From aa3a58a31ccea2716e6f0b7a65932b5db410adad Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 13:43:03 +0000 Subject: [PATCH] Release to main final v3r11 (#456) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Specify missing state parameter for package Signed-off-by: Anže Luzar * Correct with_items indentation for package Signed-off-by: Anže Luzar * Replace inline strings with module parameters Signed-off-by: Anže Luzar * updated link Signed-off-by: Mark Bolwell * lint updates Signed-off-by: Mark Bolwell * removed old Signed-off-by: Mark Bolwell * added new defined secrets file Signed-off-by: Mark Bolwell * added precommit Signed-off-by: Mark Bolwell * lint updates Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * added pragma allow list Signed-off-by: Mark Bolwell * updated due to galaxy changes Signed-off-by: Mark Bolwell * moved file Signed-off-by: Mark Bolwell * updated path Signed-off-by: Mark Bolwell * removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell * Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell * removed file Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * lint update Signed-off-by: Mark Bolwell * fix typo Signed-off-by: Mark Bolwell * rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell * tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell * changed logic on 20620 Signed-off-by: Mark Bolwell * updated logic for uuid Signed-off-by: Mark Bolwell * removed extra line Signed-off-by: Mark Bolwell * removed doc dir 
Signed-off-by: Mark Bolwell * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) * Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell * conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell * [pre-commit.ci] pre-commit autoupdate (#451) updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * [pre-commit.ci] pre-commit autoupdate (#454) updates: - [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * Feb 24 updates (#455) * issue #452 addressed * issue #453 addressed * updated for galaxy_ng reqs --------- Signed-off-by: Mark Bolwell --------- Signed-off-by: Anže Luzar Signed-off-by: Mark Bolwell Signed-off-by: layluke 
Signed-off-by: uk-bolly Co-authored-by: Anže Luzar Co-authored-by: layluke Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 6 +-- README.md | 4 ++ meta/main.yml | 4 +- templates/audit/99_auditd.rules.j2 | 80 +++++++++++++++--------------- 4 files changed, 49 insertions(+), 45 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 43020660..82858b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint diff --git a/README.md b/README.md index 70be8088..f8a2adec 100644 --- a/README.md +++ b/README.md @@ -220,3 +220,7 @@ pre-commit run ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +Massive thanks to the fantastic community and all its members. +This includes a huge thanks and credit to the original authors and maintainers. +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/meta/main.yml b/meta/main.yml index a028684f..6a51cb12 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" + author: "MindPoint Group" description: "Apply the DISA RHEL 7 STIG" company: "MindPoint Group" license: MIT 
@@ -10,7 +10,7 @@ galaxy_info: platforms: - name: EL versions: - - 7 + - '7' galaxy_tags: - system - security diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 445e5ef7..8452a493 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
@@ -8,41 +8,41 @@
 {% endif %}
 
 {% if rhel_07_030370 %}
--a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030410 %}
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030440 %}
--a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030510 %}
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
 {% endif %}
 
 {% if rhel_07_030560 %}
--a always,exit -F path=/usr/sbin/semanage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030570 %}
--a always,exit -F path=/usr/sbin/setsebool -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030580 %}
--a always,exit -F path=/usr/bin/chcon -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030590 %}
--a always,exit -F path=/usr/sbin/setfiles -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030610 %}
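Review bot: Every `-F auid>=` floor in this hunk now comes from `rhel7stig_interactive_uid_start` instead of the registered command result `rhel7stig_min_uid.stdout`, which presumably read `UID_MIN` from the host's `/etc/login.defs`; if the new variable is a static role default it can silently drift from the real `UID_MIN` (legacy or upgraded hosts with 500, or a site that raised the floor), and a floor set too high drops interactive users from all of these rules while one set too low floods the log with service accounts. I would add a Jinja comment at the top of this template (outside this hunk), `{# auid floor: rhel7stig_interactive_uid_start must match UID_MIN in /etc/login.defs #}`, and, if the role does not already do so, an assert task that compares the variable with the host's `UID_MIN` before these rules are rendered. The `-F perm=x` added to the path-based rules for semanage, setsebool, chcon and setfiles is fine and matches the execute-watch form the STIG uses for those binaries.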
@@ -54,31 +54,31 @@
 {% endif %}
 
 {% if rhel_07_030630 %}
--a always,exit -F path=/usr/bin/passwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030640 %}
--a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030650 %}
--a always,exit -F path=/usr/bin/gpasswd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030660 %}
--a always,exit -F path=/usr/bin/chage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030670 %}
--a always,exit -F path=/usr/sbin/userhelper -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030680 %}
--a always,exit -F path=/usr/bin/su -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030690 %}
--a always,exit -F path=/usr/bin/sudo -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030700 %}
@@ -87,56 +87,56 @@
 {% endif %}
 
 {% if rhel_07_030710 %}
--a always,exit -F path=/usr/bin/newgrp -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030720 %}
--a always,exit -F path=/usr/bin/chsh -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030740 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
--a always,exit -F path=/usr/bin/mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b32 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
 {% endif %}
 
 {% if rhel_07_030750 %}
--a always,exit -F path=/usr/bin/umount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
 {% endif %}
 
 {% if rhel_07_030760 %}
--a always,exit -F path=/usr/sbin/postdrop -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix
 {% endif %}
 
 {% if rhel_07_030770 %}
--a always,exit -F path=/usr/sbin/postqueue -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix
 {% endif %}
 
 {% if rhel_07_030780 %}
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-ssh
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-ssh
 {% endif %}
 
 {% if rhel_07_030800 %}
--a always,exit -F path=/usr/bin/crontab -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-cron
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-cron
 {% endif %}
 
 {% if rhel_07_030810 %}
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-pam
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-pam
 {% endif %}
 
 {% if rhel_07_030819 %}
--a always,exit -F arch=b32 -S create_module -k module-change
--a always,exit -F arch=b64 -S create_module -k module-change
+-a always,exit -F arch=b32 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
+-a always,exit -F arch=b64 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
 {% endif %}
 
 {% if rhel_07_030820 %}
--a always,exit -F arch=b32 -S init_module,finit_module -k modulechange
--a always,exit -F arch=b64 -S init_module,finit_module -k modulechange
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange
 {% endif %}
 
 {% if rhel_07_030830 %}
--a always,exit -F arch=b32 -S delete_module -k module-change
--a always,exit -F arch=b64 -S delete_module -k module-change
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
+-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
 {% endif %}
 
 {% if rhel_07_030840 %}
@@ -164,6 +164,6 @@
 {% endif %}
 
 {% if rhel_07_030910 %}
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete
 {% endif %}
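Review bot: The two syscall rules in the `rhel_07_030740` block (`-S mount` for b32 and b64) now carry `-F perm=x`, but in the kernel's audit filter `perm=x` matches only the execve family of syscalls, so a rule that names `mount` and also requires `perm=x` can never fire and mount(2) calls by interactive users stop being audited; only the `-F path=/usr/bin/mount` line should have gained the filter, so the two syscall lines should read `-a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount` and the b64 twin, which is also the form I recall from the STIG check text for this item. Separately, the create_module, init_module/finit_module and delete_module rules in the 030819/030820/030830 blocks gain `-F auid>=...` without the `-F auid!=unset` that every other rule in this template carries; an unset auid (4294967295) still satisfies the `>=` test so no events are lost, but if the intent was to mirror the STIG check text it should probably be added for scanners that compare the whole rule. Note too that the new floor excludes direct root logins (auid 0) loading or removing kernel modules, which the previous unfiltered rules did record, so it is worth confirming that narrowing is intended.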