diff --git a/tasks/main.yml b/tasks/main.yml index 9706c26..d79833c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -156,12 +156,12 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Test for crypto_policy group - command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf +- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy Section + ansible.builtin.find: + paths: /etc/pki/tls + patterns: openssl.cnf + contains: ^\s*\[\s*crypto_policy\s*] register: test_crypto_policy_group - failed_when: test_crypto_policy_group.rc not in [0, 1] - changed_when: false - check_mode: false tags: - CCE-83452-3 - NIST-800-53-AC-17(2) @@ -187,8 +187,39 @@ - no_reboot_needed | bool - unknown_strategy | bool -- name: Add .include for opensslcnf.config to crypto_policy section - lineinfile: +- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy Section Together With .include Directive + ansible.builtin.find: + paths: /etc/pki/tls + patterns: openssl.cnf + contains: ^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$ + register: test_crypto_policy_include_directive + tags: + - CCE-83452-3 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - PCI-DSS-Req-2.2 + - PCI-DSSv4-2.2 + - configure_openssl_crypto_policy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - configure_openssl_crypto_policy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: '{{ rule_title }} - Add .include Line for opensslcnf.config File in crypto_policy Section' + ansible.builtin.lineinfile: create: true insertafter: ^\s*\[\s*crypto_policy\s*]\s* line: .include = /etc/crypto-policies/back-ends/opensslcnf.config 
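Review bot: The last added `- name:` line in the @@ -187 hunk still carries the unrendered `{{ rule_title }}` placeholder, while every sibling task in this hunk and the renamed tasks at @@ -156 and @@ -220 spell the rule title out literally; if `rule_title` is not defined in this role the task is reported under the raw template text. Use the literal title for consistency: `- name: Configure OpenSSL library to use System Crypto Policy - Add .include Line for opensslcnf.config File in crypto_policy Section`. The `contains:` regex for the include directive ends in `$`, so an existing `.include` line with trailing whitespace appears not to be counted and the lineinfile task would then append a second directive; `\s*$` would cover that. The lineinfile task that begins at the end of this hunk continues into the next one.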
@@ -200,8 +231,8 @@ - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - test_crypto_policy_group.stdout is defined - - test_crypto_policy_group.stdout | length > 0 + - test_crypto_policy_group.matched > 0 + - test_crypto_policy_include_directive.matched == 0 tags: - CCE-83452-3 - NIST-800-53-AC-17(2) @@ -220,8 +251,9 @@ - no_reboot_needed - unknown_strategy -- name: Add crypto_policy group and set include opensslcnf.config - lineinfile: +- name: Configure OpenSSL library to use System Crypto Policy - Add crypto_policy Section With .include for opensslcnf.config + File + ansible.builtin.lineinfile: create: true line: '[crypto_policy] @@ -234,8 +266,7 @@ - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - test_crypto_policy_group.stdout is defined - - test_crypto_policy_group.stdout | length < 1 + - test_crypto_policy_group.matched == 0 tags: - CCE-83452-3 - NIST-800-53-AC-17(2) @@ -3026,7 +3057,7 @@ - service_debug-shell_disabled - name: Unit Socket Exists - debug-shell.socket - command: systemctl list-unit-files debug-shell.socket + command: systemctl -q list-unit-files debug-shell.socket register: socket_file_exists changed_when: false failed_when: socket_file_exists.rc not in [0, 1] @@ -3064,7 +3095,7 @@ - no_reboot_needed | bool - service_debug_shell_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' + - socket_file_exists.stdout_lines is search("debug-shell.socket",multiline=True) tags: - CCE-90724-6 - NIST-800-171-3.4.5 
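Review bot: The new condition in the @@ -3064 hunk applies the `search` test to `socket_file_exists.stdout_lines`, a list, so the regex runs against the list's string representation rather than the command output; it works, but `multiline=True` has no effect on a single-line repr and the intent is clearer against `stdout`, e.g. `- socket_file_exists.stdout is search("debug-shell[.]socket")` (the bracket also stops the unescaped `.` from matching any character). The same construct appears at @@ -8782 without `multiline` and at @@ -9048 with it; the three should be written the same way. The task whose `when:` list this hunk edits starts outside the hunk.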
@@ -3076,6 +3107,84 @@ - no_reboot_needed - service_debug-shell_disabled +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90308-8 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_burstaction + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + when: + - disable_ctrlaltdel_burstaction | bool + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + +- name: Disable Ctrl-Alt-Del Burst Action + lineinfile: + dest: /etc/systemd/system.conf + state: present + regexp: ^CtrlAltDelBurstAction + line: CtrlAltDelBurstAction=none + create: true + when: + - disable_ctrlaltdel_burstaction | bool + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"systemd" in ansible_facts.packages' + tags: + - CCE-90308-8 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_burstaction + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + +- name: Disable Ctrl-Alt-Del Reboot Activation + systemd: + name: ctrl-alt-del.target + force: true + masked: true + state: stopped + when: + - disable_ctrlaltdel_reboot | bool + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86667-3 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_reboot + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - name: Require single user mode 
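Review bot: `NIST-800-53-CM-6(a)` is listed twice in the `tags:` of both the new `Gather the package facts` task and the `Disable Ctrl-Alt-Del Burst Action` task; Ansible tolerates the duplicate, but it reads as a generator artifact and one copy should be dropped. The burst-action `lineinfile` uses `regexp: ^CtrlAltDelBurstAction`, which only rewrites an already-active setting; a commented `#CtrlAltDelBurstAction=` default is left untouched and the `CtrlAltDelBurstAction=none` line is appended, which is correct but worth stating with a comment such as `# a commented-out default stays in place; the active setting is appended`. The hunk ends on the first line of the pre-existing `Require single user mode password` task, which continues past it.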
password lineinfile: create: true @@ -3159,6 +3268,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"tmux" in ansible_facts.packages' tags: - CCE-90586-9 @@ -3182,6 +3292,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"tmux" in ansible_facts.packages' tags: - CCE-90586-9 @@ -3205,6 +3316,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"tmux" in ansible_facts.packages' - tmux_in_bashrc is defined and tmux_in_bashrc.matched == 0 - tmux_in_profile_d is defined and tmux_in_profile_d.matched == 0 @@ -7350,6 +7462,32 @@ - no_reboot_needed - package_firewalld_installed +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90833-5 + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_firewalld_enabled + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_firewalld_enabled | bool + - name: Enable service firewalld block: - name: Gather the package facts @@ -7371,6 +7509,7 @@ - no_reboot_needed | bool - service_firewalld_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"firewalld" in ansible_facts.packages' tags: - CCE-90833-5 - NIST-800-171-3.1.3 
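Review bot: The standalone `Gather the package facts` task added at @@ -7350 is what makes the block-level `when:` extended at @@ -7371 with `'"firewalld" in ansible_facts.packages'` work, since that condition is evaluated before anything inside the block runs; but the block still opens with its own `Gather the package facts` task (visible as context right after the hunk), so package facts are now collected twice whenever the gate passes. If the inner task has no other consumer it can be removed; otherwise a comment such as `# the outer gather feeds the block-level when; the inner one is kept for the tasks inside the block` would explain the duplication. The block that the `when:` at @@ -7371 belongs to starts outside that hunk.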
@@ -7621,7 +7760,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83882-1 - NIST-800-53-AC-6 @@ -7650,7 +7790,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -7687,7 +7828,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -7715,7 +7857,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83882-1 
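Review bot: The replacement condition `( ansible_virtualization_type not in [...] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list )` makes every nodev, noexec and nosuid task skip silently when `/var/log/audit` is not a separate mount point, so a host where the directory lives on the root filesystem shows the rule as skipped rather than as not applied; if that is intended, a comment on the first occurrence such as `# applies only when /var/log/audit is its own mount point; skipped otherwise` would make the outcome explicit for anyone reading a run log. The same two-line expression is pasted into fifteen `when:` lists here and in the hunks from @@ -7650 through @@ -8054; computing it once with a `set_fact` (for instance a boolean `var_log_audit_is_mount`) and referencing that would keep the lists readable and stop the copies from diverging. The Jinja precedence is right as written, since filters bind tighter than `in`. Each of these `when:` lists belongs to a task that starts outside its hunk.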
@@ -7746,7 +7889,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83882-1 @@ -7775,7 +7919,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83878-9 - NIST-800-53-AC-6 @@ -7804,7 +7949,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -7841,7 +7987,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: 
@@ -7869,7 +8016,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83878-9 @@ -7900,7 +8048,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83878-9 @@ -7929,7 +8078,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83893-8 - NIST-800-53-AC-6 @@ -7958,7 +8108,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -7995,7 +8146,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -8023,7 +8175,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83893-8 @@ -8054,7 +8207,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83893-8 
@@ -8713,43 +8867,11 @@ - reboot_required - sysctl_user_max_user_namespaces -- name: Block Disable service systemd-coredump - block: - - name: Disable service systemd-coredump - block: - - name: Disable service systemd-coredump - systemd: - name: systemd-coredump.service - enabled: 'no' - state: stopped - masked: 'yes' - rescue: - - name: Intentionally ignored previous 'Disable service systemd-coredump' failure, service was already disabled - meta: noop - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_systemd_coredump_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83974-6 - - NIST-800-53-SC-7(10) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_systemd-coredump_disabled - -- name: Unit Socket Exists - systemd-coredump.socket - command: systemctl list-unit-files systemd-coredump.socket - register: socket_file_exists +- name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket Units Present in the System + ansible.builtin.command: + cmd: systemctl -q list-unit-files --type socket + register: result_systemd_unit_files changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false when: - disable_strategy | bool - low_complexity | bool @@ -8768,12 +8890,12 @@ - no_reboot_needed - service_systemd-coredump_disabled -- name: Disable socket systemd-coredump - systemd: +- name: Disable acquiring, saving, and processing core dumps - Ensure systemd-coredump.socket is Masked + ansible.builtin.systemd: name: systemd-coredump.socket - enabled: 'no' state: stopped - masked: 'yes' + enabled: false + masked: true when: - disable_strategy | bool - low_complexity | bool 
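Review bot: The new `Collect systemd Socket Units Present in the System` command task drops the `check_mode: false` that the replaced `Unit Socket Exists` task carried, so in a `--check` run the `command` module is skipped and `result_systemd_unit_files` has no `stdout_lines`; the `when:` at @@ -8782 that reads `result_systemd_unit_files.stdout_lines` would then fail on an undefined attribute instead of skipping. Restore it next to the existing `changed_when: false`: `check_mode: false`. The hunk also removes the whole `Block Disable service systemd-coredump` without saying why; a one-line comment above the new task recording the reason the service-level disable is no longer needed would spare the next reader from re-deriving it. The `when:` list at the end of this hunk continues past it.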
@@ -8782,7 +8904,7 @@ - no_reboot_needed | bool - service_systemd_coredump_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"systemd-coredump.socket" in socket_file_exists.stdout_lines[1]' + - result_systemd_unit_files.stdout_lines is search("systemd-coredump.socket") tags: - CCE-83974-6 - NIST-800-53-SC-7(10) @@ -9009,7 +9131,7 @@ - service_kdump_disabled - name: Unit Socket Exists - kdump.socket - command: systemctl list-unit-files kdump.socket + command: systemctl -q list-unit-files kdump.socket register: socket_file_exists changed_when: false failed_when: socket_file_exists.rc not in [0, 1] @@ -9048,7 +9170,7 @@ - no_reboot_needed | bool - service_kdump_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"kdump.socket" in socket_file_exists.stdout_lines[1]' + - socket_file_exists.stdout_lines is search("kdump.socket",multiline=True) tags: - CCE-84232-8 - NIST-800-53-CM-6(a)