
more rules

010010-020620
Micah Halter 1 year ago
parent
commit
96551819c5
  1. 12
      README.md
  2. 3
      roles/disa-v2r6/handlers/main.yml
  3. 159
      roles/disa-v2r6/tasks/main.yml
  4. 31
      roles/disa-v2r6/tasks/prelim.yml

12
README.md

@ -10,3 +10,15 @@ This is heavily based on the [MindPointGroup/RHEL7-STIG](https://github.com/Mind
| Severity | Vulid | STIG-ID |
|----------|---------|----------------|
| CAT-II | V-71965 | RHEL-07-010500 |
| CAT-II | V-92255 | RHEL-07-020019 |
| CAT-II | V-71971 | RHEL-07-020020 |
| CAT-II | V-71973 | RHEL-07-020030 |
| CAT-II | V-71975 | RHEL-07-020040 |
| CAT-I | V-71997 | RHEL-07-020250 |
| CAT-II | V-71999 | RHEL-07-020260 |
| CAT-II | V-72003 | RHEL-07-020300 |
| CAT-I | V-72005 | RHEL-07-020310 |
| CAT-II | V-72007 | RHEL-07-020320 |
| CAT-II | V-72009 | RHEL-07-020330 |
| CAT-II | V-72011 | RHEL-07-020600 |
| CAT-II | V-72015 | RHEL-07-020620 |

3
roles/disa-v2r6/handlers/main.yml

@ -8,3 +8,6 @@
- name: make grub2 config
command: /usr/sbin/grub2-mkconfig --output=/boot/efi/EFI/redhat/grub.cfg
- name: dconf update
command: dconf update

159
roles/disa-v2r6/tasks/main.yml

@ -1190,3 +1190,162 @@
tags:
- CAT-I
- RHEL-07-020010
- name: "CAT I | RHEL-07-020050 | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
block:
- name: verify all packages verify gpg keys
lineinfile:
dest: /etc/yum.conf
regexp: ^gpgcheck
line: gpgcheck=1
insertafter: '\[main\]'
tags:
- CAT-I
- RHEL-07-020050
- name: "CAT I | RHEL-07-020060 | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
block:
- name: verify all packages verify gpg keys
lineinfile:
dest: /etc/yum.conf
regexp: ^localpkg_gpgcheck
line: localpkg_gpgcheck=1
insertafter: '\[main\]'
tags:
- CAT-I
- RHEL-07-020060
- name: "CAT II | RHEL-07-020100 | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."
block:
- name: verify usb storage is disabled
lineinfile:
dest: /etc/modprobe.d/usb-storage.conf
insertafter: "{{ item.insertafter }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
create: yes
owner: root
group: root
mode: "0644"
with_items:
- insertafter: "^#blacklist usb-storage(\\s+|$)"
regexp: "^blacklist usb-storage(\\s+|$)"
line: 'blacklist usb-storage'
- insertafter: "^#install usb-storage"
regexp: "^install usb-storage"
line: install usb-storage /bin/true
tags:
- CAT-II
- RHEL-07-020100
- name: "CAT II | RHEL-07-020101 | The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."
block:
- name: verify dccp is disabled
lineinfile:
dest: /etc/modprobe.d/dccp.conf
insertafter: "{{ item.insertafter }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
create: yes
owner: root
group: root
mode: "0644"
with_items:
- insertafter: ^#blacklist dccp
regexp: ^blacklist dccp(\s+|$)
line: blacklist dccp
- insertafter: ^#install dccp
regexp: "^install dccp "
line: install dccp /bin/true
tags:
- CAT-II
- RHEL-07-020101
- name: "CAT II | RHEL-07-020110 | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."
block:
- name: check if autofs exists
shell: "systemctl show autofs | grep LoadState | cut -d = -f 2"
register: autofs_service_check
changed_when: no
check_mode: no
- name: verify autofs is disabled
service:
name: autofs
enabled: no
state: stopped
when: autofs_service_check == "loaded"
tags:
- CAT-II
- RHEL-07-020110
- name: "CAT III | RHEL-07-020200 | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."
block:
- name: check if yum cleans components after updating
lineinfile:
dest: /etc/yum.conf
regexp: ^#?clean_requirements_on_remove
line: clean_requirements_on_remove=1
insertafter: '\[main\]'
tags:
- CAT-III
- RHEL-07-020200
- name: |
"CAT I | RHEL-07-020210 | The Red Hat Enterprise Linux operating system must enable SELinux."
"CAT I | RHEL-07-020220 | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."
block:
- name: check if SELinux is enforcing
selinux:
state: enforcing
policy: targeted
tags:
- CAT-I
- RHEL-07-020210
- RHEL-07-020220
- name: "CAT I | RHEL-07-020230 | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."
block:
- name: mask ctrl-alt-delete
file:
src: /dev/null
dest: /etc/systemd/system/ctrl-alt-del.target
state: link
tags:
- CAT-I
- RHEL-07-020230
- name: "CAT I | RHEL-07-020231 | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the GUI."
block:
- name: disable ctrl-alt-delete for GUI
copy:
dest: /etc/dconf/db/local.d/00-disable-CAD
content: |
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
mode: '0644'
notify: dconf update
tags:
- CAT-I
- RHEL-07-020231
- name: "CAT II | RHEL-07-020240 | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
block:
- name: make sure users can only read and modify their own files
lineinfile:
dest: /etc/login.defs
regexp: ^#?UMASK
line: "UMASK 077"
tags:
- CAT-II
- RHEL-07-020240
- name: "CAT II | RHEL-07-020610 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."
block:
- name: make all new users are assigned a home directory
lineinfile:
dest: /etc/login.defs
regexp: ^#?CREATE_HOME
line: "CREATE_HOME yes"
tags:
- CAT-II
- RHEL-07-020610
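Review bot: The autofs guard `when: autofs_service_check == "loaded"` compares the whole registered result (a dict carrying rc/stdout/stderr) against a string, so it is never true and the `verify autofs is disabled` task is skipped on every host; the RHEL-07-020110 control is silently not applied even when the unit is loaded. It should test the captured output: `when: autofs_service_check.stdout | trim == "loaded"`. Minor: the dccp `regexp: "^install dccp "` carries a trailing space while the usb-storage entry uses `^install usb-storage`, so an existing `install dccp\t/bin/true` line (tab-separated) would be duplicated rather than replaced; `^install dccp(\s+|$)` matches the blacklist pattern used two lines above.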

31
roles/disa-v2r6/tasks/prelim.yml

@ -4,3 +4,34 @@
changed_when: no
failed_when: no
register: sudoers_files
- name: "parse /etc/passwd"
block:
- name: "parse passwd file"
command: cat /etc/passwd
changed_when: no
check_mode: no
register: passwd_file_cat
- debug:
msg: "{{ passwd_file_cat }}"
- name: "split passwd entries"
set_fact:
rhel7stig_passwd: "{{ passwd_file_cat.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
vars:
ld_passwd_regex: >-
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
ld_passwd_yaml: |
id: >-4
\g<id>
password: >-4
\g<password>
uid: \g<uid>
gid: \g<gid>
gecos: >-4
\g<gecos>
dir: >-4
\g<dir>
shell: >-4
\g<shell>
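Review bot: The unnamed `debug` task with `msg: "{{ passwd_file_cat }}"` prints the entire registered result — every /etc/passwd line plus the command metadata — at default verbosity on every run, which is noise in normal operation and lands in whatever job log this hardening role is collected into. Name it and gate it behind a verbosity level: `- name: show raw passwd capture (debug only)` / `debug:` / `msg: "{{ passwd_file_cat.stdout_lines }}"` with `verbosity: 2`. Separately, `ld_passwd_regex` anchors only at `^` and requires seven colon-delimited fields; a malformed line that does not match is passed through `regex_replace` unchanged and reaches `from_yaml` as a bare string rather than a mapping, so any later task that indexes `.uid` or `.dir` on that element would fail — if such lines are expected to be tolerated, filtering with `select('match', ld_passwd_regex)` before the replace would make that explicit.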