
added more rules. NEED TESTING!

pull/1/head
akremo 1 year ago
parent
commit
ec10cf825a
  1. 43
      README.md
  2. 107
      roles/disa-v2r6/tasks/main.yml

43
README.md

@ -22,15 +22,34 @@ This is heavily based on the [MindPointGroup/RHEL7-STIG](https://github.com/Mind
| CAT-II | V-72009 | RHEL-07-020330 |
| CAT-II | V-72011 | RHEL-07-020600 |
| CAT-II | V-72015 | RHEL-07-020620 |
| CAT-II | V-72015 | RHEL-07-020630 |
| CAT-II | V-72015 | RHEL-07-020640 |
| CAT-II | V-72015 | RHEL-07-020650 |
| CAT-II | V-72015 | RHEL-07-020660 |
| CAT-II | V-72015 | RHEL-07-020670 |
| CAT-II | V-72015 | RHEL-07-020680 |
| CAT-II | V-72015 | RHEL-07-020690 |
| CAT-II | V-72015 | RHEL-07-020700 |
| CAT-II | V-72015 | RHEL-07-020710 |
| CAT-II | V-72015 | RHEL-07-020720 |
| CAT-II | V-72015 | RHEL-07-020730 | Might be able to automate
| CAT-II | V-72015 | RHEL-07-020900 |
| CAT-II | V-72017 | RHEL-07-020630 |
| CAT-II | V-72019 | RHEL-07-020640 |
| CAT-II | V-72021 | RHEL-07-020650 |
| CAT-II | V-72023 | RHEL-07-020660 |
| CAT-II | V-72025 | RHEL-07-020670 |
| CAT-II | V-72027 | RHEL-07-020680 |
| CAT-II | V-72029 | RHEL-07-020690 |
| CAT-II | V-72031 | RHEL-07-020700 |
| CAT-II | V-72033 | RHEL-07-020710 |
| CAT-II | V-72035 | RHEL-07-020720 |
| CAT-II | V-72037 | RHEL-07-020730 | Might be able to automate
| CAT-II | V-72039 | RHEL-07-020900 |
| CAT-II | V-72043 | RHEL-07-021010 |
| CAT-II | V-72045 | RHEL-07-021020 |
| CAT-II | V-73161 | RHEL-07-021021 |*
| CAT-III | V-81009 | RHEL-07-021022 |*
| CAT-III | V-81011 | RHEL-07-021023 |*
| CAT-III | V-81013 | RHEL-07-021024 |*
| CAT-II | V-72047 | RHEL-07-021030 |*
| CAT-II | V-72049 | RHEL-07-021040 |*
| CAT-III | V-72059 | RHEL-07-021310 |
| CAT-III | V-72061 | RHEL-07-021320 |
| CAT-III | V-72063 | RHEL-07-021330 |
| CAT-III | V-72065 | RHEL-07-021340 |
| CAT-I | V-72067 | RHEL-07-021350 |
| CAT-III | V-72069 | RHEL-07-021600 |
| CAT-III | V-72071 | RHEL-07-021610 |
| CAT-II | V-72073 | RHEL-07-021620 |
| CAT-II | V-72075 | RHEL-07-021700 |
| CAT-I | V-72213 | RHEL-07-032000 |
| CAT-II | V-72219 | RHEL-07-040100 |

107
roles/disa-v2r6/tasks/main.yml

@ -1403,4 +1403,109 @@
- CAT-II
- RHEL-07-020610
- name: "CAT"
- name: "CAT II | RHEL-07-021100 | The Red Hat Enterprise Linux operating system must have cron logging implemented."
lineinfile:
path: /etc/rsyslog.conf
state: present
regexp: '^cron\.\*[ \t]+/var/log/cron$'
line: 'cron.* /var/log/cron'
insertafter: '#### RULES ####'
register: result
failed_when:
- result is failed
- result.rc != 257
when: rhel_07_021100
tags:
- CAT-II
- RHEL-07-021100
- name: "CAT II | RHEL-07-021110 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."
block:
stat:
path: /etc/cron.allow
register: cron_allow
file:
dest: /etc/cron.allow
state: file
owner: root
group: root
mode: 0600
when: cron_allow.exists
tags:
- CAT-II
- RHEL-07-021110
- RHEL-07-021120
- name: "CAT II| RHEL-07-021300 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
block:
- name: "Register status of kdump"
shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
register: rhel_07_021300_kdump_service_status
changed_when: no
check_mode: no
- name: "Disable kdump if it's loaded"
service:
name: kdump
enabled: no
state: stopped
when:
- rhel_07_021300_kdump_service_status.stdout == "loaded"
- not rhel7stig_kdump_required
when: rhel_07_021300
tags:
- CAT-II
- RHEL-07-021300
- name: "CAT I | RHEL-07-021710 |The Red Hat Enterprise Linux operating system must not have the telnet-server package installed "
yum:
name: telnet-server
state: absent
tags:
- CAT-I
- RHEL-07-021710
- name: "CAT I | RHEL-07-030000 | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."
block:
- name: "ensure auditd is present"
yum:
name: audit
state: present
- name: "ensure auditd is enable and started"
service:
name: auditd
state: started
enabled: yes
tags:
- CAT-I
- RHEL-07-030000
## 030010-030920 Audit stuff
##031000 and RHEL-07-031010 pull from logging.yml may need to be manual depending on loggin solution
- name: "CAT III| RHEL-07-040000 | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."
lineinfile:
state: present
dest: /etc/security/limits.conf
insertbefore: '^# End of file'
regexp: '^\*.*maxlogins'
line: '* hard maxlogins 10'
tags:
- CAT-III
- RHEL-07-040000
- name: "CAT II | RHEL-07-040110 | The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "(?i)^#?Ciphers"
line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
validate: /usr/sbin/sshd -t -f %s
notify: restart sshd
tags:
- CAT-II
- RHEL-07-040110
### RHEL-07-040160