
added more rules; need to test more, but good so far

pull/1/head
Kremo 1 year ago
parent
commit
17d071cc81
  1. 2
      README.md
  2. 186
      roles/disa-v2r6/tasks/main.yml

2
README.md

@ -10,3 +10,5 @@ This is heavily based on the [MindPointGroup/RHEL7-STIG](https://github.com/Mind
| Severity | Vulid | STIG-ID |
|----------|---------|----------------|
| CAT-II | V-71965 | RHEL-07-010500 |
|----------|---------|----------------|
| CAT-II | V-71971 | RHEL-07-020020 |

186
roles/disa-v2r6/tasks/main.yml

@ -1190,3 +1190,189 @@
tags:
- CAT-I
- RHEL-07-020010
#- name: "CAT II | RHEL-07-020020 | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
# block:
# - name: check authorized users
# command: "true"
# changed_when: no
# when: rhel_07_020020
# tags:
# - CAT-II
# - RHEL-07-020020
# Might need to be done manually
- name: |
"CAT II | RHEL-07-020030 | The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."
"CAT II | RHEL-07-020040 | The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."
block:
- name: ensure aide installed
shell: |
pack=$(yum list installed aide)
if [[ $pack -eq 0 ]]; then
exit 0
else
exit 1
fi
args:
warn: false
register: aide_installed
failed_when: aide_installed > 1
changed_when: false
- name: ensure /etc/cron.daily/aide exists
shell: |
file=/etc/cron.daily/aide
if [[ -f "$file" ]]; then
exit 0
else
exit 1
fi
args:
warn: false
register: aide_cron_daily
failed_when: aide_cron_daily > 1
changed_when: false
- name: ensure /etc/cron.daily/aide is set correctly
lineinfile:
path: /etc/cron.daily/aide
line: '{{item}}'
with_item:
- '#!/bin/bash'
- '/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root'
tags:
- CAT-II
- RHEL-07-020030
- RHEL-07-020040
- name: "CAT I | RHEL-07-020050 | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
block:
- name: "set yum to verify the signature of packages"
lineinfile:
dest: /etc/yum.conf
regexp: ^gpgcheck
line: gpgcheck=1
insertafter: '\[main\]'
tags:
- CAT-I
- RHEL-07-020050
- name: "CAT I | RHEL-07-020060 | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
block:
- name: "set local gpg key check"
lineinfile:
dest: /etc/yum.conf
regexp: ^localpkg_gpgcheck
line: localpkg_gpgcheck=1
insertafter: '\[main\]'
tags:
- CAT-I
- RHEL-07-020060
- name: "CAT II | RHEL-07-020100 | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."
lineinfile:
dest: /etc/modprobe.d/blacklist.conf
insertafter: "{{ item.insertafter }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
create: yes
owner: root
group: root
mode: "0644"
with_items:
- insertafter: "^#blacklist usb-storage(\\s+|$)"
regexp: "^blacklist usb-storage(\\s+|$)"
line: 'blacklist usb-storage'
- insertafter: "^#install usb-storage"
regexp: "^install usb-storage"
line: install usb-storage /bin/true
when: rhel_07_020100
tags:
- CAT-II
- RHEL-07-020100
- name: "CAT II | RHEL-07-020110 | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."
block:
- name: "Check if autofs is loaded"
shell: "systemctl show autofs | grep LoadState | cut -d = -f 2"
register: autofs_service_status
changed_when: no
check_mode: no
tags:
- RHEL-07-020110
- name: "Disable autofs"
service:
name: autofs
enabled: no
state: stopped
when:
- autofs_service_status == "loaded"
tags:
- RHEL-07-020110
- name: "CAT III | RHEL-07-020200 | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."
block:
- name: "set yum to clean up the unneeded packages"
lineinfile:
dest: /etc/yum.conf
regexp: ^#?clean_requirements_on_remove
line: clean_requirements_on_remove=1
insertafter: '\[main\]'
tags:
- CAT-III
- RHEL-07-020200
- name: |
"CAT I | RHEL-07-20210 | The Red Hat Enterprise Linux operating system must enable SELinux."
"CAT I | RHEL-07-20220 | The Red Hat Enterprise Linux operating system must targeted SELinux."
selinux:
state: enforcing
policy: targeted
check_mode: "{{ ansibe_check_mode or ansible_is_chroot }}"
tags:
- CAT-I
- RHEL-07-020210
- RHEL-07-020220
- name: "CAT I | RHEL-07-20230 | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."
shell: /bin/systemctl mask ctrl-alt-del.target
args:
warn: false
tags:
- CAT-I
- RHEL-07-020230
- name: "CAT II | RHEL-07-020240 | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
lineinfile:
path: /etc/login.defs
regexp: ^#?UMASK
line: "UMASK 077"
tags:
- CAT-II
- RHEL-07-020240
#- name: "CAT I | RHEL-07-020250 | The Red Hat Enterprise Linux operating system must be a vendor supported release."
# block:
# name: check release version
# shell:
# cat /etc/redhat-release | grep 7.*
# register: rhel_version
# debug:
# msg: Minumum suppported vertsion is 7.5. Your version is {{ rhel_version }}. Please upgrade
# failed_when:
# - rhel_version < 7.5
# tags:
# - CAT-I
# - RHEL-07-020250
#### WONT work offline with out a local repo on the network ########
- name: "CAT II | RHEL-07-020260 | The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."
yum:
name: '*'
state: latest
when: rhel_07_020260
tags:
- CAT-II
- RHEL-07-020260
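Review bot: The `when` on the "Disable autofs" task compares the whole registered result to a string, `autofs_service_status == "loaded"`, so it is never true and autofs is never stopped; it should read `autofs_service_status.stdout == "loaded"`. The same mistake sits in the aide checks, `failed_when: aide_installed > 1` and `failed_when: aide_cron_daily > 1`, which compare the result dict to an integer instead of `aide_installed.rc > 1` / `aide_cron_daily.rc > 1`, and the shell test `[[ $pack -eq 0 ]]` inspects yum's output text rather than its exit status, so a missing aide package is never reported (the `package` module with `name: aide` and `state: present` would both check and remediate). The "ensure /etc/cron.daily/aide is set correctly" task uses `with_item:`, which Ansible rejects as an unknown keyword; it should be `with_items:`. Further down, `check_mode: "{{ ansibe_check_mode or ansible_is_chroot }}"` misspells `ansible_check_mode`, so the SELinux task will fail on an undefined variable. The hunk opens on a `tags:` list whose task starts outside it.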