diff --git a/tasks/main.yml b/tasks/main.yml index c2f598e..49141e0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,22 +50,24 @@ - no_reboot_needed - restrict_strategy -- name: Read list of files with incorrect permissions - command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup - args: - warn: false - register: files_with_incorrect_permissions - failed_when: files_with_incorrect_permissions.rc > 1 - changed_when: false - check_mode: false +- name: 'Set fact: Package manager reinstall command (dnf)' + set_fact: + package_manager_reinstall_cmd: dnf reinstall -y + when: + - high_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - ansible_distribution == "Fedora" tags: - - CCE-27209-6 + - CCE-27157-7 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 + - DISA-STIG-RHEL-07-010020 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 
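Review bot: The reinstall command is selected by distribution name (`ansible_distribution == "Fedora"` here, `"RedHat" or "OracleLinux"` in the following yum hunk), so any RPM host whose distribution is not listed — CentOS reports `ansible_distribution == "CentOS"`, for example — never gets `package_manager_reinstall_cmd` defined, and every later hash-remediation task is silently skipped by its `package_manager_reinstall_cmd is defined` guard. Keying on the package-manager fact covers every host that actually has one of the two tools: `package_manager_reinstall_cmd: '{{ ansible_pkg_mgr }} reinstall -y'` with `when: ansible_pkg_mgr in ["dnf", "yum"]` in a single task. If the distribution list is deliberate, a comment naming the distributions that are intentionally left without a reinstall command would turn the silent no-op into a documented choice. The same point applies to the yum `set_fact` task in the next hunk.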
@@ -77,40 +79,26 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_permissions - when: - - high_complexity | bool - - no_reboot_needed | bool - - rpm_verify_permissions | bool - - restrict_strategy | bool - - high_severity | bool - - medium_disruption | bool + - rpm_verify_hashes -- name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: false - with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | - map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' - register: list_of_packages - changed_when: false - check_mode: false +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + package_manager_reinstall_cmd: yum reinstall -y when: - high_complexity | bool - no_reboot_needed | bool - - rpm_verify_permissions | bool - restrict_strategy | bool - high_severity | bool + - rpm_verify_hashes | bool - medium_disruption | bool - - (files_with_incorrect_permissions.stdout_lines | length > 0) + - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") tags: - - CCE-27209-6 + - CCE-27157-7 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 + - DISA-STIG-RHEL-07-010020 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 
@@ -122,29 +110,31 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_permissions + - rpm_verify_hashes -- name: Correct file permissions with RPM - command: rpm --setperms '{{ item }}' +- name: Read files with incorrect hash + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig args: warn: false - with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' + register: files_with_incorrect_hash + changed_when: false + failed_when: files_with_incorrect_hash.rc > 1 + check_mode: false when: - high_complexity | bool - no_reboot_needed | bool - - rpm_verify_permissions | bool - restrict_strategy | bool - high_severity | bool + - rpm_verify_hashes | bool - medium_disruption | bool - - (files_with_incorrect_permissions.stdout_lines | length > 0) + - (package_manager_reinstall_cmd is defined) tags: - - CCE-27209-6 + - CCE-27157-7 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 + - DISA-STIG-RHEL-07-010020 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 @@ -156,11 +146,17 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_permissions + - rpm_verify_hashes -- name: 'Set fact: Package manager reinstall command (dnf)' - set_fact: - package_manager_reinstall_cmd: dnf reinstall -y +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') + | select(''match'', ''(\/.*)'') | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false when: - high_complexity | bool - no_reboot_needed | bool 
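Review bot: The long option list on `rpm -Va` in `Read files with incorrect hash` carries no explanation, and it only makes sense together with the regex in the following `Create list of packages` task, which keys on the `5` (digest) column of the verify output. A comment above the `command:` line such as `# Disable every verify test except the file digest so only the '5' (hash mismatch) flag can appear; 'Create list of packages' matches on that column` would tie the two tasks together. rpm also prints `missing` entries for files that are absent, and those lines do not start with `.`, so the `^[.]+[5]+` regex does not pick them up — if excluding missing files from the reinstall is intended, the comment should say so.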
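Review bot: `Create list of packages` iterates with `with_items` while `Set gpgcheck=1 for each yum repo` later in this file uses `loop`, so the file mixes both loop styles. For this task the input is already a flat list of strings, so `loop: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}'` is a drop-in replacement. The consuming tasks (`Reinstall packages of files with incorrect hash`, `Correct file permissions with RPM`) rely on `with_items` flattening the list-of-lists produced by `map(attribute='stdout_lines')`, so converting those needs an explicit `| flatten` ahead of `unique`. This task's `when` list continues past the end of the hunk.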
@@ -168,7 +164,8 @@ - high_severity | bool - rpm_verify_hashes | bool - medium_disruption | bool - - ansible_distribution == "Fedora" + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) tags: - CCE-27157-7 - CJIS-5.10.4.1 @@ -189,9 +186,11 @@ - restrict_strategy - rpm_verify_hashes -- name: 'Set fact: Package manager reinstall command (yum)' - set_fact: - package_manager_reinstall_cmd: yum reinstall -y +- name: Reinstall packages of files with incorrect hash + command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' when: - high_complexity | bool - no_reboot_needed | bool @@ -199,7 +198,8 @@ - high_severity | bool - rpm_verify_hashes | bool - medium_disruption | bool - - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") + - files_with_incorrect_hash.stdout_lines is defined + - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) tags: - CCE-27157-7 - CJIS-5.10.4.1 
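Review bot: `Reinstall packages of files with incorrect hash` pulls replacement packages from whatever repositories are configured, but the `Set gpgcheck=1 for each yum repo` task that enforces signature checking sits much later in this file (the hunk at `@@ -1201,9 +1132,78 @@`), so on a first run the reinstall can execute before every repo section has `gpgcheck=1`. If task order in this generated file is meaningful, the gpgcheck enforcement belongs ahead of the reinstall; if ordering is dictated by the generator, a comment on the `command:` line such as `# assumes repositories already enforce gpgcheck — signature enforcement is applied later in this play` records the dependency for the reader. This task's `when` list continues into the next hunk.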
@@ -220,29 +220,22 @@ - restrict_strategy - rpm_verify_hashes -- name: Read files with incorrect hash - command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig +- name: Read list of files with incorrect permissions + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup args: warn: false - register: files_with_incorrect_hash + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 changed_when: false - failed_when: files_with_incorrect_hash.rc > 1 check_mode: false - when: - - high_complexity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool - - (package_manager_reinstall_cmd is defined) tags: - - CCE-27157-7 + - CCE-27209-6 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 + - DISA-STIG-RHEL-07-010010 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 
@@ -254,33 +247,40 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_hashes + - rpm_verify_permissions + when: + - high_complexity | bool + - no_reboot_needed | bool + - rpm_verify_permissions | bool + - restrict_strategy | bool + - high_severity | bool + - medium_disruption | bool - name: Create list of packages command: rpm -qf "{{ item }}" args: warn: false - with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') - | select(''match'', ''(\/.*)'') | list | unique }}' + with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | + map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' register: list_of_packages changed_when: false check_mode: false when: - high_complexity | bool - no_reboot_needed | bool + - rpm_verify_permissions | bool - restrict_strategy | bool - high_severity | bool - - rpm_verify_hashes | bool - medium_disruption | bool - - files_with_incorrect_hash.stdout_lines is defined - - (files_with_incorrect_hash.stdout_lines | length > 0) + - (files_with_incorrect_permissions.stdout_lines | length > 0) tags: - - CCE-27157-7 + - CCE-27209-6 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 + - DISA-STIG-RHEL-07-010010 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 
@@ -292,29 +292,29 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_hashes + - rpm_verify_permissions -- name: Reinstall packages of files with incorrect hash - command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' +- name: Correct file permissions with RPM + command: rpm --setperms '{{ item }}' args: warn: false with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' when: - high_complexity | bool - no_reboot_needed | bool + - rpm_verify_permissions | bool - restrict_strategy | bool - high_severity | bool - - rpm_verify_hashes | bool - medium_disruption | bool - - files_with_incorrect_hash.stdout_lines is defined - - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) + - (files_with_incorrect_permissions.stdout_lines | length > 0) tags: - - CCE-27157-7 + - CCE-27209-6 - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 + - DISA-STIG-RHEL-07-010010 - NIST-800-171-3.3.8 - NIST-800-171-3.4.1 - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(c) - NIST-800-53-CM-6(d) - NIST-800-53-SI-7 @@ -326,7 +326,7 @@ - medium_disruption - no_reboot_needed - restrict_strategy - - rpm_verify_hashes + - rpm_verify_permissions - name: Ensure aide is installed package: @@ -512,18 +512,18 @@ - no_reboot_needed - restrict_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-80111-8 + - CCE-80110-0 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 + - DISA-STIG-RHEL-07-010070 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity 
@@ -531,68 +531,68 @@ - unknown_strategy when: - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool -- name: Enable GNOME3 Screensaver Idle Activation +- name: Set GNOME3 Screensaver Inactivity Timeout ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver - option: idle_activation_enabled - value: 'true' + option: idle-delay + value: '{{ inactivity_timeout_value }}' create: true no_extra_spaces: true when: - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80111-8 + - CCE-80110-0 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 + - DISA-STIG-RHEL-07-010070 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification of GNOME idle_activation_enabled +- name: Prevent user modification of GNOME idle-delay lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled - line: /org/gnome/desktop/screensaver/idle-activation-enabled + regexp: ^/org/gnome/desktop/screensaver/idle-delay + line: /org/gnome/desktop/screensaver/idle-delay create: true when: - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool 
- medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80111-8 + - CCE-80110-0 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 + - DISA-STIG-RHEL-07-010070 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity @@ -603,40 +603,40 @@ command: dconf update when: - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80111-8 + - CCE-80110-0 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 + - DISA-STIG-RHEL-07-010070 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-80110-0 + - CCE-80111-8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 + - DISA-STIG-RHEL-07-010100 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption - medium_severity 
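Review bot: `Set GNOME3 Screensaver Inactivity Timeout` writes `idle-delay=<inactivity_timeout_value>` into the dconf keyfile, and the `org.gnome.desktop.screensaver` `idle-delay` key is an unsigned 32-bit integer; dconf keyfiles take GVariant text form, where a bare number is read as a signed int32 and a typed value needs the `uint32 ` prefix. Unless `inactivity_timeout_value` already carries that prefix (it is defined outside this hunk, so I cannot tell), the line should read `value: 'uint32 {{ inactivity_timeout_value }}'`. Either way a comment such as `# idle-delay is typed uint32 in the GSettings schema; the value must carry the GVariant type prefix` would keep a future edit from dropping it.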
@@ -644,68 +644,68 @@ - unknown_strategy when: - no_reboot_needed | bool + - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool -- name: Set GNOME3 Screensaver Inactivity Timeout +- name: Enable GNOME3 Screensaver Idle Activation ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver - option: idle-delay - value: '{{ inactivity_timeout_value }}' + option: idle_activation_enabled + value: 'true' create: true no_extra_spaces: true when: - no_reboot_needed | bool + - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80110-0 + - CCE-80111-8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 + - DISA-STIG-RHEL-07-010100 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification of GNOME idle-delay +- name: Prevent user modification of GNOME idle_activation_enabled lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-delay - line: /org/gnome/desktop/screensaver/idle-delay + regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled + line: /org/gnome/desktop/screensaver/idle-activation-enabled create: true when: - no_reboot_needed | bool + - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool 
- medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80110-0 + - CCE-80111-8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 + - DISA-STIG-RHEL-07-010100 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption - medium_severity @@ -716,39 +716,39 @@ command: dconf update when: - no_reboot_needed | bool + - dconf_gnome_screensaver_idle_activation_enabled | bool - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - unknown_strategy | bool - medium_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80110-0 + - CCE-80111-8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 + - DISA-STIG-RHEL-07-010100 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-80113-4 + - CCE-80112-6 - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity 
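Review bot: In `Enable GNOME3 Screensaver Idle Activation` the ini_file writes `option: idle_activation_enabled` (underscore) while the lock task two entries later pins `/org/gnome/desktop/screensaver/idle-activation-enabled` (hyphen); GSettings key names allow only lowercase letters, digits and dashes, so the underscore spelling cannot be the schema key, meaning the value is stored under a name nothing reads while the lock covers a key the play never sets. The two lines should agree: `option: idle-activation-enabled`. This is moved rather than new logic, but the new side is what ships; if there is a reason for the underscore I am not seeing, flag it with `# NOTE(review): key name must match the lock path below — confirm`.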
@@ -758,64 +758,64 @@ - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool -- name: Implement Blank Screensaver +- name: Enable GNOME3 Screensaver Lock After Idle Period ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver - option: picture-uri - value: string '' + option: lock-enabled + value: 'true' create: true no_extra_spaces: true when: - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80113-4 + - CCE-80112-6 - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification of GNOME picture-uri +- name: Prevent user modification of GNOME lock-enabled lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/picture-uri - line: /org/gnome/desktop/screensaver/picture-uri + regexp: ^/org/gnome/desktop/screensaver/lock-enabled + line: /org/gnome/desktop/screensaver/lock-enabled create: true when: - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in 
ansible_facts.packages' tags: - - CCE-80113-4 + - CCE-80112-6 - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity @@ -828,36 +828,36 @@ - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80113-4 + - CCE-80112-6 - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-80112-6 + - CCE-80113-4 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption - medium_severity 
@@ -867,64 +867,64 @@ - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool + - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool -- name: Enable GNOME3 Screensaver Lock After Idle Period +- name: Implement Blank Screensaver ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver - option: lock-enabled - value: 'true' + option: picture-uri + value: string '' create: true no_extra_spaces: true when: - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool + - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80112-6 + - CCE-80113-4 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification of GNOME lock-enabled +- name: Prevent user modification of GNOME picture-uri lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/lock-enabled - line: /org/gnome/desktop/screensaver/lock-enabled + regexp: ^/org/gnome/desktop/screensaver/picture-uri + line: /org/gnome/desktop/screensaver/picture-uri create: true when: - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool + - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in 
ansible_facts.packages' tags: - - CCE-80112-6 + - CCE-80113-4 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption - medium_severity 
@@ -937,94 +937,25 @@ - no_reboot_needed | bool - medium_severity | bool - unknown_strategy | bool + - dconf_gnome_screensaver_mode_blank | bool - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"gdm" in ansible_facts.packages' tags: - - CCE-80112-6 + - CCE-80113-4 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Grep for yum repo section names - shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/ - register: repo_grep_results - ignore_errors: true - changed_when: false - tags: - - CCE-26876-3 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - enable_strategy - - ensure_gpgcheck_never_disabled - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - when: - - ensure_gpgcheck_never_disabled | bool - - no_reboot_needed | bool - - high_severity | bool - - enable_strategy | bool - - medium_disruption | bool - - low_complexity | bool - -- name: Set gpgcheck=1 for each yum repo - ini_file: - path: '{{ item[0] }}' - section: '{{ item[1] }}' - option: gpgcheck - value: '1' - no_extra_spaces: true - loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' - tags: - - CCE-26876-3 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - 
NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - enable_strategy - - ensure_gpgcheck_never_disabled - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - when: - - ensure_gpgcheck_never_disabled | bool - - no_reboot_needed | bool - - high_severity | bool - - enable_strategy | bool - - medium_disruption | bool - - low_complexity | bool - - name: Security patches are up to date package: name: '*' 
@@ -1201,9 +1132,78 @@ - no_reboot_needed - restrict_strategy -- package_facts: +- name: Grep for yum repo section names + shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/ + register: repo_grep_results + ignore_errors: true + changed_when: false + tags: + - CCE-26876-3 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + when: + - ensure_gpgcheck_never_disabled | bool + - no_reboot_needed | bool + - high_severity | bool + - enable_strategy | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Set gpgcheck=1 for each yum repo + ini_file: + path: '{{ item[0] }}' + section: '{{ item[1] }}' + option: gpgcheck + value: '1' + no_extra_spaces: true + loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' + tags: + - CCE-26876-3 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + when: + - ensure_gpgcheck_never_disabled | bool + - no_reboot_needed | bool + - high_severity | bool + - enable_strategy | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-26989-4 - CJIS-5.10.4.1 
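Review bot: `Grep for yum repo section names` uses `ignore_errors: true`, which also masks genuine failures (an unreadable `/etc/yum.repos.d/`, a missing `grep`); after such a failure `repo_grep_results.stdout` is empty and `Set gpgcheck=1 for each yum repo` silently writes nothing, so a remediation meant to enforce signature checking can no-op unnoticed. grep exits 1 for no matches and 2 for errors, so the `failed_when: ... rc > 1` pattern this file already uses for the rpm tasks fits here: replace `ignore_errors: true` with `failed_when: repo_grep_results.rc > 1`. The trailing `-r` after `-HEr` is redundant and can be dropped. Both tasks are otherwise moved unchanged from their earlier position.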
@@ -1347,19 +1347,18 @@ - no_reboot_needed - unknown_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-27051-2 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-07-010250 - - NIST-800-171-3.5.6 + - CCE-27345-8 + - DISA-STIG-RHEL-07-010130 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - accounts_maximum_age_login_defs + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit - low_complexity - low_disruption - medium_severity 
@@ -1368,156 +1367,207 @@ when: - no_reboot_needed | bool - restrict_strategy | bool + - accounts_password_pam_lcredit | bool - medium_severity | bool - - accounts_maximum_age_login_defs | bool - low_disruption | bool - low_complexity | bool -- name: Set Password Maximum Age +- name: Ensure PAM variable lcredit is set accordingly lineinfile: create: true - dest: /etc/login.defs - regexp: ^#?PASS_MAX_DAYS - line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + dest: /etc/security/pwquality.conf + regexp: ^#?\s*lcredit + line: lcredit = {{ var_password_pam_lcredit }} when: - no_reboot_needed | bool - restrict_strategy | bool + - accounts_password_pam_lcredit | bool - medium_severity | bool - - accounts_maximum_age_login_defs | bool - low_disruption | bool - low_complexity | bool - - '"shadow-utils" in ansible_facts.packages' + - '"pam" in ansible_facts.packages' tags: - - CCE-27051-2 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-07-010250 - - NIST-800-171-3.5.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - accounts_maximum_age_login_defs + - CCE-27345-8 + - DISA-STIG-RHEL-07-010130 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Prevent Log In to Accounts With Empty Password - system-auth - replace: - dest: /etc/pam.d/system-auth - regexp: nullok +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27286-4 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-27214-6 + - DISA-STIG-RHEL-07-010140 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - accounts_password_pam_dcredit - low_complexity - - medium_disruption - - 
no_empty_passwords + - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy when: - - no_empty_passwords | bool + - accounts_password_pam_dcredit | bool - no_reboot_needed | bool - - high_severity | bool - - configure_strategy | bool - - medium_disruption | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool - low_complexity | bool -- name: Prevent Log In to Accounts With Empty Password - password-auth - replace: - dest: /etc/pam.d/password-auth - regexp: nullok +- name: Ensure PAM variable dcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} + when: + - accounts_password_pam_dcredit | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27286-4 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-27214-6 + - DISA-STIG-RHEL-07-010140 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - accounts_password_pam_dcredit - low_complexity - - medium_disruption - - no_empty_passwords + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-27293-0 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy when: - - no_empty_passwords | bool + - accounts_password_pam_minlen | bool - no_reboot_needed | bool - - high_severity | bool - - configure_strategy | bool - - 
medium_disruption | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool - low_complexity | bool -- package_facts: - manager: auto - name: Gather the package facts +- name: Ensure PAM variable minlen is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} + when: + - accounts_password_pam_minlen | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27355-7 + - CCE-27293-0 - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010310 - - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) + - DISA-STIG-RHEL-07-010280 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - account_disable_post_pw_expiration + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-27200-5 + - DISA-STIG-RHEL-07-010120 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - account_disable_post_pw_expiration | bool - no_reboot_needed | bool - restrict_strategy | bool + - accounts_password_pam_ucredit | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool -- name: Set Account Expiration Following Inactivity +- name: Ensure PAM variable ucredit is set accordingly lineinfile: create: true - dest: /etc/default/useradd - regexp: ^INACTIVE - line: INACTIVE={{ var_account_disable_post_pw_expiration }} + dest: /etc/security/pwquality.conf + regexp: 
^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} when: - - account_disable_post_pw_expiration | bool - no_reboot_needed | bool - restrict_strategy | bool + - accounts_password_pam_ucredit | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - - '"shadow-utils" in ansible_facts.packages' + - '"pam" in ansible_facts.packages' tags: - - CCE-27355-7 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010310 - - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) + - CCE-27200-5 + - DISA-STIG-RHEL-07-010120 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - account_disable_post_pw_expiration + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-82050-6 - CJIS-5.6.2.2 @@ -1572,9 +1622,9 @@ - restrict_strategy - set_password_hashing_algorithm_logindefs -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-82038-1 - CJIS-5.6.2.2 @@ -1630,9 +1680,9 @@ - restrict_strategy - set_password_hashing_algorithm_libuserconf -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-26884-7 - CJIS-5.5.3 
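Review bot: The four new pwquality tasks (`lcredit`, `dcredit`, `minlen`, `ucredit`) guard on `'"pam" in ansible_facts.packages'` but write `/etc/security/pwquality.conf` with `create: true`; as far as I recall that file is shipped by libpwquality on RHEL-family systems, not by pam, so on a host without pam_pwquality the task creates an orphan file and the play reports the rule remediated while no password-quality check is enforced. Guarding on `'"libpwquality" in ansible_facts.packages'` instead would make a missing enforcement point visible rather than silently passing. The same guard appears in each of the four lineinfile tasks in this hunk, so the change applies to all of them. The trailing `package_facts` task (CCE-82050-6) continues outside the hunk.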
@@ -1833,90 +1883,9 @@ - no_reboot_needed - restrict_strategy -- package_facts: - manager: auto - name: Gather the package facts - tags: - - CCE-82030-8 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - when: - - no_reboot_needed | bool - - configure_strategy | bool - - medium_severity | bool - - medium_disruption | bool - - accounts_password_pam_unix_remember | bool - - low_complexity | bool - -- name: Do not allow users to reuse recent passwords - system-auth (change) - replace: - dest: /etc/pam.d/system-auth - regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ - replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> - when: - - no_reboot_needed | bool - - configure_strategy | bool - - medium_severity | bool - - medium_disruption | bool - - accounts_password_pam_unix_remember | bool - - low_complexity | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-82030-8 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - -- name: Do not allow users to reuse recent passwords - system-auth (add) - replace: - dest: /etc/pam.d/system-auth - regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ - replace: \g<0> remember={{ var_password_pam_unix_remember }} - when: - - no_reboot_needed | bool - - configure_strategy | bool - - medium_severity | bool - - medium_disruption | bool - - accounts_password_pam_unix_remember | bool - - low_complexity | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-82030-8 - - CJIS-5.6.2.1.1 - - 
DISA-STIG-RHEL-07-010270 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-27350-8 - CJIS-5.5.3 
@@ -2118,182 +2087,212 @@ - no_reboot_needed - restrict_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-27293-0 + - CCE-82030-8 - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_minlen + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy when: - - accounts_password_pam_minlen | bool - no_reboot_needed | bool - - restrict_strategy | bool + - configure_strategy | bool - medium_severity | bool - - low_disruption | bool + - medium_disruption | bool + - accounts_password_pam_unix_remember | bool - low_complexity | bool -- name: Ensure PAM variable minlen is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*minlen - line: minlen = {{ var_password_pam_minlen }} +- name: Do not allow users to reuse recent passwords - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> when: - - accounts_password_pam_minlen | bool - no_reboot_needed | bool - - restrict_strategy | bool + - configure_strategy | bool - medium_severity | bool - - low_disruption | bool + - medium_disruption | bool + - accounts_password_pam_unix_remember | bool - low_complexity | bool - '"pam" in ansible_facts.packages' tags: - - CCE-27293-0 + - CCE-82030-8 - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - 
accounts_password_pam_minlen + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy - low_complexity - - low_disruption + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: Do not allow users to reuse recent passwords - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} + when: + - no_reboot_needed | bool + - configure_strategy | bool + - medium_severity | bool + - medium_disruption | bool + - accounts_password_pam_unix_remember | bool + - low_complexity | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-82030-8 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-27214-6 - - DISA-STIG-RHEL-07-010140 + - CCE-27355-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_dcredit + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_password_pam_dcredit | bool + - account_disable_post_pw_expiration | bool - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool -- name: Ensure PAM variable dcredit 
is set accordingly +- name: Set Account Expiration Following Inactivity lineinfile: create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*dcredit - line: dcredit = {{ var_password_pam_dcredit }} + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ var_account_disable_post_pw_expiration }} when: - - accounts_password_pam_dcredit | bool + - account_disable_post_pw_expiration | bool - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - - '"pam" in ansible_facts.packages' + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-27214-6 - - DISA-STIG-RHEL-07-010140 + - CCE-27355-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_dcredit + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- package_facts: - manager: auto - name: Gather the package facts +- name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + regexp: nullok tags: - - CCE-27345-8 - - DISA-STIG-RHEL-07-010130 + - CCE-27286-4 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - accounts_password_pam_lcredit + - configure_strategy + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy when: + - no_empty_passwords | bool - no_reboot_needed | bool - - restrict_strategy | bool - - accounts_password_pam_lcredit | bool - - medium_severity | bool - - low_disruption | bool + - high_severity 
| bool + - configure_strategy | bool + - medium_disruption | bool - low_complexity | bool -- name: Ensure PAM variable lcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*lcredit - line: lcredit = {{ var_password_pam_lcredit }} - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - accounts_password_pam_lcredit | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - - '"pam" in ansible_facts.packages' +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + regexp: nullok tags: - - CCE-27345-8 - - DISA-STIG-RHEL-07-010130 + - CCE-27286-4 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - accounts_password_pam_lcredit + - configure_strategy + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy + when: + - no_empty_passwords | bool + - no_reboot_needed | bool + - high_severity | bool + - configure_strategy | bool + - medium_disruption | bool + - low_complexity | bool -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - - CCE-27200-5 - - DISA-STIG-RHEL-07-010120 + - CCE-27051-2 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 + - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_ucredit + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity 
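Review bot: The two `pam_unix.so remember=` tasks in this hunk edit only `/etc/pam.d/system-auth`, while the nullok tasks right below them cover both `system-auth` and `password-auth`; a password change driven through the password-auth stack (an expired-password change at an sshd login, for instance, depending on how the host's PAM is wired) would then not be subject to the reuse limit. If the asymmetry is deliberate it should be recorded on the `(change)` task, e.g. `# remember= is enforced on system-auth only; password-auth handled by <RULE-ID-PLACEHOLDER>`, otherwise a matching `(change)`/`(add)` pair for `dest: /etc/pam.d/password-auth` is needed. Both regexps also match only `password sufficient pam_unix.so` lines, so a stack using a bracketed control value is skipped without any signal; a short comment stating that assumption would help the next maintainer.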
@@ -2302,34 +2301,35 @@ when: - no_reboot_needed | bool - restrict_strategy | bool - - accounts_password_pam_ucredit | bool - medium_severity | bool + - accounts_maximum_age_login_defs | bool - low_disruption | bool - low_complexity | bool -- name: Ensure PAM variable ucredit is set accordingly +- name: Set Password Maximum Age lineinfile: create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ucredit - line: ucredit = {{ var_password_pam_ucredit }} + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} when: - no_reboot_needed | bool - restrict_strategy | bool - - accounts_password_pam_ucredit | bool - medium_severity | bool + - accounts_maximum_age_login_defs | bool - low_disruption | bool - low_complexity | bool - - '"pam" in ansible_facts.packages' + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-27200-5 - - DISA-STIG-RHEL-07-010120 + - CCE-27051-2 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 + - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_ucredit + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity @@ -2379,9 +2379,9 @@ - no_reboot_needed - service_auditd_enabled -- package_facts: +- name: Gather the package facts + package_facts: manager: auto - name: Gather the package facts tags: - CCE-27212-0 - CJIS-5.4.1.1 
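Review bot: The "Set Password Maximum Age" task uses `regexp: ^#?PASS_MAX_DAYS`, which, unlike the pwquality tasks in this same file (`^#?\s*lcredit`, `^#?\s*minlen`, ...), tolerates no whitespace between `#` and the key, so a commented default written as `# PASS_MAX_DAYS 99999` is left untouched and the live setting is appended as a second line. The outcome is still correct when no uncommented line existed, but the stale commented value remains and the two patterns drift apart for no reason; `regexp: ^#?\s*PASS_MAX_DAYS` brings it in line with the others. The `package_facts` rename in the second hunk on this line is trivial and needs nothing.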
@@ -2528,56 +2528,31 @@ - reboot_required - restrict_strategy -- name: enable syslog plugin +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size lineinfile: - dest: /etc/audisp/plugins.d/syslog.conf - regexp: ^active - line: active = yes + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ + state: present create: true when: - - auditd_audispd_syslog_plugin_activated | bool - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27341-7 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-4(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.3 - - auditd_audispd_syslog_plugin_activated - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Configure auditd Max Log File Size - lineinfile: - dest: /etc/audit/auditd.conf - regexp: ^\s*max_log_file\s*=\s*.*$ - line: max_log_file = {{ var_auditd_max_log_file }} - state: present - create: true - when: - - no_reboot_needed | bool - - auditd_data_retention_max_log_file | bool - - restrict_strategy | bool + - restrict_strategy | bool - medium_severity | bool - low_disruption | bool + - auditd_data_retention_max_log_file_action | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27319-3 + - CCE-27231-0 - CJIS-5.4.1.1 - - NIST-800-53-AU-11 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file + - auditd_data_retention_max_log_file_action - low_complexity - low_disruption - medium_severity 
@@ -2648,328 +2623,529 @@ - no_reboot_needed - restrict_strategy -- name: Configure auditd space_left Action on Low Disk Space +- name: Configure auditd Number of Logs Retained lineinfile: dest: /etc/audit/auditd.conf - line: space_left_action = {{ var_auditd_space_left_action }} - regexp: ^\s*space_left_action\s*=\s*.*$ + line: num_logs = {{ var_auditd_num_logs }} + regexp: ^\s*num_logs\s*=\s*.*$ state: present create: true when: - - no_reboot_needed | bool + - auditd_data_retention_num_logs | bool - restrict_strategy | bool - - auditd_data_retention_space_left_action | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27375-5 + - CCE-27348-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030340 - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) + - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - auditd_data_retention_space_left_action + - auditd_data_retention_num_logs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure auditd Number of Logs Retained +- name: enable syslog plugin lineinfile: - dest: /etc/audit/auditd.conf - line: num_logs = {{ var_auditd_num_logs }} - regexp: ^\s*num_logs\s*=\s*.*$ - state: present + dest: /etc/audisp/plugins.d/syslog.conf + regexp: ^active + line: active = yes create: true when: - - auditd_data_retention_num_logs | bool - - restrict_strategy | bool - - medium_severity | bool + - auditd_audispd_syslog_plugin_activated | bool - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27348-2 + - CCE-27341-7 - CJIS-5.4.1.1 - NIST-800-171-3.3.1 - - NIST-800-53-AU-11 + - 
NIST-800-53-AU-4(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_num_logs + - PCI-DSS-Req-10.5.3 + - auditd_audispd_syslog_plugin_activated + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size +- name: Configure auditd Max Log File Size lineinfile: dest: /etc/audit/auditd.conf - line: max_log_file_action = {{ var_auditd_max_log_file_action }} - regexp: ^\s*max_log_file_action\s*=\s*.*$ + regexp: ^\s*max_log_file\s*=\s*.*$ + line: max_log_file = {{ var_auditd_max_log_file }} state: present create: true when: - no_reboot_needed | bool + - auditd_data_retention_max_log_file | bool - restrict_strategy | bool - medium_severity | bool - low_disruption | bool - - auditd_data_retention_max_log_file_action | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27231-0 + - CCE-27319-3 - CJIS-5.4.1.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) + - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file_action + - auditd_data_retention_max_log_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*/etc/sudoers.*$ - patterns: '*.rules' - register: find_audit_sysadmin_actions +- name: Configure auditd space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ + state: present + create: true when: - - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - restrict_strategy | bool + - auditd_data_retention_space_left_action | bool - 
medium_severity | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27375-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - DISA-STIG-RHEL-07-030340 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.7 + - auditd_data_retention_space_left_action - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule +- name: Set architecture for audit tasks set_fact: - all_sysadmin_actions_files: - - /etc/audit/rules.d/actions.rules + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - 
set_fact: - all_sysadmin_actions_files: - - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' +- name: Remediate audit rules for network configuration for x86 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' 
+ set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present 
+ when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d - lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers -p wa -k actions - create: true +- name: Remediate audit rules for network configuration for x86_64 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ 
audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - 
medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d - lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers.d/ -p wa -k actions - create: true +- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - audit_rules_sysadmin_actions | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27076-9 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers -p wa -k actions - create: true +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - audit_rules_sysadmin_actions | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27076-9 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules +- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers.d/ -p wa -k actions + path: '{{ all_files[0] }}' + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification create: true when: - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - medium_severity | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + 
patterns: audit.rules + register: find_existing_watch_audit_rules when: - audit_rules_networkconfig_modification | bool - restrict_strategy | bool 
@@ -2994,202 +3170,12 @@ - no_reboot_needed - restrict_strategy -- name: Remediate audit rules for network configuration for x86 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - 
loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < 
audit_syscalls_number_of_syscalls - when: - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Remediate audit rules for network configuration for x86_64 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: 
find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: 
tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Add watch rule for /etc/issue in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true when: - audit_rules_networkconfig_modification | bool - restrict_strategy | bool @@ -3197,7 +3183,7 @@ - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - audit_arch == "b64" + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-27076-9 @@ -3215,10 +3201,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: 
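Review bot: The added `Add watch rule for /etc/issue in /etc/audit/audit.rules` task addresses the file with `dest:` and an explicit `state: present`, while the companion rules.d task elsewhere in this file uses `path:` and the default state; `dest` is only an alias of `path` in lineinfile, so `path: /etc/audit/audit.rules` would make the two tasks read alike. The syscall-rule blocks removed in this hunk are the ones re-added earlier in the diff, so the watch-rule task is the only new code here. The task's `when:` list continues into the following hunk.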
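Review bot: In the new `contains:` pattern of the `/etc/issue.net` check, the `.` in `issue.net` is unescaped, so the regex also matches any single character in that position; the same pattern is introduced again in the `@@ -3366` hunk for audit.rules. Because this find result gates whether the watch rule is inserted, a looser match can cause the rule to be skipped on a false positive. Escaping it, `contains: ^\s*-w\s+/etc/issue\.net\s+-p\s+wa(\s|$)+`, keeps the check exact. The task's `when:` and `tags:` lists lie outside the hunk.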
@@ -3336,10 +3322,10 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ +- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification create: true when: - audit_rules_networkconfig_modification | bool @@ -3366,10 +3352,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: @@ -3396,9 +3382,9 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/audit.rules +- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules lineinfile: - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true @@ -3427,10 +3413,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: 
@@ -3548,10 +3534,10 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ +- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification create: true when: - audit_rules_networkconfig_modification | bool @@ -3578,10 +3564,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: @@ -3608,9 +3594,9 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules +- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules lineinfile: - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true @@ -3639,10 +3625,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: 
@@ -3760,10 +3746,10 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification create: true when: - audit_rules_networkconfig_modification | bool @@ -3790,10 +3776,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: @@ -3820,9 +3806,9 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules lineinfile: - line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true 
@@ -3851,212 +3837,226 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ +- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + recurse: false + contains: ^.*/etc/sudoers.*$ patterns: '*.rules' - register: find_existing_watch_rules_d + register: find_audit_sysadmin_actions when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Use matched file as the recipient for the rule set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + all_sysadmin_actions_files: + - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - 
PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d + lineinfile: + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers -p wa -k actions + create: true when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ +- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - 
medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -w /etc/sudoers -p wa -k actions + create: true when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add watch rule for 
/etc/sysconfig/network in /etc/audit/audit.rules +- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules lineinfile: - line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - audit_rules_networkconfig_modification | bool + - audit_rules_sysadmin_actions | bool + - no_reboot_needed | bool - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27461-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity 
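Review bot: The four `Inserts/replaces audit rule for /etc/sudoers…` tasks call lineinfile with only `line:` and no `regexp:`, so they never replace anything: an existing watch on the same path with a different key or `-p` flags stays in place and a second line is appended, which contradicts the task names and the recipient selection that deliberately targets a file already mentioning `/etc/sudoers`. If replacement is intended, add `regexp: '^\s*-w\s+/etc/sudoers\s+-p\s+wa'` (and the `/etc/sudoers.d/` equivalent) so the existing line is rewritten; otherwise rename the tasks to `Insert audit rule …`. The selection pattern `^.*/etc/sudoers.*$` also matches commented-out lines and any line merely mentioning the path, so `^\s*-w\s+/etc/sudoers` would be more precise if the goal is to find an active rule. Nothing in the hunk reloads the rules after writing them (no handler or `augenrules --load` step is visible), so the `no_reboot_needed` tag presumably relies on a reload defined elsewhere. The last task's `tags:` list runs past the end of the hunk.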
@@ -5215,121 +5215,185 @@ - reboot_required - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Search for privileged commands + shell: find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype + ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs + -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o + -perm -2000 \) 2> /dev/null + args: + warn: false + executable: /bin/bash + check_mode: false + register: find_result + changed_when: false + failed_when: false when: - - audit_rules_kernel_module_loading | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27129-6 + - CCE-27437-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Perform remediation of Audit rules for kernel module loading for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - 
contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key modules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)modules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/modules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - 
set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ find_result.stdout_lines }}' + register: files_result + when: + - no_reboot_needed | bool + - audit_rules_privileged_commands | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030360 + - 
NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Overwrites the rule in rules.d + lineinfile: + path: '{{ item.1.path }}' + line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: false + regexp: ^.*path={{ item.0.item }} .*$ + with_subelements: + - '{{ files_result.results }}' + - files + when: + - no_reboot_needed | bool + - audit_rules_privileged_commands | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030360 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Adds the rule in rules.d + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: true + with_items: + - '{{ files_result.results }}' + when: + - no_reboot_needed | bool + - audit_rules_privileged_commands | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - files_result.results is defined and item.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030360 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: true + regexp: ^.*path={{ item.item }} .*$ + with_items: + - '{{ files_result.results }}' + when: + - no_reboot_needed | bool + - audit_rules_privileged_commands | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030360 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - audit_rules_kernel_module_loading | bool - restrict_strategy | bool @@ -5354,7 +5418,7 @@ - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform +- name: Perform remediation of Audit rules for kernel module loading for x86 platform block: - name: Declare list of syscals set_fact: 
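Review bot: The paths returned by `find` are interpolated into regular expressions without escaping in the three new lookup/overwrite tasks — `contains: ^.*path={{ item }} .*$` in "Search /etc/audit/rules.d for audit rule entries" and the `regexp:` lines of "Overwrites the rule in rules.d" and "Inserts/replaces the rule in audit.rules" — so a setuid/setgid path containing a regex metacharacter (for example `+` or `(`) is not matched literally, and an existing rule for it can be missed or duplicated instead of replaced. Passing the value through Ansible's `regex_escape` filter, e.g. `regexp: ^.*path={{ item.0.item | regex_escape }} .*$` (and likewise for `item.item` and the `contains` pattern), keeps the match exact. The same loops also feed the raw line into `-F path={{ item.0.item }}`, so a path containing whitespace would produce a malformed audit rule; a guard such as `when: "' ' not in item.0.item"` or a comment stating that such paths are assumed not to occur would make that explicit. Note as well that `failed_when: false` on "Search for privileged commands" means a `find` that fails outright leaves `find_result.stdout_lines` empty and the remaining tasks silently write no rules, which a check on `find_result.rc` or an assertion on the result would surface.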
@@ -5364,15 +5428,15 @@ - finit_module - name: Declare number of syscalls set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d + register: audit_syscalls_found_b32_rules_d loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int }}" - name: Search /etc/audit/rules.d for other rules with the key modules find: @@ -5393,10 +5457,10 @@ - name: Insert the syscall rule in {{ all_files[0] }} block: - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" + set_fact: tmpline="-a always,exit -F arch=b32" - name: 'Construct rule: add syscalls' set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' when: item.matched is defined and item.matched == 0 - name: 'Construct rule: add fields and key' set_fact: tmpline="{{ tmpline + ' -k modules' }}" 
@@ -5406,7 +5470,7 @@ line: '{{ tmpline }}' create: true state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - name: Declare list of syscals set_fact: syscalls: 
@@ -5415,23 +5479,23 @@ - finit_module - name: Declare number of syscalls set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules find: paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules + register: audit_syscalls_found_b32_audit_rules loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int }}" - name: Insert the syscall rule in /etc/audit/audit.rules block: - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" + set_fact: tmpline="-a always,exit -F arch=b32" - name: 'Construct rule: add syscalls' set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' when: item.matched is defined and item.matched == 0 - name: 'Construct rule: add fields and key' set_fact: tmpline="{{ tmpline + ' -k modules' }}" 
@@ -5441,7 +5505,7 @@ line: '{{ tmpline }}' create: true state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - audit_rules_kernel_module_loading | bool - restrict_strategy | bool @@ -5449,7 +5513,6 @@ - medium_severity | bool - low_disruption | bool - low_complexity | bool - - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-27129-6 
@@ -5467,34 +5530,36 @@ - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for stime syscall for x86 platform +- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform block: - name: Declare list of syscals set_fact: syscalls: - - stime + - init_module + - delete_module + - finit_module - name: Declare number of syscalls set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d + register: audit_syscalls_found_b64_rules_d loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + - name: Search /etc/audit/rules.d for other rules with the key modules find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + contains: ^.*(?:-F key=|-k\s+)modules$ patterns: '*.rules' register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + - name: Use /etc/audit/rules.d/modules.rules as 
the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/audit_time_rules.rules + - /etc/audit/rules.d/modules.rules when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - name: Use matched file as the recipient for the rule set_fact: 
@@ -5504,1278 +5569,573 @@ - name: Insert the syscall rule in {{ all_files[0] }} block: - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" + set_fact: tmpline="-a always,exit -F arch=b64" - name: 'Construct rule: add syscalls' set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' when: item.matched is defined and item.matched == 0 - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + set_fact: tmpline="{{ tmpline + ' -k modules' }}" - name: Insert the line in {{ all_files[0] }} lineinfile: path: '{{ all_files[0] }}' line: '{{ tmpline }}' create: true state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - name: Declare list of syscals set_fact: syscalls: - - stime + - init_module + - delete_module + - finit_module - name: Declare number of syscalls set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules find: paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules + register: audit_syscalls_found_b64_audit_rules loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ 
audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int }}" - name: Insert the syscall rule in /etc/audit/audit.rules block: - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" + set_fact: tmpline="-a always,exit -F arch=b64" - name: 'Construct rule: add syscalls' set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' when: item.matched is defined and item.matched == 0 - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + set_fact: tmpline="{{ tmpline + ' -k modules' }}" - name: Insert the line in /etc/audit/audit.rules lineinfile: path: /etc/audit/audit.rules line: '{{ tmpline }}' create: true state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_time_stime | bool - - no_reboot_needed | bool + - audit_rules_kernel_module_loading | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27299-7 + - CCE-27129-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_stime + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: 
Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + recurse: false + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_watch_key + register: find_removexattr when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + 
- DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/audit_time_rules.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 + - find_removexattr.matched is defined and find_removexattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_time_watch_localtime | bool - - 
no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 + - find_removexattr.matched is defined and find_removexattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ +- name: Inserts/replaces the removexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/localtime -p wa -k audit_time_rules + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime 
+ - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -w /etc/localtime -p wa -k audit_time_rules + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | 
bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - - audit_rules_time_adjtimex | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27290-6 + - CCE-27367-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86 
platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: 
Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Set architecture for audit fchmodat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - - 
audit_rules_time_adjtimex | bool - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27290-6 + - CCE-27388-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the 
recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ 
audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmodat when: - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - - audit_rules_time_adjtimex | bool - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27290-6 + - CCE-27388-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - /etc/audit/rules.d/privileged.rules when: - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - find_fchmodat.matched is 
defined and find_fchmodat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27219-5 + - CCE-27388-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ 
find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ 
audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' when: - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - find_fchmodat.matched is defined and find_fchmodat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27219-5 + - CCE-27388-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item 
}}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of 
syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls - when: - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - - audit_arch == "b64" - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27219-5 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set architecture for audit tasks - 
set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_settimeofday | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27216-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for settimeofday for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and 
find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - 
set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_settimeofday | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27216-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Perform remediation of Audit rules for settimeofday for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search 
/etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched 
syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_settimeofday | bool - - low_disruption | bool - - low_complexity | bool - - audit_arch == "b64" - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27216-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set architecture for audit fchown tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27356-5 - - 
CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchown - when: - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27356-5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - - find_fchown.matched is defined and find_fchown.matched == 0 - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27356-5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Use matched file as the recipient 
for the rule
- set_fact:
- all_files:
- - '{{ find_fchown.files | map(attribute=''path'') | list | first }}'
- when:
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
- - low_complexity | bool
- - find_fchown.matched is defined and find_fchown.matched > 0
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - CCE-27356-5
- - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
- - NIST-800-171-3.1.7
- - NIST-800-53-AU-12(c)
- - NIST-800-53-AU-2(d)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
- - low_complexity
- - low_disruption
- - medium_severity
- - reboot_required
- - restrict_strategy
-
-- name: Inserts/replaces the fchown rule in rules.d when on x86
+- name: Inserts/replaces the fchmodat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27356-5
+ - CCE-27388-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchown rule in rules.d when on x86_64
+- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27356-5
+ - CCE-27388-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27356-5
+ - CCE-27388-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ -
audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
+- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27356-5
+ - CCE-27388-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit setxattr tasks
+- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
-
PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
@@ -6788,25 +6148,25 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_setxattr
+ register: find_fremovexattr
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
@@ -6818,24 +6178,24 @@
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- - find_setxattr.matched is defined and find_setxattr.matched == 0
+ - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
@@ -6845,173 +6205,173 @@
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}'
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- - find_setxattr.matched is defined and find_setxattr.matched > 0
+ - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the setxattr rule in rules.d when on x86
+- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
-
NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
+- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption |
bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
+- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_setxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27213-8
+ - CCE-27353-2
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030440
+ - DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit chown tasks
+- name: Set architecture for audit lchown tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity |
bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
@@ -7024,25 +6384,25 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_chown
+ register: find_lchown
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
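Review bot: `audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}` in the renamed "Set architecture for audit lchown tasks" task only produces `b64` when the architecture string ends in two digits; for values such as `ppc64le` or `s390x` the filter presumably leaves the string unchanged, so `audit_arch == 'b64'` is never true, the 64-bit rule tasks are silently skipped and only the `arch=b32` line is written for those hosts. The line is context here and the commit only renames the task, but the same expression recurs in the chown block (L102) and the fchown block (L109). Deriving the value from the word-size fact, `audit_arch: b{{ ansible_userspace_bits }}`, or at least stating the x86-only assumption in the task name, would make the coverage gap visible. The "Set architecture" task continues past the end of this hunk.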
@@ -7054,24 +6414,24 @@
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- - find_chown.matched is defined and find_chown.matched == 0
+ - find_lchown.matched is defined and find_lchown.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
@@ -7081,157 +6441,157 @@
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- - '{{ find_chown.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_lchown.files | map(attribute=''path'') | list | first }}'
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- - find_chown.matched is defined and find_chown.matched > 0
+ - find_lchown.matched is defined and find_lchown.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the chown rule in rules.d when on x86
+- name: Inserts/replaces the lchown rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the chown rule in rules.d when on x86_64
+- name: Inserts/replaces the lchown rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ -
CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the chown rule in audit.rules when on x86_64
+- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27364-9
+ - CCE-27083-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030390
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit lsetxattr tasks
+- name: Set architecture for audit chown tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
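Review bot: The renamed `Inserts/replaces the lchown rule in …` tasks in this hunk use `lineinfile` with only `line:` and no `regexp:`, so they can insert but never replace: an existing variant of the same rule (for example one written with the numeric `auid!=4294967295` spelling, or without the `key=perm_mod` field) stays in place and the new line is appended next to it, leaving two rules for one syscall in the loaded ruleset. The same shape appears in every `Inserts/replaces …` task of the diff, including the fchmodat block (L91–L93), the fremovexattr block (L95–L97) and the fchown block (L111). Either rename the tasks to `Inserts the lchown rule in …` so the name matches what the module does, or anchor them with `regexp: '^-a always,exit -F arch=b32 -S lchown .*'` (and the `b64` counterpart) so an older line is genuinely replaced. The last task in this hunk, "Set architecture for audit chown tasks", continues past the end of the hunk.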
@@ -7239,15 +6599,15 @@
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
@@ -7260,9 +6620,9 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_lsetxattr
+ register: find_chown
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
@@ -7270,15 +6630,15 @@
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
@@ -7290,24 +6650,24 @@
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
- low_complexity | bool
- - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0
+ - find_chown.matched is defined and find_chown.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
@@ -7317,39 +6677,39 @@
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_chown.files | map(attribute=''path'') | list | first }}'
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- low_disruption | bool
- low_complexity | bool
- - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0
+ - find_chown.matched is defined and find_chown.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
+- name: Inserts/replaces the chown rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
@@ -7357,28 +6717,28 @@
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
+- name: Inserts/replaces the chown rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
@@ -7387,29 +6747,29 @@
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
@@ -7417,29 +6777,29 @@
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
+- name: Inserts/replaces the chown rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- - audit_rules_dac_modification_lsetxattr | bool
+ - audit_rules_dac_modification_chown | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
@@ -7448,42 +6808,42 @@
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27280-7
+ - CCE-27364-9
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030460
+ - DISA-STIG-RHEL-07-030370
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit chmod tasks
+- name: Set architecture for audit fchown tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
+ - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27339-1
+ - CCE-27356-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
@@ -7496,25 +6856,25 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_chmod
+ register: find_fchown
when:
+ - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27339-1
+ - CCE-27356-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
@@ -7526,24 +6886,24 @@
all_files:
- /etc/audit/rules.d/privileged.rules
when:
+ - audit_rules_dac_modification_fchown | bool
- restrict_strategy | bool
- reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- low_disruption | bool
- low_complexity | bool
- - find_chmod.matched is defined and find_chmod.matched == 0
+ - find_fchown.matched is defined and find_fchown.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27339-1
+ - CCE-27356-5
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
@@ -7553,173 +6913,173 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool - reboot_required | bool - - audit_rules_dac_modification_chmod | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - - find_chmod.matched is defined and find_chmod.matched > 0 + - find_fchown.matched is defined and find_fchown.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27339-1 + - CCE-27356-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 + - DISA-STIG-RHEL-07-030380 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the chmod rule in rules.d when on x86 +- name: Inserts/replaces the fchown rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool - reboot_required | bool - - audit_rules_dac_modification_chmod | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27339-1 + - CCE-27356-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 + - DISA-STIG-RHEL-07-030380 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod 
+ - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the chmod rule in rules.d when on x86_64 +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool - reboot_required | bool - - audit_rules_dac_modification_chmod | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27339-1 + - CCE-27356-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 + - DISA-STIG-RHEL-07-030380 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool - reboot_required | bool - - audit_rules_dac_modification_chmod | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27339-1 + - 
CCE-27356-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 + - DISA-STIG-RHEL-07-030380 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool - reboot_required | bool - - audit_rules_dac_modification_chmod | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27339-1 + - CCE-27356-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 + - DISA-STIG-RHEL-07-030380 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit removexattr tasks +- name: Set architecture for audit fsetxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity @@ -7732,25 +7092,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_removexattr + register: find_fsetxattr when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity 
@@ -7762,24 +7122,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_removexattr.matched is defined and find_removexattr.matched == 0 + - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity 
@@ -7789,173 +7149,173 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - - find_removexattr.matched is defined and find_removexattr.matched > 0 + - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86 +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | 
bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27389-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fremovexattr tasks +- name: Set architecture for audit lsetxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - 
medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity @@ -7968,25 +7328,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fremovexattr + register: find_lsetxattr when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity 
@@ -7998,24 +7358,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0 + - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity 
@@ -8025,157 +7385,157 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 + - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - 
low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27280-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030460 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchownat tasks +- name: Set architecture for audit setxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | 
bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool @@ -8183,15 +7543,15 @@ - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity @@ -8204,9 +7564,9 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchownat + register: find_setxattr when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool @@ -8214,15 +7574,15 @@ - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity 
@@ -8234,24 +7594,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - - find_fchownat.matched is defined and find_fchownat.matched == 0 + - find_setxattr.matched is defined and find_setxattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity 
@@ -8261,39 +7621,39 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - - find_fchownat.matched is defined and find_fchownat.matched > 0 + - find_setxattr.matched is defined and find_setxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86 +- name: Inserts/replaces the setxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool 
@@ -8301,28 +7661,28 @@ - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool 
@@ -8331,29 +7691,29 @@ - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool 
@@ -8361,29 +7721,29 @@ - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchownat | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool 
@@ -8392,42 +7752,42 @@ - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27213-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030440 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchmod tasks +- name: Set architecture for audit fchownat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27387-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity 
@@ -8440,25 +7800,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchmod + register: find_fchownat when: + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27387-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity @@ -8470,24 +7830,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - low_disruption | bool - low_complexity | bool - - find_fchmod.matched is defined and find_fchmod.matched == 0 + - find_fchownat.matched is defined and find_fchownat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27387-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity 
@@ -8497,173 +7857,173 @@
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}'
when:
+ - audit_rules_dac_modification_fchownat | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- - find_fchmod.matched is defined and find_fchmod.matched > 0
+ - find_fchownat.matched is defined and find_fchownat.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27393-8
+ - CCE-27387-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030420
+ - DISA-STIG-RHEL-07-030400
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchmod rule in rules.d when on x86
+- name: Inserts/replaces the fchownat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
+ - audit_rules_dac_modification_fchownat | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27393-8
+ - CCE-27387-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030420
+ - DISA-STIG-RHEL-07-030400
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
+- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
+ - audit_rules_dac_modification_fchownat | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27393-8
+ - CCE-27387-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030420
+ - DISA-STIG-RHEL-07-030400
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
+ - audit_rules_dac_modification_fchownat | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27393-8
+ - CCE-27387-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030420
+ - DISA-STIG-RHEL-07-030400
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
+- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
+ - audit_rules_dac_modification_fchownat | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
- - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27393-8
+ - CCE-27387-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030420
+ - DISA-STIG-RHEL-07-030400
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit lchown tasks
+- name: Set architecture for audit chmod tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
@@ -8676,25 +8036,25 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_lchown
+ register: find_chmod
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
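Review bot: The four `lineinfile` tasks named `Inserts/replaces the fchownat rule ...` in this hunk pass only `line:` and no `regexp:`, so they append when the exact string is absent and never replace an existing fchownat rule written differently (for example with `-F auid!=4294967295` or `-k perm_mod`), leaving two rules for one syscall despite what the task name promises. The `state: present` / `create: true` variants targeting `/etc/audit/audit.rules` will also create that file with whatever mode the umask yields, typically world-readable; adding `mode: '0640'` (constructed value, align it with the profile's audit file-permission rule) would keep the audit policy from being readable by every local user. The chmod and lremovexattr tasks in the `@@ -8733` and `@@ -8942` hunks have the same shape.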
@@ -8708,22 +8068,22 @@
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- - find_lchown.matched is defined and find_lchown.matched == 0
+ - find_chmod.matched is defined and find_chmod.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
@@ -8733,173 +8093,173 @@
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- - '{{ find_lchown.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_chmod.files | map(attribute=''path'') | list | first }}'
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- - find_lchown.matched is defined and find_lchown.matched > 0
+ - find_chmod.matched is defined and find_chmod.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lchown rule in rules.d when on x86
+- name: Inserts/replaces the chmod rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lchown rule in rules.d when on x86_64
+- name: Inserts/replaces the chmod rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
lineinfile:
- line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
+- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
lineinfile:
- line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- restrict_strategy | bool
- reboot_required | bool
+ - audit_rules_dac_modification_chmod | bool
- medium_severity | bool
- - audit_rules_dac_modification_lchown | bool
- low_disruption | bool
- low_complexity | bool
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27083-5
+ - CCE-27339-1
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030390
+ - DISA-STIG-RHEL-07-030410
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit fsetxattr tasks
+- name: Set architecture for audit lremovexattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27410-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030490
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
@@ -8912,25 +8272,25 @@
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
- register: find_fsetxattr
+ register: find_lremovexattr
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27410-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030490
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
@@ -8942,935 +8302,1497 @@
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
+ - low_disruption | bool
+ - low_complexity | bool
+ - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-27410-0
+ - CJIS-5.4.1.1
+ - DISA-STIG-RHEL-07-030490
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}'
+ when:
+ - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
+ - low_disruption | bool
+ - low_complexity | bool
+ - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-27410-0
+ - CJIS-5.4.1.1
+ - DISA-STIG-RHEL-07-030490
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ create: true
+ when:
+ - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
+ - low_disruption | bool
+ - low_complexity | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-27410-0
+ - CJIS-5.4.1.1
+ - DISA-STIG-RHEL-07-030490
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ create: true
+ when:
+ - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
+ - low_disruption | bool
+ - low_complexity | bool
+ - audit_arch is defined and audit_arch == 'b64'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-27410-0
+ - CJIS-5.4.1.1
+ - DISA-STIG-RHEL-07-030490
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
+ lineinfile:
+ line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
+ when:
+ - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27410-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030490
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}'
+- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
+ lineinfile:
+ line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_lremovexattr | bool
- low_disruption | bool
- low_complexity | bool
- - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0
+ - audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27410-0
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030490
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
- lineinfile:
- path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- create: true
+- name: Set architecture for audit fchmod tasks
+ set_fact:
+ audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
- lineinfile:
- path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- create: true
+- name: Search /etc/audit/rules.d for other DAC audit rules
+ find:
+ paths: /etc/audit/rules.d
+ recurse: false
+ contains: -F key=perm_mod$
+ patterns: '*.rules'
+ register: find_fchmod
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- - audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
- lineinfile:
- line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- state: present
- dest: /etc/audit/audit.rules
- create: true
+- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/privileged.rules
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
+ - find_fchmod.matched is defined and find_fchmod.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
- lineinfile:
- line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- state: present
- dest: /etc/audit/audit.rules
- create: true
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}'
when:
- - audit_rules_dac_modification_fsetxattr | bool
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- low_complexity | bool
- - audit_arch is defined and audit_arch == 'b64'
+ - find_fchmod.matched is defined and find_fchmod.matched > 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27389-6
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030450
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Set architecture for audit fchmodat tasks
- set_fact:
- audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
+- name: Inserts/replaces the fchmod rule in rules.d when on x86
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ create: true
when:
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27388-8
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Search /etc/audit/rules.d for other DAC audit rules
- find:
- paths: /etc/audit/rules.d
- recurse: false
- contains: -F key=perm_mod$
- patterns: '*.rules'
- register: find_fchmodat
+- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ create: true
when:
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
+ - audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27388-8
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
- set_fact:
- all_files:
- - /etc/audit/rules.d/privileged.rules
+- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
+ lineinfile:
+ line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
when:
- restrict_strategy | bool
- reboot_required | bool
- medium_severity | bool
+ - audit_rules_dac_modification_fchmod | bool
- low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- - find_fchmodat.matched is defined and find_fchmodat.matched == 0
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- - CCE-27388-8
+ - CCE-27393-8
- CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
-- name: Use matched file as the recipient for the rule
- set_fact:
- all_files:
- - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}'
+- name: Inserts/replaces the fchmod
rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - restrict_strategy | bool - reboot_required | bool - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - - find_fchmodat.matched is defined and find_fchmodat.matched > 0 + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Perform remediation of Audit rules for stime syscall for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: 
audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: + - audit_rules_time_stime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27299-7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_stime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset 
-F key=perm_mod - create: true +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_watch_key when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] tags: - - CCE-27388-8 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - - audit_arch is defined and audit_arch == 'b64' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit lremovexattr tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture 
| regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_lremovexattr +- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/localtime -p wa -k audit_time_rules + create: true when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - 
NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - low_complexity | bool - - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' +- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules + lineinfile: + line: -w /etc/localtime -p wa -k audit_time_rules + state: present + dest: /etc/audit/audit.rules + create: true when: + - 
audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - low_complexity | bool - - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27310-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool + - audit_rules_time_adjtimex | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27290-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption 
- medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Perform remediation of Audit rules for adjtimex for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + 
set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: 
true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool + - audit_rules_time_adjtimex | bool - low_disruption | bool - low_complexity | bool - - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27290-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Perform remediation of Audit rules for adjtimex for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ 
audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: 
audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool + - audit_rules_time_adjtimex | bool - low_disruption | bool - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27290-6 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F 
key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - no_reboot_needed | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool - - reboot_required | bool - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - low_complexity | bool - - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27219-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search for privileged commands - shell: find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype - ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs - -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o - -perm -2000 \) 2> /dev/null - args: - warn: false - executable: /bin/bash - check_mode: false - register: find_result - changed_when: false - failed_when: false +- name: Perform remediation of Audit rules for clock_settime for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: 
/etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - 
name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - no_reboot_needed | bool - - audit_rules_privileged_commands | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27219-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path={{ item }} .*$ - patterns: '*.rules' - with_items: - - '{{ find_result.stdout_lines }}' - register: files_result +- name: Perform remediation of Audit rules for clock_settime for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and 
find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + 
set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - no_reboot_needed | bool - - audit_rules_privileged_commands | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool - medium_severity | bool - low_disruption | bool - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27219-5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Overwrites the rule in rules.d - lineinfile: - path: '{{ item.1.path }}' - line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: false - regexp: ^.*path={{ item.0.item }} .*$ - with_subelements: - - '{{ files_result.results }}' - - files +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - medium_severity | bool + - audit_rules_time_settimeofday | bool - low_disruption | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27216-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Adds the rule in rules.d - lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: true - with_items: - - '{{ files_result.results }}' +- name: Perform remediation of Audit rules for settimeofday for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is 
defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: 
tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - medium_severity | bool + - audit_rules_time_settimeofday | bool - low_disruption | bool - low_complexity | bool - - files_result.results is defined and item.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27216-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: true - regexp: ^.*path={{ item.item }} .*$ - with_items: - - '{{ files_result.results }}' +- name: Perform remediation of Audit rules for settimeofday for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ 
syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - medium_severity | bool + - audit_rules_time_settimeofday | bool - low_disruption | bool - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27216-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure daily log rotation 
in /etc/logrotate.conf - lineinfile: - create: true - dest: /etc/logrotate.conf - regexp: ^daily$ - line: daily - when: - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool - - ensure_logrotate_activated | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80195-1 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - configure_strategy - - ensure_logrotate_activated - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf - lineinfile: - create: false - dest: /etc/logrotate.conf - regexp: ^(weekly|monthly|yearly)$ - state: absent - when: - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool - - ensure_logrotate_activated | bool - - low_complexity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80195-1 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - configure_strategy - - ensure_logrotate_activated - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Configure cron.daily if not already - block: - - name: Add shebang - lineinfile: - path: /etc/cron.daily/logrotate - line: '#!/bin/sh' - insertbefore: BOF - create: true - - name: Add logrotate call - lineinfile: - path: /etc/cron.daily/logrotate - line: /usr/sbin/logrotate /etc/logrotate.conf - regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ +- name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists when: + - file_owner_grub2_cfg | bool - no_reboot_needed | bool - medium_severity | bool - configure_strategy | bool - low_disruption | bool - - ensure_logrotate_activated | bool - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] tags: - - CCE-80195-1 + - CCE-82026-6 + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 + - PCI-DSS-Req-7.1 - configure_strategy - - ensure_logrotate_activated - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure libreswan is installed - package: - name: libreswan - state: present - tags: - - CCE-80170-4 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-4.1 - - enable_strategy + - file_owner_grub2_cfg - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_libreswan_installed - when: - - no_reboot_needed | bool - - medium_severity | bool - - package_libreswan_installed | bool - - enable_strategy | bool - - low_disruption | bool - - low_complexity | bool -- name: Test for existence /boot/grub2/grub.cfg - stat: +- name: Ensure owner 0 on /boot/grub2/grub.cfg + file: path: /boot/grub2/grub.cfg - register: file_exists + owner: '0' when: - file_owner_grub2_cfg | bool - no_reboot_needed | bool @@ -9878,6 +9800,7 @@ - configure_strategy | bool - low_disruption | bool - low_complexity | bool + - file_exists.stat is defined and file_exists.stat.exists - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82026-6 
@@ -9893,37 +9816,36 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /boot/grub2/grub.cfg - file: +- name: Test for existence /boot/grub2/grub.cfg + stat: path: /boot/grub2/grub.cfg - owner: '0' + register: file_exists when: - - file_owner_grub2_cfg | bool - no_reboot_needed | bool - medium_severity | bool - configure_strategy | bool + - file_groupowner_grub2_cfg | bool - low_disruption | bool - low_complexity | bool - - file_exists.stat is defined and file_exists.stat.exists - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82026-6 + - CCE-82023-3 - CJIS-5.5.2.2 - NIST-800-171-3.4.5 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 - configure_strategy - - file_owner_grub2_cfg + - file_groupowner_grub2_cfg - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Test for existence /boot/grub2/grub.cfg - stat: +- name: Ensure group owner 0 on /boot/grub2/grub.cfg + file: path: /boot/grub2/grub.cfg - register: file_exists + group: '0' when: - no_reboot_needed | bool - medium_severity | bool @@ -9931,6 +9853,7 @@ - file_groupowner_grub2_cfg | bool - low_disruption | bool - low_complexity | bool + - file_exists.stat is defined and file_exists.stat.exists - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82023-3 
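Review bot: The guard `file_exists.stat is defined and file_exists.stat.exists` added in `@@ -9931` (and in `@@ -9878` just above) ties the remediation to a stat result only through the register name `file_exists`, which every `Test for existence` task in this file reuses, so a `file` task acts on whichever `stat` ran most recently rather than on the one for its own path. That is correct today only because each stat/file pair repeats an identical `when` list, and this diff shows how freely the generated tasks get reordered; the same pattern recurs in `@@ -9946`, `@@ -10027`, `@@ -10076`, `@@ -10139` and `@@ -10286`. A per-rule register name removes the coupling, e.g. `register: file_exists_grub2_cfg` on the stat task and `- file_exists_grub2_cfg.stat is defined and file_exists_grub2_cfg.stat.exists` on the file task. The `Ensure group owner 0 on /boot/grub2/grub.cfg` task whose `when` list `@@ -9931` extends starts outside that hunk.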
@@ -9946,28 +9869,50 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /boot/grub2/grub.cfg - file: - path: /boot/grub2/grub.cfg - group: '0' +- name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + tags: + - CCE-82031-6 + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed when: + - file_owner_etc_group | bool + - medium_severity | bool + - configure_strategy | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + +- name: Ensure owner 0 on /etc/group + file: + path: /etc/group + owner: '0' + when: + - file_owner_etc_group | bool - medium_severity | bool - configure_strategy | bool - - file_groupowner_grub2_cfg | bool + - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82023-3 + - CCE-82031-6 - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 + - PCI-DSS-Req-8.7.c - configure_strategy - - file_groupowner_grub2_cfg + - file_owner_etc_group - low_complexity - low_disruption - medium_severity 
@@ -10027,45 +9972,45 @@ path: /etc/shadow register: file_exists tags: - - CCE-82051-4 + - CCE-82042-3 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_groupowner_etc_shadow + - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: + - file_permissions_etc_shadow | bool - no_reboot_needed | bool - - configure_strategy | bool - medium_severity | bool - - file_groupowner_etc_shadow | bool + - configure_strategy | bool - low_disruption | bool - low_complexity | bool -- name: Ensure group owner 0 on /etc/shadow +- name: Ensure permission 0000 on /etc/shadow file: path: /etc/shadow - group: '0' + mode: '0000' when: + - file_permissions_etc_shadow | bool - no_reboot_needed | bool - - configure_strategy | bool - medium_severity | bool - - file_groupowner_etc_shadow | bool + - configure_strategy | bool - low_disruption | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82051-4 + - CCE-82042-3 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_groupowner_etc_shadow + - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity 
@@ -10076,45 +10021,45 @@ path: /etc/shadow register: file_exists tags: - - CCE-82042-3 + - CCE-82022-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_shadow + - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_permissions_etc_shadow | bool + - file_owner_etc_shadow | bool - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool + - medium_severity | bool - low_disruption | bool - low_complexity | bool -- name: Ensure permission 0000 on /etc/shadow +- name: Ensure owner 0 on /etc/shadow file: path: /etc/shadow - mode: '0000' + owner: '0' when: - - file_permissions_etc_shadow | bool + - file_owner_etc_shadow | bool - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool + - medium_severity | bool - low_disruption | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82042-3 + - CCE-82022-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_shadow + - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity @@ -10125,13 +10070,13 @@ path: /etc/passwd register: file_exists tags: - - CCE-82052-2 + - CCE-82029-0 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_passwd + - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity 
@@ -10139,80 +10084,80 @@ when: - no_reboot_needed | bool - medium_severity | bool - - file_owner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool + - file_permissions_etc_passwd | bool - low_complexity | bool -- name: Ensure owner 0 on /etc/passwd +- name: Ensure permission 0644 on /etc/passwd file: path: /etc/passwd - owner: '0' + mode: '0644' when: - no_reboot_needed | bool - medium_severity | bool - - file_owner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool + - file_permissions_etc_passwd | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82052-2 + - CCE-82029-0 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_passwd + - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Test for existence /etc/group +- name: Test for existence /etc/passwd stat: - path: /etc/group + path: /etc/passwd register: file_exists tags: - - CCE-82031-6 + - CCE-26639-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_group + - file_groupowner_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_owner_etc_group | bool + - no_reboot_needed | bool - medium_severity | bool + - file_groupowner_etc_passwd | bool - configure_strategy | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool -- name: Ensure owner 0 on /etc/group +- name: Ensure group owner 0 on /etc/passwd file: - path: /etc/group - owner: '0' + path: /etc/passwd + group: '0' when: - - file_owner_etc_group | bool + - no_reboot_needed | bool - medium_severity | bool + - file_groupowner_etc_passwd | bool - configure_strategy | bool - - no_reboot_needed | bool - low_disruption | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - 
CCE-82031-6 + - CCE-26639-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_group + - file_groupowner_etc_passwd - low_complexity - low_disruption - medium_severity @@ -10272,13 +10217,13 @@ path: /etc/passwd register: file_exists tags: - - CCE-82029-0 + - CCE-82052-2 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_passwd + - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity @@ -10286,31 +10231,31 @@ when: - no_reboot_needed | bool - medium_severity | bool + - file_owner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool - - file_permissions_etc_passwd | bool - low_complexity | bool -- name: Ensure permission 0644 on /etc/passwd +- name: Ensure owner 0 on /etc/passwd file: path: /etc/passwd - mode: '0644' + owner: '0' when: - no_reboot_needed | bool - medium_severity | bool + - file_owner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool - - file_permissions_etc_passwd | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82029-0 + - CCE-82052-2 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_passwd + - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity 
@@ -10321,98 +10266,153 @@ path: /etc/shadow register: file_exists tags: - - CCE-82022-5 + - CCE-82051-4 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_shadow + - file_groupowner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_owner_etc_shadow | bool - no_reboot_needed | bool - configure_strategy | bool - medium_severity | bool + - file_groupowner_etc_shadow | bool - low_disruption | bool - low_complexity | bool -- name: Ensure owner 0 on /etc/shadow +- name: Ensure group owner 0 on /etc/shadow file: path: /etc/shadow - owner: '0' + group: '0' when: - - file_owner_etc_shadow | bool - no_reboot_needed | bool - configure_strategy | bool - medium_severity | bool + - file_groupowner_etc_shadow | bool - low_disruption | bool - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82022-5 + - CCE-82051-4 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_shadow + - file_groupowner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Test for existence /etc/passwd - stat: - path: /etc/passwd - register: file_exists +- name: Configure daily log rotation in /etc/logrotate.conf + lineinfile: + create: true + dest: /etc/logrotate.conf + regexp: ^daily$ + line: daily + when: + - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - ensure_logrotate_activated | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26639-5 - - CJIS-5.5.2.2 - - NIST-800-53-AC-6(1) + - CCE-80195-1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.7.c + - PCI-DSS-Req-10.7 - configure_strategy - - file_groupowner_etc_passwd + - ensure_logrotate_activated - low_complexity - low_disruption - medium_severity - 
no_reboot_needed + +- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf + lineinfile: + create: false + dest: /etc/logrotate.conf + regexp: ^[\s]*(weekly|monthly|yearly)$ + state: absent when: - no_reboot_needed | bool - medium_severity | bool - - file_groupowner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool + - ensure_logrotate_activated | bool - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80195-1 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - configure_strategy + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed -- name: Ensure group owner 0 on /etc/passwd - file: - path: /etc/passwd - group: '0' +- name: Configure cron.daily if not already + block: + - name: Add shebang + lineinfile: + path: /etc/cron.daily/logrotate + line: '#!/bin/sh' + insertbefore: BOF + create: true + - name: Add logrotate call + lineinfile: + path: /etc/cron.daily/logrotate + line: /usr/sbin/logrotate /etc/logrotate.conf + regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ when: - no_reboot_needed | bool - medium_severity | bool - - file_groupowner_etc_passwd | bool - configure_strategy | bool - low_disruption | bool + - ensure_logrotate_activated | bool - low_complexity | bool - - file_exists.stat is defined and file_exists.stat.exists + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26639-5 - - CJIS-5.5.2.2 - - NIST-800-53-AC-6(1) + - CCE-80195-1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.7.c + - PCI-DSS-Req-10.7 - configure_strategy - - file_groupowner_etc_passwd + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure libreswan is installed + package: + name: libreswan + state: present + tags: + - CCE-80170-4 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-4.1 + - 
enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed + - package_libreswan_installed + when: + - no_reboot_needed | bool + - medium_severity | bool + - package_libreswan_installed | bool + - enable_strategy | bool + - low_disruption | bool + - low_complexity | bool - name: Set SSH Client Alive Count Max block: @@ -10448,6 +10448,7 @@ - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 - low_complexity - low_disruption - medium_severity
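Review bot: In the `Configure cron.daily if not already` block, the `Add shebang` task creates /etc/cron.daily/logrotate with `create: true` but sets no `mode`, so on a host where the script did not already exist it is created with umask-default permissions, which are typically not executable; run-parts skips non-executable entries, so the daily logrotate call would silently never run and the PCI-DSS-Req-10.7 control the block is tagged with would not actually be enforced. Add `mode: '0755'` to that first lineinfile (the `Add logrotate call` task can leave it unset, since the file then already exists with the right mode). Note also that the two lineinfile tasks above only enforce `daily` in /etc/logrotate.conf; a per-log stanza elsewhere can still set a longer interval, so a comment such as `# only the global interval in /etc/logrotate.conf is enforced; per-log drop-ins are not checked` would help the next reader understand the scope. Minor: the task name `Make sure daily log rotation setting is not overriden in /etc/logrotate.conf` misspells "overridden".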