
more rules

010010-020620
Micah Halter 1 year ago
parent
commit
9da3ae3e46
  1. 4
      roles/disa-v2r6/defaults/main.yml
  2. 3
      roles/disa-v2r6/handlers/main.yml
  3. 79
      roles/disa-v2r6/tasks/main.yml

4
roles/disa-v2r6/defaults/main.yml

@ -1,4 +1,8 @@
---
# generate hash using `grub2-mkpasswd-pbkdf2`
# provided hash is for `defaultpassword`
bootloader_password_hash: "grub.pbkdf2.sha512.10000.BC95FD85B8A38E9C3A097FE7F0E1D0D1439BD177D080A284D109CC556F2B30A75F9BBE8EF2360CD51B76C1E1FCAE78C5080D5F916CEB7ADE2A67DF581204EED5.3F7E1C601889B6BE266CC4A8A013295941EA2693B797B07CABDFF3C90FE968AE77A816D428951E0E7ACF4F12F160AAA95D0BF65D1136F9FB2D6BD75BD0C9177A"
logon_banner: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
ssh_present: yes
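Review bot: The shipped default for `bootloader_password_hash` is, per the comment on the line above it, the hash of the placeholder `defaultpassword`, so any host where this role runs without an override ends up with a GRUB superuser password that anyone reading this repository knows. A safer default is an empty value, `bootloader_password_hash: ""`, with the RHEL-07-010491 task failing (or being skipped with a clear message) when the variable is empty, so that a real hash must be supplied per inventory. `ssh_present: yes` relies on YAML 1.1 truthy parsing; write `ssh_present: true`. The banner is single-quoted, so each `\n` stays as two literal characters rather than a newline; that is fine only if whatever task consumes `logon_banner` interprets escapes itself, otherwise a `|` block scalar with real line breaks is the portable form.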

3
roles/disa-v2r6/handlers/main.yml

@ -5,3 +5,6 @@
state: restarted
when:
- ssh_present
- name: make grub2 config
command: /usr/sbin/grub2-mkconfig --output=/boot/efi/EFI/redhat/grub.cfg
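Review bot: The new `make grub2 config` handler writes to the UEFI path `/boot/efi/EFI/redhat/grub.cfg` unconditionally, but the tasks that notify it belong to a UEFI-only STIG item, so on a BIOS host where that directory does not exist the handler would presumably fail at the end of the play; gate it with a `when:` on the same UEFI condition the notifying tasks use, or on that directory existing. As a `command` task it also reports `changed` on every run, so a `changed_when` or a comment explaining why that is acceptable would help. The `restart sshd` handler whose `state`/`when` lines open this hunk starts outside the hunk.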

79
roles/disa-v2r6/tasks/main.yml

@ -1091,3 +1091,82 @@
tags:
- CAT-I
- RHEL-07-010450
- name: "CAT II | RHEL-07-010460 | The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."
block:
- name: don't allow users to override ssh env variables
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "(?i)^#?PermitUserEnvironment"
line: PermitUserEnvironment no
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
tags:
- CAT-II
- RHEL-07-010460
- name: "CAT II | RHEL-07-010470 | The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."
block:
- name: don't allow users to ssh with non-certificate trusted logon
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "(?i)^#?HostbasedAuthentication"
line: HostbasedAuthentication no
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
tags:
- CAT-II
- RHEL-07-010470
- name: |
"CAT I | RHEL-07-010480 | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
"CAT I | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
"CAT I | RHEL-07-010490 | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
block:
- debug:
msg:
- "This is not applicable for UEFI Systems"
- "This is not applicable for RHEL >7.2"
tags:
- CAT-I
- RHEL-07-010480
- RHEL-07-010482
- RHEL-07-010490
- name: "CAT II | RHEL-07-010481 | The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."
block:
- name: make sure authentication is required for singled-user mode
lineinfile:
create: true
dest: /usr/lib/systemd/system/rescue.service
regexp: ^#?ExecStart=
line: ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
tags:
- CAT-II
- RHEL-07-010481
- name: "CAT I | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
block:
- name: verify bootloader authentication password
lineinfile:
path: /boot/efi/EFI/redhat/user.cfg
create: yes
regexp: ^GRUB2_PASSWORD=
line: GRUB2_PASSWORD={{ bootloader_password_hash }}
notify: make grub2 config
- name: verify superuser accounts for bootloader
lineinfile:
dest: /boot/efi/EFI/redhat/grub.cfg
create: yes
insertafter: EOF
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: make grub2 config
with_items:
- regexp: ^\s*set superusers=
line: ' set superusers="root"'
- regexp: ^\s*export superusers
line: ' export superusers'
tags:
- CAT-I
- RHEL-07-010491
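Review bot: The `verify superuser accounts for bootloader` task edits the generated `/boot/efi/EFI/redhat/grub.cfg` in place and then notifies `make grub2 config`, which regenerates that same file, so the lineinfile changes are overwritten by the handler they trigger; on RHEL 7 the generated config appears to derive the `superusers` lines from `user.cfg` itself (the leading-space values on the `line:` entries suggest the author copied them from such generated output), in which case writing `GRUB2_PASSWORD` to `user.cfg` and regenerating is sufficient and the second task can be dropped, and its `create: yes` would otherwise leave a bare `grub.cfg` on a host that had none. The RHEL-07-010481 task changes `ExecStart=` in `/usr/lib/systemd/system/rescue.service` without a `systemctl daemon-reload`, so the new command is not picked up until one happens; add `notify:` to a daemon-reload handler, or a following `systemd: daemon_reload: true` task. The `name: |` block for RHEL-07-010480/010482/010490 yields a task name containing literal double quotes and newlines; a `>-` folded scalar without the inner quotes reads cleanly in play output. `create: true` on the rescue.service task and `create: yes` on the two grub tasks should agree, preferably on `true`.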