executables without root ownership
ansible.builtin.command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/
/usr/local/sbin/ /usr/libexec \! -user root
register: no_root_system_executables
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002505
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_ownership_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set ownership to root of system executables
ansible.builtin.file:
path: '{{ item }}'
owner: root
with_items: '{{ no_root_system_executables.stdout_lines }}'
when: no_root_system_executables.stdout_lines | length > 0
tags:
- DISA-STIG-OL09-00-002505
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_ownership_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the file_ownership_library_dirs_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_library_dirs_newown: '0'
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /lib/ file(s) matching ^.*\.so.*$ recursively
ansible.builtin.command: find -P /lib/ -type f ! -user 0 -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /lib/ file(s) matching ^.*\.so.*$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /lib64/ file(s) matching ^.*\.so.*$ recursively
ansible.builtin.command: find -P /lib64/ -type f ! -user 0 -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /lib64/ file(s) matching ^.*\.so.*$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /usr/lib/ file(s) matching ^.*\.so.*$ recursively
ansible.builtin.command: find -P /usr/lib/ -type f ! -user 0 -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /usr/lib/ file(s) matching ^.*\.so.*$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /usr/lib64/ file(s) matching ^.*\.so.*$ recursively
ansible.builtin.command: find -P /usr/lib64/ -type f ! -user 0 -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /usr/lib64/ file(s) matching ^.*\.so.*$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002524
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_ownership_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Read list of world and group writable system executables
ansible.builtin.command: find -L /bin /usr/bin /usr/local/bin /sbin /usr/sbin
/usr/local/sbin /usr/libexec -perm /022 \( -type l -o -type f \)
register: world_writable_library_files
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002506
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_permissions_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remove world/group writability of system executables
ansible.builtin.file:
path: '{{ item }}'
mode: go-w
state: file
with_items: '{{ world_writable_library_files.stdout_lines }}'
when: world_writable_library_files.stdout_lines | length > 0
tags:
- DISA-STIG-OL09-00-002506
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- file_permissions_binary_dirs
- medium_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Find /lib/ file(s) recursively
ansible.builtin.command: find -P /lib/ -perm /g+w,o+w -type f -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /lib/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /lib64/ file(s) recursively
ansible.builtin.command: find -P /lib64/ -perm /g+w,o+w -type f -regextype posix-extended
-regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /lib64/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /usr/lib/ file(s) recursively
ansible.builtin.command: find -P /usr/lib/ -perm /g+w,o+w -type f -regextype
posix-extended -regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /usr/lib/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /usr/lib64/ file(s) recursively
ansible.builtin.command: find -P /usr/lib64/ -perm /g+w,o+w -type f -regextype
posix-extended -regex "^.*\.so.*$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /usr/lib64/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: g-w,o-w
state: file
with_items:
- '{{ files_found.stdout_lines }}'
tags:
- DISA-STIG-OL09-00-002525
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-5(6)
- NIST-800-53-CM-5(6).1
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_library_dirs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL09-00-002040
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL09-00-002040
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL09-00-002040
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL09-00-002040
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL09-00-002040
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL09-00-002041
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL09-00-002041
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL09-00-002041
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL09-00-002041
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL09-00-002041
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL09-00-002042
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL09-00-002042
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL09-00-002042
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL09-00-002042
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL09-00-002042
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: Restrict Access to Kernel Message Buffer - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that contain kernel.dmesg_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that set kernel.dmesg_restrict
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Ensure sysctl kernel.dmesg_restrict
is set to 1
ansible.posix.sysctl:
name: kernel.dmesg_restrict
value: '1'
sysctl_file: /etc/sysctl.d/kernel_dmesg_restrict.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002406
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Disable Kernel Image Loading - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Find all files that contain kernel.kexec_load_disabled
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kexec_load_disabled\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Find all files that set kernel.kexec_load_disabled
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kexec_load_disabled\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Comment out any occurrences of kernel.kexec_load_disabled
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.kexec_load_disabled
replace: '#kernel.kexec_load_disabled'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Comment out any occurrences of kernel.kexec_load_disabled
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.kexec_load_disabled
replace: '#kernel.kexec_load_disabled'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Ensure sysctl kernel.kexec_load_disabled
is set to 1
ansible.posix.sysctl:
name: kernel.kexec_load_disabled
value: '1'
sysctl_file: /etc/sysctl.d/kernel_kexec_load_disabled.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002428
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Find
all files that contain kernel.unprivileged_bpf_disabled
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.unprivileged_bpf_disabled\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Find
all files that set kernel.unprivileged_bpf_disabled to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.unprivileged_bpf_disabled\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Comment
out any occurrences of kernel.unprivileged_bpf_disabled from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.unprivileged_bpf_disabled
replace: '#kernel.unprivileged_bpf_disabled'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Comment
out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.unprivileged_bpf_disabled
replace: '#kernel.unprivileged_bpf_disabled'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Ensure
sysctl kernel.unprivileged_bpf_disabled is set to 1
ansible.posix.sysctl:
name: kernel.unprivileged_bpf_disabled
value: '1'
sysctl_file: /etc/sysctl.d/kernel_unprivileged_bpf_disabled.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002409
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Restrict usage of ptrace to descendant processes - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that contain
kernel.yama.ptrace_scope
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.yama.ptrace_scope\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that set
kernel.yama.ptrace_scope to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.yama.ptrace_scope\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences
of kernel.yama.ptrace_scope from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.yama.ptrace_scope
replace: '#kernel.yama.ptrace_scope'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences
of kernel.yama.ptrace_scope from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.yama.ptrace_scope
replace: '#kernel.yama.ptrace_scope'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Ensure sysctl kernel.yama.ptrace_scope
is set to 1
ansible.posix.sysctl:
name: kernel.yama.ptrace_scope
value: '1'
sysctl_file: /etc/sysctl.d/kernel_yama_ptrace_scope.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002410
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Harden the operation of the BPF just-in-time compiler - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Find all files that
contain net.core.bpf_jit_harden
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.core.bpf_jit_harden\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Find all files that
set net.core.bpf_jit_harden to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.core.bpf_jit_harden\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Comment out any
occurrences of net.core.bpf_jit_harden from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.core.bpf_jit_harden
replace: '#net.core.bpf_jit_harden'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Comment out any
occurrences of net.core.bpf_jit_harden from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.core.bpf_jit_harden
replace: '#net.core.bpf_jit_harden'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Ensure sysctl net.core.bpf_jit_harden
is set to 2
ansible.posix.sysctl:
name: net.core.bpf_jit_harden
value: '2'
sysctl_file: /etc/sysctl.d/net_core_bpf_jit_harden.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002430
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Check if noexec argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when: ( ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
and ansible_architecture == "x86_64" )
tags:
- DISA-STIG-OL09-00-002422
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- sysctl_kernel_exec_shield
- name: Check if noexec argument is present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when: ( ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
and ansible_architecture == "x86_64" )
tags:
- DISA-STIG-OL09-00-002422
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- sysctl_kernel_exec_shield
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --remove-args="noexec"
when:
- ( ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
and ansible_architecture == "x86_64" )
- (grubby_info.stdout is search('noexec')) or ((etc_default_grub['content'] |
b64decode) is search('noexec'))
tags:
- DISA-STIG-OL09-00-002422
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- sysctl_kernel_exec_shield
- name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that contain
kernel.kptr_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that set
kernel.kptr_restrict to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
is set
ansible.posix.sysctl:
name: kernel.kptr_restrict
value: '{{ sysctl_kernel_kptr_restrict_value }}'
sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002408
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Enable Randomized Layout of Virtual Address Space - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that
contain kernel.randomize_va_space
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.randomize_va_space\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that
set kernel.randomize_va_space to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.randomize_va_space\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences
of kernel.randomize_va_space from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.randomize_va_space
replace: '#kernel.randomize_va_space'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences
of kernel.randomize_va_space from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.randomize_va_space
replace: '#kernel.randomize_va_space'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Ensure sysctl kernel.randomize_va_space
is set to 2
ansible.posix.sysctl:
name: kernel.randomize_va_space
value: '2'
sysctl_file: /etc/sysctl.d/kernel_randomize_va_space.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002423
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Configure SELinux Policy
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
line: SELINUXTYPE={{ var_selinux_policy_name }}
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000065
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- selinux_policytype
- name: Ensure SELinux State is Enforcing - Check current SELinux state
ansible.builtin.command:
cmd: getenforce
register: current_selinux_state
check_mode: false
changed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000060
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
line: SELINUX={{ var_selinux_state }}
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000060
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next
boot
ansible.builtin.file:
path: /.autorelabel
state: touch
access_time: preserve
modification_time: preserve
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- current_selinux_state.stdout | lower != var_selinux_state
tags:
- DISA-STIG-OL09-00-000060
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Enable the auditadm_exec_content SELinux Boolean - Set SELinux Boolean auditadm_exec_content
Accordingly
ansible.posix.seboolean:
name: auditadm_exec_content
state: '{{ var_auditadm_exec_content }}'
persistent: true
when:
- ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline or lookup("env", "container") == "bwrap-osbuild"
or ansible_facts.selinux.status != "disabled" )
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-80424-5
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sebool_auditadm_exec_content
- name: Check if chrony main config has active server/pool entries
ansible.builtin.command:
cmd: grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' /etc/chrony.conf
register: chrony_conf_has_servers
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Extract sourcedir paths from chrony configuration
ansible.builtin.shell:
cmd: grep '^[[:space:]]*sourcedir[[:space:]]\+' /etc/chrony.conf | awk '{print
$2}'
register: chrony_sourcedir_paths
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check for server/pool entries in sourcedir .sources files
ansible.builtin.shell:
cmd: |
for dir in {{ chrony_sourcedir_paths.stdout_lines | join(' ') }}; do
if [ -d "$dir" ]; then
grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$dir"/*.sources 2>/dev/null && exit 0
fi
done
exit 1
register: chrony_sourcedir_has_servers
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- chrony_sourcedir_paths.stdout_lines | length > 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Extract confdir paths from chrony configuration
ansible.builtin.shell:
cmd: grep '^[[:space:]]*confdir[[:space:]]\+' /etc/chrony.conf | awk '{print
$2}'
register: chrony_confdir_paths
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- (chrony_sourcedir_paths.stdout_lines | default([]) | length == 0 or chrony_sourcedir_has_servers.rc
!= 0)
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check for server/pool entries in confdir .conf files
ansible.builtin.shell:
cmd: |
for dir in {{ chrony_confdir_paths.stdout_lines | join(' ') }}; do
if [ -d "$dir" ]; then
grep -q '^[[:space:]]*\(server\|pool\)[[:space:]]\+[[:graph:]]\+' "$dir"/*.conf 2>/dev/null && exit 0
fi
done
exit 1
register: chrony_confdir_has_servers
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- chrony_confdir_paths.stdout_lines | default([]) | length > 0
- (chrony_sourcedir_paths.stdout_lines | default([]) | length == 0 or chrony_sourcedir_has_servers.rc
!= 0)
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Create sourcedir directory if needed
ansible.builtin.file:
path: '{{ chrony_sourcedir_paths.stdout_lines[0] }}'
state: directory
mode: '0755'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- chrony_sourcedir_paths.stdout_lines | default([]) | length > 0
- chrony_sourcedir_has_servers.rc != 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Add remote time servers to sourcedir .sources file
ansible.builtin.lineinfile:
path: '{{ chrony_sourcedir_paths.stdout_lines[0] }}/ntp-servers.sources'
line: server {{ item }}
state: present
create: true
mode: '0644'
loop: '{{ var_multiple_time_servers.split(",") }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- chrony_sourcedir_paths.stdout_lines | default([]) | length > 0
- chrony_sourcedir_has_servers.rc != 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Create confdir directory if needed
ansible.builtin.file:
path: '{{ chrony_confdir_paths.stdout_lines[0] }}'
state: directory
mode: '0755'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- (chrony_sourcedir_paths.stdout_lines | default([]) | length == 0 or chrony_sourcedir_has_servers.rc
!= 0)
- chrony_confdir_paths.stdout_lines | default([]) | length > 0
- chrony_confdir_has_servers.rc != 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Add remote time servers to confdir .conf file
ansible.builtin.lineinfile:
path: '{{ chrony_confdir_paths.stdout_lines[0] }}/ntp-servers.conf'
line: server {{ item }}
state: present
create: true
mode: '0644'
loop: '{{ var_multiple_time_servers.split(",") }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- (chrony_sourcedir_paths.stdout_lines | default([]) | length == 0 or chrony_sourcedir_has_servers.rc
!= 0)
- chrony_confdir_paths.stdout_lines | default([]) | length > 0
- chrony_confdir_has_servers.rc != 0
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Add remote time servers to main chrony configuration
ansible.builtin.lineinfile:
path: /etc/chrony.conf
line: server {{ item }}
state: present
create: true
loop: '{{ var_multiple_time_servers.split(",") }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
- chrony_conf_has_servers.rc != 0
- (chrony_sourcedir_paths.stdout_lines | default([]) | length == 0 or chrony_sourcedir_has_servers.rc
!= 0)
- (chrony_confdir_paths.stdout_lines | default([]) | length == 0 or chrony_confdir_has_servers.rc
!= 0)
tags:
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find root:root-owned keys
ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$"
-type f -group root -perm /u+xs,g+xws,o+xwrt
register: root_owned_keys
changed_when: false
failed_when: false
check_mode: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002502
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for root:root-owned keys
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ root_owned_keys.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002502
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find root:ssh_keys-owned keys
ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$"
-type f -group ssh_keys -perm /u+xs,g+xws,o+xwrt
register: dedicated_group_owned_keys
changed_when: false
failed_when: false
check_mode: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002502
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for root:ssh_keys-owned keys
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ dedicated_group_owned_keys.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002502
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*HostbasedAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
line: HostbasedAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002357
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Enable SSH Server firewalld Firewall Exception - Remediation is applicable
if firewalld and NetworkManager services are running
block:
- name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
connections names
ansible.builtin.shell:
cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }'
register: result_nmcli_cmd_connections_names
check_mode: false
changed_when: false
failed_when: false
- name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
connections zones
ansible.builtin.shell:
cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print
$2}'
register: result_nmcli_cmd_connections_zones
changed_when: false
failed_when: false
with_items:
- '{{ result_nmcli_cmd_connections_names.stdout_lines | default([]) }}'
when:
- result_nmcli_cmd_connections_names.stdout_lines is defined
- result_nmcli_cmd_connections_names.stdout_lines | length > 0
- name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager
connections are assigned to a firewalld zone
ansible.builtin.command:
cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone
}}
register: result_nmcli_cmd_zone_assignment
changed_when: true
with_together:
- '{{ result_nmcli_cmd_connections_names.stdout_lines | default([]) }}'
- '{{ result_nmcli_cmd_connections_zones.stdout_lines | default([]) }}'
when:
- result_nmcli_cmd_connections_zones.stdout_lines is defined
- result_nmcli_cmd_connections_zones.stdout_lines | length > 0
- item.1.stdout == '--' or item.1.stdout != firewalld_sshd_zone
- name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager
connections changes are applied
ansible.builtin.service:
name: NetworkManager
state: restarted
when:
- result_nmcli_cmd_zone_assignment is defined
- result_nmcli_cmd_zone_assignment is changed
- result_nmcli_cmd_zone_assignment.results | selectattr('changed', 'equalto',
true) | list | length > 0
- name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active
zones
ansible.builtin.shell:
cmd: firewall-cmd --get-active-zones | grep -v "^ " | cut -d " " -f 1
register: result_firewall_cmd_zones_names
changed_when: false
failed_when: false
- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld zones
allow SSH
ansible.posix.firewalld:
zone: '{{ item }}'
service: ssh
permanent: true
state: enabled
immediate: true
register: result_firewall_ssh_service_assignment
with_items:
- '{{ result_firewall_cmd_zones_names.stdout_lines | default([]) }}'
when:
- result_firewall_cmd_zones_names.stdout_lines is defined
- result_firewall_cmd_zones_names.stdout_lines | length > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_facts.services['firewalld.service'].state == 'running'
- ansible_facts.services['NetworkManager.service'].state == 'running'
tags:
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- firewalld_sshd_port_enabled
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Enable SSH Server firewalld Firewall Exception - Informative message based
on services states
ansible.builtin.assert:
that:
- ansible_check_mode or ansible_facts.services['firewalld.service'].state ==
'running'
- ansible_check_mode or ansible_facts.services['NetworkManager.service'].state
== 'running'
fail_msg:
- firewalld and NetworkManager services are not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld and
NetworkManager services running.
- The service is not started by this remediation in order to prevent connection
issues.
success_msg:
- Enable SSH Server firewalld Firewall Exception remediation successfully executed
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- firewalld_sshd_port_enabled
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PermitEmptyPasswords.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
line: PermitEmptyPasswords no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002343
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*GSSAPIAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
line: GSSAPIAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002341
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*KerberosAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Disable Kerberos Authentication - Check if the parameter KerberosAuthentication
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Disable Kerberos Authentication - Check if the parameter KerberosAuthentication
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Disable Kerberos Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter KerberosAuthentication is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
line: KerberosAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Disable Kerberos Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002356
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*IgnoreRhosts.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
line: IgnoreRhosts yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002348
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PermitRootLogin.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured
correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
line: PermitRootLogin no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002345
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*IgnoreUserKnownHosts.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Disable SSH Support for User Known Hosts - Check if the parameter IgnoreUserKnownHosts
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Disable SSH Support for User Known Hosts - Check if the parameter IgnoreUserKnownHosts
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Disable SSH Support for User Known Hosts
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter IgnoreUserKnownHosts is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
line: IgnoreUserKnownHosts yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Disable SSH Support for User Known Hosts - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002349
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*X11Forwarding.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Disable X11 Forwarding - Check if the parameter X11Forwarding is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Disable X11 Forwarding - Check if the parameter X11Forwarding is configured
correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Disable X11 Forwarding
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter X11Forwarding is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
line: X11Forwarding no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Disable X11 Forwarding - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002350
- NIST-800-53-CM-6(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PermitUserEnvironment.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+no$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
line: PermitUserEnvironment no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-002358
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*StrictModes.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Enable Use of Strict Mode Checking - Check if the parameter StrictModes
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Enable Use of Strict Mode Checking - Check if the parameter StrictModes
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Enable Use of Strict Mode Checking
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "StrictModes"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter StrictModes is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "StrictModes"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "StrictModes"| regex_escape }}\s+
line: StrictModes yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Enable Use of Strict Mode Checking - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002351
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*Banner.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Enable SSH Warning Banner - Check if the parameter Banner is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Enable SSH Warning Banner - Check if the parameter Banner is configured
correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+/etc/issue$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Enable SSH Warning Banner
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
line: Banner /etc/issue
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Enable SSH Warning Banner - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL09-00-000256
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PrintLastLog.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Enable SSH Print Last Log - Check if the parameter PrintLastLog is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Enable SSH Print Last Log - Check if the parameter PrintLastLog is configured
correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Enable SSH Print Last Log
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PrintLastLog is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
line: PrintLastLog yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Enable SSH Print Last Log - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-002352
- NIST-800-53-AC-9
- NIST-800-53-AC-9(1)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*LogLevel.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Set LogLevel to INFO - Check if the parameter LogLevel is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Set LogLevel to INFO - Check if the parameter LogLevel is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+INFO$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Set LogLevel to INFO
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
line: LogLevel INFO
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Set LogLevel to INFO - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*MaxAuthTries.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries
is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
register: _sshd_config_has_parameter
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries
is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+{{ sshd_max_auth_tries_value
}}$
register: _sshd_config_correctly
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter MaxAuthTries is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched > 0
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
line: MaxAuthTries {{ sshd_max_auth_tries_value }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched !=
1
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/issue already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
for other rules with specified key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/issue in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/issue already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/issue in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/issue.net already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
for other rules with specified key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/issue.net in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/issue.net already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/issue.net in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/hosts already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
for other rules with specified key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/hosts in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/hosts already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/hosts in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d
for other rules with specified key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/sysconfig/network in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch
rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule
for /etc/sysconfig/network in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Search /etc/audit/rules.d for other rules with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Use /etc/audit/rules.d/session.rules as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Add watch rule for /var/log/btmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/btmp -p wa -k session
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp
- Add watch rule for /var/log/btmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/btmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Search /etc/audit/rules.d for other rules with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Use /etc/audit/rules.d/session.rules as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Add watch rule for /var/run/utmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/run/utmp -p wa -k session
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp
- Add watch rule for /var/run/utmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/run/utmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Search /etc/audit/rules.d for other rules with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Use /etc/audit/rules.d/session.rules as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Add watch rule for /var/log/wtmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/wtmp -p wa -k session
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp
- Add watch rule for /var/log/wtmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/wtmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule
for /etc/sudoers already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for
/etc/sudoers in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sudoers -p wa -k actions
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule
for /etc/sudoers already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d
for other rules with specified key actions
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)actions$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/actions.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use matched file as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for
/etc/sudoers in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sudoers -p wa -k actions
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule
for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for
/etc/sudoers.d/ in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sudoers.d/ -p wa -k actions
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule
for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d
for other rules with specified key actions
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)actions$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/actions.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use matched file as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for
/etc/sudoers.d/ in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sudoers.d/ -p wa -k actions
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Check if
watch rule for /etc/group already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Search /etc/audit/rules.d
for other rules with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Add watch
rule for /etc/group in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/group -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Check if
watch rule for /etc/group already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Add watch
rule for /etc/group in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/group -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000510
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Check
if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Search
/etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch
rule for /etc/gshadow in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Check
if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch
rule for /etc/gshadow in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000515
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Check if watch rule for /etc/security/opasswd already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Add watch rule for /etc/security/opasswd in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Check if watch rule for /etc/security/opasswd already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd
- Add watch rule for /etc/security/opasswd in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000520
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Check if
watch rule for /etc/passwd already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Search
/etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch
rule for /etc/passwd in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Check if
watch rule for /etc/passwd already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch
rule for /etc/passwd in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000525
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Check if
watch rule for /etc/shadow already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Search
/etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch
rule for /etc/shadow in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Check if
watch rule for /etc/shadow already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch
rule for /etc/shadow in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000530
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit chmod tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000640
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chmod for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000640
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chmod for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000640
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit chown tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000645
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chown for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000645
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chown for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL09-00-000645
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Any Attempts to Run chcon - Perform remediation of Audit rules for
/usr/bin/chcon
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
-F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
-F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000555
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_chcon
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run restorecon - Perform remediation of Audit rules
for /usr/sbin/restorecon
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_restorecon
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run semanage - Perform remediation of Audit rules
for /usr/sbin/semanage
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000650
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_semanage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run setfiles - Perform remediation of Audit rules
for /usr/sbin/setfiles
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000655
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_setfiles
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run setsebool - Perform remediation of Audit rules
for /usr/sbin/setsebool
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000660
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_setsebool
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run seunshare - Perform remediation of Audit rules
for /usr/sbin/seunshare
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x
-F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)*
-F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|")
}}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000
-F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_seunshare
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for kernel module loading for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
- delete_module
- finit_module
syscall_grouping:
- init_module
- delete_module
- finit_module
- name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
- delete_module
- finit_module
syscall_grouping:
- init_module
- delete_module
- finit_module
- name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for kernel module loading for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
- delete_module
- finit_module
syscall_grouping:
- init_module
- delete_module
- finit_module
- name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
- delete_module
- finit_module
syscall_grouping:
- init_module
- delete_module
- finit_module
- name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch
rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Search /etc/audit/rules.d
for other rules with specified key logins
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)logins$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Use /etc/audit/rules.d/logins.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch
rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch
rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch
rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- DISA-STIG-OL09-00-000720
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch
rule for /var/log/lastlog already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Search /etc/audit/rules.d
for other rules with specified key logins
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)logins$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use /etc/audit/rules.d/logins.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule
for /var/log/lastlog in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/lastlog -p wa -k logins
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch
rule for /var/log/lastlog already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule
for /var/log/lastlog in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/lastlog -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- DISA-STIG-OL09-00-000700
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Check if watch
rule for /var/log/tallylog already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Search /etc/audit/rules.d
for other rules with specified key logins
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)logins$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Use /etc/audit/rules.d/logins.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Use matched
file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Add watch
rule for /var/log/tallylog in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/tallylog -p wa -k logins
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Check if watch
rule for /var/log/tallylog already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - tallylog - Add watch
rule for /var/log/tallylog in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/tallylog -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- DISA-STIG-OL09-00-000725
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_tallylog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set
List of Mount Points Which Permits Execution of Privileged Commands
ansible.builtin.set_fact:
privileged_mount_points: '{{ (ansible_facts.mounts | rejectattr(''options'',
''search'', ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'')
| map(attribute=''mount'') | list ) }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search
for Privileged Commands in Eligible Mount Points
ansible.builtin.shell:
cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null
register: result_privileged_commands_search
changed_when: false
failed_when: false
with_items: '{{ privileged_mount_points }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set
List of Privileged Commands Found in Eligible Mount Points
ansible.builtin.set_fact:
privileged_commands: '{{ privileged_commands | default([]) + item.stdout_lines
}}'
loop: '{{ result_privileged_commands_search.results }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- item is not skipped
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged
Commands are Present in the System
block:
- name: Ensure auditd Collects Information on the Use of Privileged Commands -
Ensure Rules for All Privileged Commands in augenrules Format
ansible.builtin.lineinfile:
path: /etc/audit/rules.d/privileged.rules
line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
regexp: ^.*path={{ item | regex_escape() }} .*$
create: true
with_items:
- '{{ privileged_commands }}'
- name: Ensure auditd Collects Information on the Use of Privileged Commands -
Ensure Rules for All Privileged Commands in auditctl Format
ansible.builtin.lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
regexp: ^.*path={{ item | regex_escape() }} .*$
create: true
with_items:
- '{{ privileged_commands }}'
- name: Ensure auditd Collects Information on the Use of Privileged Commands -
Search for Duplicated Rules in Other Files
ansible.builtin.find:
paths: /etc/audit/rules.d
recurse: false
contains: ^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item | regex_escape()
}} .*$
patterns: '*.rules'
with_items:
- '{{ privileged_commands }}'
register: result_augenrules_files
- name: Ensure auditd Collects Information on the Use of Privileged Commands -
Ensure Rules for Privileged Commands are Defined Only in One File
ansible.builtin.lineinfile:
path: '{{ item.1.path }}'
regexp: ^-a always,exit (-F arch=b32 |-F arch=b64 )?-F path={{ item.0.item
| regex_escape() }} .*$
state: absent
with_subelements:
- '{{ result_augenrules_files.results }}'
- files
when:
- item.1.path != '/etc/audit/rules.d/privileged.rules'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- privileged_commands is defined
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for adjtimex for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for adjtimex for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- name: Check existence of adjtimex in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for clock_settime for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for clock_settime for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
set_fact:
audit_arch: b64
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
== "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for settimeofday for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for settimeofday for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- audit_arch == "b64"
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for stime syscall for x86 platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- stime
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of stime in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine(
{item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files')
| flatten | map(attribute='path') | list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({
item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
| list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() |
sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- stime
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of stime in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+((
-S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched')
| map(attribute='item') | list }}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found)
}}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found
| join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture ==
"s390x" ) )
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_stime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d
for other rules with specified key audit_time_rules
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
patterns: '*.rules'
register: find_watch_key
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_time_rules.rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Use matched file as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
is defined and find_existing_watch_rules_d.matched == 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime
in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/localtime -p wa -k audit_time_rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime
in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/localtime -p wa -k audit_time_rules
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
== 0
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd Flush Priority
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^\s*flush\s*=\s*.*$
line: flush = {{ var_auditd_flush }}
state: present
create: true
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.3.1
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
- auditd_data_retention_flush
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set number of records to cause an explicit flush to audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
line: freq = {{ var_auditd_freq }}
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000775
- NIST-800-53-CM-6
- auditd_freq
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Include Local Events in Audit Logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
line: local_events = yes
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000800
- NIST-800-53-CM-6
- auditd_local_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Resolve information before writing to audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
line: log_format = ENRICHED
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000835
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- auditd_log_format
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Set type of computer node name logging in audit logs - Define Value to Be
Used in the Remediation
ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0]
}}"
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000755
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.2
- auditd_name_format
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set type of computer node name logging in audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
line: name_format = {{ auditd_name_format_split }}
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000755
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.2
- auditd_name_format
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Write Audit Logs to the Disk
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
line: write_logs = yes
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL09-00-000880
- NIST-800-53-CM-6
- auditd_write_logs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according
to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
content: |
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful file accesses - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
content: |
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful file accesses - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy