
Merge pull request #1 from akremo/master

Merge More Rules Into Main Repo
020630-040160
Micah Halter 1 year ago
committed by GitHub
parent
commit
21b0364a83
  1. 38
      README.md
  2. 898
      roles/disa-v2r6/tasks/main.yml

38
README.md

@ -22,3 +22,41 @@ This is heavily based on the [MindPointGroup/RHEL7-STIG](https://github.com/Mind
| CAT-II | V-72009 | RHEL-07-020330 |
| CAT-II | V-72011 | RHEL-07-020600 |
| CAT-II | V-72015 | RHEL-07-020620 |
| CAT-II | V-72017 | RHEL-07-020630 |
| CAT-II | V-72019 | RHEL-07-020640 |
| CAT-II | V-72021 | RHEL-07-020650 |
| CAT-II | V-72023 | RHEL-07-020660 |
| CAT-II | V-72025 | RHEL-07-020670 |
| CAT-II | V-72027 | RHEL-07-020680 |
| CAT-II | V-72029 | RHEL-07-020690 |
| CAT-II | V-72031 | RHEL-07-020700 |
| CAT-II | V-72033 | RHEL-07-020710 |
| CAT-II | V-72035 | RHEL-07-020720 |
| CAT-II | V-72037 | RHEL-07-020730 | Might be able to automate
| CAT-II | V-72039 | RHEL-07-020900 |
| CAT-II | V-72043 | RHEL-07-021010 |
| CAT-II | V-72045 | RHEL-07-021020 |
| CAT-II | V-73161 | RHEL-07-021021 |*
| CAT-III | V-81009 | RHEL-07-021022 |*
| CAT-III | V-81011 | RHEL-07-021023 |*
| CAT-III | V-81013 | RHEL-07-021024 |*
| CAT-II | V-72047 | RHEL-07-021030 |*
| CAT-II | V-72049 | RHEL-07-021040 |*
| CAT-III | V-72059 | RHEL-07-021310 |
| CAT-III | V-72061 | RHEL-07-021320 |
| CAT-III | V-72063 | RHEL-07-021330 |
| CAT-III | V-72065 | RHEL-07-021340 |
| CAT-I | V-72067 | RHEL-07-021350 |
| CAT-III | V-72069 | RHEL-07-021600 |
| CAT-III | V-72071 | RHEL-07-021610 |
| CAT-II | V-72073 | RHEL-07-021620 |
| CAT-II | V-72075 | RHEL-07-021700 |
| CAT-I | V-72213 | RHEL-07-032000 |
| CAT-II | V-72219 | RHEL-07-040100 |
| CAT II | V-72081 | RHEL-07-030010 | can be changed to f1 for availability
| CAT II | V-72083 | RHEL-07-030300 |
| CAT II | V-72087 | RHEL-07-030320 |
| CAT II | V-72063 | RHEL-07-030321 |
| CAT II | V-72089 | RHEL-07-030330 |
| CAT II | V-72091 | RHEL-07-030340 |
| CAT II | V-72093 | RHEL-07-030350 |

898
roles/disa-v2r6/tasks/main.yml

@ -1191,9 +1191,62 @@
- CAT-I
- RHEL-07-020010
#- name: "CAT II | RHEL-07-020020 | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
# block:
# - name: check authorized users
# command: "true"
# changed_when: no
# when: rhel_07_020020
# tags:
# - CAT-II
# - RHEL-07-020020
# Might need to be done manually
- name: |
"CAT II | RHEL-07-020030 | The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."
"CAT II | RHEL-07-020040 | The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."
block:
- name: ensure aide installed
shell: |
pack=$(yum list installed aide)
if [[ $pack -eq 0 ]]; then
exit 0
else
exit 1
fi
args:
warn: false
register: aide_installed
failed_when: aide_installed > 1
changed_when: false
- name: ensure /etc/cron.daily/aide exists
shell: |
file=/etc/cron.daily/aide
if [[ -f "$file" ]]; then
exit 0
else
exit 1
fi
args:
warn: false
register: aide_cron_daily
failed_when: aide_cron_daily > 1
changed_when: false
- name: ensure /etc/cron.daily/aide is set correctly
lineinfile:
path: /etc/cron.daily/aide
line: '{{item}}'
with_item:
- '#!/bin/bash'
- '/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root'
tags:
- CAT-II
- RHEL-07-020030
- RHEL-07-020040
- name: "CAT I | RHEL-07-020050 | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
block:
- name: verify all packages verify gpg keys
- name: "set yum to verify the signature of packages"
lineinfile:
dest: /etc/yum.conf
regexp: ^gpgcheck
@ -1291,8 +1344,8 @@
- RHEL-07-020200
- name: |
"CAT I | RHEL-07-020210 | The Red Hat Enterprise Linux operating system must enable SELinux."
"CAT I | RHEL-07-020220 | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."
"CAT I | RHEL-07-020210 | The Red Hat Enterprise Linux operating system must enable SELinux."
"CAT I | RHEL-07-020220 | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."
block:
- name: check if SELinux is enforcing
selinux:
@ -1349,3 +1402,842 @@
tags:
- CAT-II
- RHEL-07-020610
- name: "CAT II | RHEL-07-021100 | The Red Hat Enterprise Linux operating system must have cron logging implemented."
lineinfile:
path: /etc/rsyslog.conf
state: present
regexp: '^cron\.\*[ \t]+/var/log/cron$'
line: 'cron.* /var/log/cron'
insertafter: '#### RULES ####'
register: result
failed_when:
- result is failed
- result.rc != 257
when: rhel_07_021100
tags:
- CAT-II
- RHEL-07-021100
- name: "CAT II | RHEL-07-021110 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."
block:
stat:
path: /etc/cron.allow
register: cron_allow
file:
dest: /etc/cron.allow
state: file
owner: root
group: root
mode: 0600
when: cron_allow.exists
tags:
- CAT-II
- RHEL-07-021110
- RHEL-07-021120
- name: "CAT II| RHEL-07-021300 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
block:
- name: "Register status of kdump"
shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
register: rhel_07_021300_kdump_service_status
changed_when: no
check_mode: no
- name: "Disable kdump if it's loaded"
service:
name: kdump
enabled: no
state: stopped
when:
- rhel_07_021300_kdump_service_status.stdout == "loaded"
- not rhel7stig_kdump_required
when: rhel_07_021300
tags:
- CAT-II
- RHEL-07-021300
- name: "CAT I | RHEL-07-021710 |The Red Hat Enterprise Linux operating system must not have the telnet-server package installed "
yum:
name: telnet-server
state: absent
tags:
- CAT-I
- RHEL-07-021710
- name: "CAT I | RHEL-07-030000 | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."
block:
- name: "ensure auditd is present"
yum:
name: audit
state: present
- name: "ensure auditd is enable and started"
service:
name: auditd
state: started
enabled: yes
tags:
- CAT-I
- RHEL-07-030000
## 030010-030920 Audit stuff
- name: "CAT II | RHEL-07-030010 | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."
command: auditctl -f 2
- name: "CAT II | RHEL-07-030200 | The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
block:
stat:
path: /etc/audisp/plugins.d/au-remote.conf
register: au-remote_status
file:
path: /etc/audisp/plugins.d/au-remote.conf
state: touch
when: au-remote_status.exists == false
- name: |
"CAT II | RHEL-07-030201 | The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."
"CAT II | RHEL-07-030210 | The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."
"CAT II | RHEL-07-030211 | The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
block:
- name: "regiester existence of au-remote.cont"
stat:
path: /etc/audisp/plugins.d/au-remote.conf
register: au-remote_change
- name: "Configure audispd.conf"
lineinfile:
path: /etc/audisp/plugins.d/au-remote.conf
line: '{{ itme }}'
with_items:
- 'active = yes'
- 'direction = out'
- 'path = /sbin/audisp-remote'
- 'type = always'
- 'overflow_action = syslog'
- 'name_format = hostname'
when: au-remote_status.exists
tags:
- CAT-II
- RHEL-07-030201
- RHEL-07-030210
- name: "CAT II | RHEL-07-030360 | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."
block:
- name: "Create an Audit config file to house all the DISA STIG RULES"
file:
path: /etc/audit/rules.d/DISA-STIGs.rules
state: touch
owner: root
group: root
mode: '0644'
- name: RHEL-07-030360
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid'
- '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid'
- '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid'
- '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid'
tags:
- CAT-II
- RHEL-07-030360
- name: "CAT II | RHEL-07-030370 | The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall"
# Chown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030370
- name: "CAT II | RHEL-07-030380 | The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."
# fChown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030380
- name: " CAT II | RHEL-07-030390 | The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall"
# lChown usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030390
- name: " CAT II | RHEL-07-030400 | The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."
# fChownat usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030400
- name: " CAT II | RHEL-07-030410 | The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."
# chmod usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030410
- name: " CAT II | RHEL-07-030420 | The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."
# fchmod usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030420
- name: " CAT II | RHEL-07-030430 | The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall"
# fchmodat usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030430
- name: " CAT II | RHEL-07-030440 | The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."
# setxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030440
- name: " CAT II | RHEL-07-030450 | The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."
# fsetxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030450
- name: " CAT II | RHEL-07-030460 | The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."
# lsetxattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030460
- name: " CAT II | RHEL-07-030470 | The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."
# removexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030470
- name: " CAT II | RHEL-07-030480 | The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."
# fremovexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030480
- name: " CAT II | RHEL-07-030490 | The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."
# lremovexattr usage
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
tags:
- CAT-II
- RHEL-07-030490
- name: " CAT II | RHEL-07-030500 | The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall" # successful and unsuccessful uses of creat syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030500
- name: " CAT II | RHEL-07-030510 | The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."
# successful and unsuccessful uses of open syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030510
- name: " CAT II | RHEL-07-030520 | The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."
# successful and unsuccessful uses of openat syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030520
- name: " CAT II | RHEL-07-030530 | The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."
# successful and unsuccessful uses of open_by_handle_at syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030530
- name: " CAT II | RHEL-07-030540 | The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."
# successful and unsuccessful uses of truncate syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030540
- name: " CAT II | RHEL-07-030550 | The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."
# successful and unsuccessful uses of ftruncate syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- '-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
tags:
- CAT-II
- RHEL-07-030550
- name: " CAT II | RHEL-07-030560 | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."
# successful and unsuccessful uses of semanage syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030560
- name: " CAT II | RHEL-07-030570 | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."
# successful and unsuccessful uses of setsebool syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030570
- name: " CAT II | RHEL-07-030580 | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."
# successful and unsuccessful uses of chcon syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030580
- name: " CAT II | RHEL-07-030590 | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."
# successful and unsuccessful uses of setfiles syscall
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030590
- name: " CAT II | RHEL-07-030610 | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."
# failed logins
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /var/run/faillock -p wa -k logins'
tags:
- CAT-II
- RHEL-07-030610
- name: " CAT II | RHEL-07-030620 | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."
# successful logins
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /var/log/lastlog -p wa -k logins'
tags:
- CAT-II
- RHEL-07-030620
- name: " CAT II | RHEL-07-030630 | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."
# successful and unsuccessful attempts to use the "passwd" command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030630
- name: " CAT II | RHEL-07-030640 | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."
# successful and unsuccessful attempts to use the unix_chkpwd command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030640
- name: " CAT II | RHEL-07-030650 | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."
# successful and unsuccessful attempts to use the gpasswd command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030650
- name: " CAT II | RHEL-07-030660 | The Red Hat Enterprise Linux operating system must audit all uses of the chage command."
# successful and unsuccessful attempts to use the chage command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030660
- name: " CAT II | RHEL-07-030670 | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."
# successful and unsuccessful attempts to use the userhelper command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
tags:
- CAT-II
- RHEL-07-030670
- name: " CAT II | RHEL-07-030680 | The Red Hat Enterprise Linux operating system must audit all uses of the su command."
# successful and unsuccessful attempts to use the su command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030680
- name: " CAT II | RHEL-07-030690 | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."
# successful and unsuccessful attempts to use the sudo command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030690
- name: " CAT II | RHEL-07-030700 | The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."
# successful and unsuccessful attempts to access the sudoers file and directory
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/sudoers -p wa -k privileged-actions'
- '-w /etc/sudoers.d/ -p wa -k privileged-actions'
tags:
- CAT-II
- RHEL-07-030700
- name: " CAT II | RHEL-07-030710 | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."
# successful and unsuccessful attempts to use the newgrp command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030710
- name: " CAT II | RHEL-07-030720 | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."
# successful and unsuccessful attempts to use the chsh command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
tags:
- CAT-II
- RHEL-07-030720
- name: " CAT II | RHEL-07-030740 | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."
# successful and unsuccessful attempts to use the mount commands and syscalls
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
- '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
- '-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
tags:
- CAT-II
- RHEL-07-030740
- name: " CAT II | RHEL-07-030750 | The Red Hat Enterprise Linux operating system must audit all uses of the umount command."
# successful and unsuccessful attempts to use the umount command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
tags:
- CAT-II
- RHEL-07-030750
- name: " CAT II | RHEL-07-030760 | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."
# successful and unsuccessful attempts to use the postdrop command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
tags:
- CAT-II
- RHEL-07-030760
- name: " CAT II | RHEL-07-030770 | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."
# successful and unsuccessful attempts to use the postqueue command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
tags:
- CAT-II
- RHEL-07-030770
- name: " CAT II | RHEL-07-030780 | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."
# successful and unsuccessful attempts to use the ssh-keysign command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
tags:
- CAT-II
- RHEL-07-030780
- name: " CAT II | RHEL-07-030800 | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."
# successful and unsuccessful attempts to use the crontab command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
tags:
- CAT-II
- RHEL-07-030800
- name: " CAT II | RHEL-07-030810 | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."
# successful and unsuccessful attempts to use the pam_timestamp_check command
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
tags:
- CAT-II
- RHEL-07-030810
- name: " CAT II | RHEL-07-030819 | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S create_module -k module-change'
- '-a always,exit -F arch=b64 -S create_module -k module-change'
tags:
- CAT-II
- RHEL-07-030819
- name: " CAT II | RHEL-07-030820 | The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S init_module -k module-change'
- '-a always,exit -F arch=b64 -S init_module -k module-change'
tags:
- CAT-II
- RHEL-07-030820
- name: " CAT II | RHEL-07-030821 | The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S finit_module -k module-change'
- '-a always,exit -F arch=b64 -S finit_module -k module-change'
tags:
- CAT-II
- RHEL-07-030821
- name: " CAT II | RHEL-07-030830 | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."
# successful and unsuccessful attempts to use the delete_module syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S delete_module -k module-change'
- '-a always,exit -F arch=b64 -S delete_module -k module-change'
tags:
- CAT-II
- RHEL-07-030830
- name: "CAT II | RHEL-07-030840 | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change'
tags:
- CAT-II
- RHEL-07-030840
- name: "CAT II | RHEL-07-030870 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
# Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/passwd -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030870
- name: "CAT II | RHEL-07-030871 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/group -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030871
- name: "CAT II | RHEL-07-030872 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/gshadow -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030872
- name: "CAT II | RHEL-07-030873 | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/shadow -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030873
- name: "CAT II | RHEL-07-030874 |The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."
# onfigure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd".
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-w /etc/security/opasswd -p wa -k identity'
tags:
- CAT-II
- RHEL-07-030874
- name: "CAT II | RHEL-07-030880 | The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."
# successful and unsuccessful attempts to use the rename syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030880
- name: "CAT II | RHEL-07-030890 | The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall"
# successful and unsuccessful attempts to use the renameat syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030890
- name: "CAT II | RHEL-07-030900 | The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."
# successful and unsuccessful attempts to use the rmdir syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030900
- name: "CAT II | RHEL-07-030910 | The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."
# successful and unsuccessful attempts to use the unlink syscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030910
- name: "CAT II | RHEL-07-030920 | The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."
# successful and unsuccessful attempts to use the unlinkatsyscall occur
lineinfile:
path: /etc/audit/rules.d/DISA-STIGs.rules
line: '{{ item }}'
with_items:
- '-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'
- '-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete'
tags:
- CAT-II
- RHEL-07-030920
- name: load all the rules into the main audit rules file
shell: /usr/sbin/augenrules --load
register: command_result
failed_when: "'FAILED' in command_result.stderr"
##031000 and RHEL-07-031010 pull from logging.yml may need to be manual depending on loggin solution
- name: "CAT III| RHEL-07-040000 | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."
lineinfile:
state: present
dest: /etc/security/limits.conf
insertbefore: '^# End of file'
regexp: '^\*.*maxlogins'
line: '* hard maxlogins 10'
tags:
- CAT-III
- RHEL-07-040000
- name: "CAT II | RHEL-07-040110 | The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "(?i)^#?Ciphers"
line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
tags:
- CAT-II
- RHEL-07-040110
### RHEL-07-040160