From ed80516a92c4061e486937b54bce1edb0089f702 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Wed, 7 Feb 2024 19:46:38 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 622 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 448 insertions(+), 174 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6971074..a0478fa 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1739,6 +1739,7 @@ - NIST-800-53-SC-12(2) - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 + - PCI-DSSv4-2.2.7 - configure_crypto_policy - high_severity - low_complexity @@ -1766,6 +1767,7 @@ - NIST-800-53-SC-12(2) - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 + - PCI-DSSv4-2.2.7 - configure_crypto_policy - high_severity - low_complexity @@ -1932,7 +1934,6 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 - configure_libreswan_crypto_policy - high_severity - low_complexity @@ -1965,7 +1966,6 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -1998,7 +1998,6 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -2042,7 +2041,6 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -2078,7 +2076,6 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 - configure_openssl_crypto_policy - low_complexity - medium_disruption @@ -2100,7 +2097,7 @@ - NIST-800-53-MA-4(6) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.7 - configure_ssh_crypto_policy - disable_strategy - low_complexity @@ -2746,6 +2743,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(b) + - PCI-DSSv4-8.3.1 - gnome_gdm_disable_automatic_login - high_severity - low_complexity 
@@ -2786,6 +2784,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(b) + - PCI-DSSv4-8.3.1 - gnome_gdm_disable_automatic_login - high_severity - low_complexity @@ -2892,6 +2891,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_delay - low_complexity - medium_disruption @@ -2932,6 +2932,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_delay - low_complexity - medium_disruption @@ -2958,6 +2959,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_delay - low_complexity - medium_disruption 
@@ -3235,6 +3237,85 @@ - no_reboot_needed - unknown_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - DISA_STIG_RHEL_08_020082 | bool + - dconf_gnome_screensaver_lock_locked | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Prevent user modification of GNOME Screensaver lock-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled$ + line: /org/gnome/desktop/screensaver/lock-enabled + create: true + when: + - DISA_STIG_RHEL_08_020082 | bool + - dconf_gnome_screensaver_lock_locked | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - DISA_STIG_RHEL_08_020082 | bool + - dconf_gnome_screensaver_lock_locked | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - unknown_strategy + - name: Gather the package facts package_facts: manager: auto @@ -3505,7 +3586,7 @@ - unknown_strategy - name: Find /etc/sudoers.d/ files - find: + ansible.builtin.find: paths: - /etc/sudoers.d/ register: sudoers @@ -3530,7 +3611,7 @@ - sudo_remove_no_authenticate | bool - name: Remove lines containing !authenticate from sudoers files - replace: + ansible.builtin.replace: regexp: (^(?!#).*[\s]+\!authenticate.*$) replace: '# \g<1>' path: '{{ item.path }}' @@ -3559,7 +3640,7 @@ - sudo_remove_no_authenticate | bool - name: Find /etc/sudoers.d/ files - find: + ansible.builtin.find: paths: - /etc/sudoers.d/ register: sudoers @@ -3584,7 +3665,7 @@ - sudo_remove_nopasswd | bool - name: Remove lines containing NOPASSWD from sudoers files - replace: + ansible.builtin.replace: regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) replace: '# \g<1>' path: '{{ item.path }}' @@ -3619,6 +3700,7 @@ - CCE-87838-9 - DISA-STIG-RHEL-08-010384 - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -3634,8 +3716,8 @@ - restrict_strategy | bool - sudo_require_reauthentication | bool -- name: Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated - find: +- name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout' + ansible.builtin.find: path: /etc/sudoers.d patterns: '*' contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.* @@ -3653,6 +3735,7 @@ - CCE-87838-9 - DISA-STIG-RHEL-08-010384 - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity 
@@ -3660,8 +3743,9 @@ - restrict_strategy - sudo_require_reauthentication -- name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files - lineinfile: +- name: Require Re-Authentication When Using the sudo Command - Remove 'Defaults timestamp_timeout' from /etc/sudoers.d/* + files + ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.* state: absent @@ -3679,6 +3763,7 @@ - CCE-87838-9 - DISA-STIG-RHEL-08-010384 - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -3686,8 +3771,8 @@ - restrict_strategy - sudo_require_reauthentication -- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers - lineinfile: +- name: Require Re-Authentication When Using the sudo Command - Ensure timestamp_timeout has the appropriate value in /etc/sudoers + ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$ line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2 @@ -3707,6 +3792,7 @@ - CCE-87838-9 - DISA-STIG-RHEL-08-010384 - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -3714,8 +3800,8 @@ - restrict_strategy - sudo_require_reauthentication -- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers - lineinfile: +- name: Require Re-Authentication When Using the sudo Command - Enable timestamp_timeout option with correct value in /etc/sudoers + ansible.builtin.lineinfile: path: /etc/sudoers line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }} validate: /usr/sbin/visudo -cf %s 
@@ -3728,11 +3814,41 @@ - restrict_strategy | bool - sudo_require_reauthentication | bool - '"sudo" in ansible_facts.packages' - - edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed + - 'edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed + + ' tags: - CCE-87838-9 - DISA-STIG-RHEL-08-010384 - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_require_reauthentication + +- name: Require Re-Authentication When Using the sudo Command - Remove timestamp_timeout wrong values in /etc/sudoers + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{ var_sudo_timestamp_timeout }}\b)[-]?\w+\b.*$ + state: absent + validate: /usr/sbin/visudo -cf %s + when: + - DISA_STIG_RHEL_08_010384 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sudo_require_reauthentication | bool + - '"sudo" in ansible_facts.packages' + tags: + - CCE-87838-9 + - DISA-STIG-RHEL-08-010384 + - NIST-800-53-IA-11 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -5004,6 +5120,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -5035,6 +5152,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -5066,6 +5184,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -5095,6 +5214,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity 
@@ -5137,6 +5257,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -6000,6 +6121,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6036,6 +6158,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6066,6 +6189,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6132,6 +6256,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6317,6 +6442,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6345,6 +6471,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6512,6 +6639,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity @@ -6729,6 +6857,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity 
@@ -6747,6 +6876,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -6783,6 +6913,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -6813,6 +6944,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -6879,6 +7011,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -7064,6 +7197,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -7092,6 +7226,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -7257,6 +7392,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -7474,6 +7610,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity @@ -11535,7 +11672,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -11575,7 +11711,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption 
@@ -11706,7 +11841,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -11746,7 +11880,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -11928,7 +12061,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -11969,7 +12101,6 @@ - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -12961,8 +13092,6 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -13001,8 +13130,6 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -14351,7 +14478,6 @@ - DISA-STIG-RHEL-08-010390 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.3 - - PCI-DSSv4-8.4 - enable_strategy - install_smartcard_packages - low_complexity @@ -14431,7 +14557,7 @@ - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3.10.1 + - PCI-DSSv4-8.3.9 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -14471,7 +14597,7 @@ - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3.10.1 + - PCI-DSSv4-8.3.9 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -14490,7 +14616,6 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - - PCI-DSSv4-8.3.9 - accounts_minimum_age_login_defs - low_complexity - low_disruption 
@@ -14529,7 +14654,6 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - - PCI-DSSv4-8.3.9 - accounts_minimum_age_login_defs - low_complexity - low_disruption @@ -14604,6 +14728,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) + - PCI-DSSv4-8.3.9 - accounts_password_set_max_life_existing - low_complexity - low_disruption @@ -14639,6 +14764,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) + - PCI-DSSv4-8.3.9 - accounts_password_set_max_life_existing - low_complexity - low_disruption @@ -14724,8 +14850,7 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 + - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity @@ -14795,8 +14920,7 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 + - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity @@ -14833,8 +14957,7 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 + - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity @@ -14861,6 +14984,7 @@ - DISA-STIG-RHEL-08-010121 - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) + - PCI-DSSv4-2.2.2 - high_severity - low_complexity - low_disruption @@ -14888,6 +15012,7 @@ - DISA-STIG-RHEL-08-010121 - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) + - PCI-DSSv4-2.2.2 - high_severity - low_complexity - low_disruption @@ -14908,8 +15033,7 @@ - NIST-800-53-IA-2 - NIST-800-53-IA-4(b) - PCI-DSS-Req-8.5 - - PCI-DSSv4-8.2.2 - - PCI-DSSv4-8.2.3 + - PCI-DSSv4-8.2.1 - accounts_no_uid_except_zero - high_severity - low_complexity @@ -14946,8 +15070,7 @@ - NIST-800-53-IA-2 - NIST-800-53-IA-4(b) - PCI-DSS-Req-8.5 - - PCI-DSSv4-8.2.2 - - PCI-DSSv4-8.2.3 + - PCI-DSSv4-8.2.1 - accounts_no_uid_except_zero - high_severity - low_complexity 
@@ -15774,7 +15897,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -15812,7 +15934,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -15840,7 +15961,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -15868,7 +15988,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -15964,7 +16083,6 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -16002,7 +16120,6 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -16030,7 +16147,6 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -16058,7 +16174,6 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -16080,7 +16195,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -16117,7 +16231,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -16146,7 +16259,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption 
@@ -16166,7 +16278,6 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -16335,7 +16446,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 - - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.3 - grub2_audit_argument - low_disruption - low_severity @@ -16374,7 +16485,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 - - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.3 - grub2_audit_argument - low_disruption - low_severity @@ -16389,6 +16500,7 @@ - CCE-80943-4 - DISA-STIG-RHEL-08-030602 - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.7.2 - grub2_audit_backlog_limit_argument - low_disruption - low_severity @@ -16420,6 +16532,7 @@ - CCE-80943-4 - DISA-STIG-RHEL-08-030602 - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.7.2 - grub2_audit_backlog_limit_argument - low_disruption - low_severity @@ -17389,6 +17502,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -17425,6 +17539,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -17456,6 +17571,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -17493,6 +17609,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -17529,6 +17646,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption 
@@ -17565,6 +17683,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -17595,6 +17714,7 @@ - NIST-800-53-AU-7(b) - NIST-800-53-AU-8(b) - NIST-800-53-CM-5(1) + - PCI-DSSv4-10.2.1.2 - audit_rules_suid_privilege_function - low_complexity - low_disruption @@ -27003,8 +27123,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27045,8 +27163,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27177,8 +27293,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27310,8 +27424,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27442,8 +27554,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27575,8 +27685,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -27596,8 +27704,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption 
@@ -27637,8 +27743,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -27768,8 +27872,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -27900,8 +28002,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -28031,8 +28131,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -28163,8 +28261,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -28184,8 +28280,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -28226,8 +28320,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -28358,8 +28450,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -28491,8 +28581,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption 
@@ -28623,8 +28711,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -28756,8 +28842,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -28777,8 +28861,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption @@ -28818,8 +28900,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption @@ -28949,8 +29029,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption @@ -29081,8 +29159,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption @@ -29212,8 +29288,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption @@ -29344,8 +29418,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption 
@@ -29365,8 +29437,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29406,8 +29476,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29537,8 +29605,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29669,8 +29735,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29800,8 +29864,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29932,8 +29994,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -29953,8 +30013,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -29994,8 +30052,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -30125,8 +30181,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption 
@@ -30257,8 +30311,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -30388,8 +30440,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -30520,8 +30570,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -30541,7 +30589,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -30581,7 +30628,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -30697,7 +30743,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -30814,7 +30859,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -30834,7 +30878,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity @@ -30874,7 +30917,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity 
@@ -30994,7 +31036,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity @@ -31115,7 +31156,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity @@ -31135,7 +31175,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -31175,7 +31214,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -31295,7 +31333,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -31416,7 +31453,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -34889,7 +34925,6 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1) - PCI-DSS-Req-10.7.a - - PCI-DSSv4-10.5.1 - auditd_data_retention_action_mail_acct - low_complexity - low_disruption @@ -34931,7 +34966,6 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1) - PCI-DSS-Req-10.7.a - - PCI-DSSv4-10.5.1 - auditd_data_retention_action_mail_acct - low_complexity - low_disruption @@ -35914,6 +35948,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MA-3 + - PCI-DSSv4-1.4.5 - low_complexity - low_disruption - medium_severity @@ -35943,6 +35978,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MA-3 + - PCI-DSSv4-1.4.5 - low_complexity - low_disruption - medium_severity 
@@ -35950,6 +35986,74 @@
 - no_reboot_needed
 - restrict_strategy
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86506-3
+ - DISA-STIG-RHEL-08-040150
+ - NIST-800-53-SC-5
+ - firewalld-backend
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ when:
+ - DISA_STIG_RHEL_08_040150 | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+
+- name: Setting unquoted shell-style assignment of 'FirewallBackend' to 'nftables' in '/etc/firewalld/firewalld.conf'
+ block:
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/firewalld/firewalld.conf
+ create: true
+ regexp: ^\s*FirewallBackend=
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+ - name: Deduplicate values from /etc/firewalld/firewalld.conf
+ lineinfile:
+ path: /etc/firewalld/firewalld.conf
+ create: true
+ regexp: ^\s*FirewallBackend=
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+ - name: Insert correct line to /etc/firewalld/firewalld.conf
+ lineinfile:
+ path: /etc/firewalld/firewalld.conf
+ create: true
+ regexp: ^\s*FirewallBackend=
+ line: FirewallBackend=nftables
+ state: present
+ insertbefore: ^# FirewallBackend
+ validate: /usr/bin/bash -n %s
+ when:
+ - DISA_STIG_RHEL_08_040150 | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"firewalld" in ansible_facts.packages'
+ tags:
+ - CCE-86506-3
+ - DISA-STIG-RHEL-08-040150
+ - NIST-800-53-SC-5
+ - firewalld-backend
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
 - name: Ensure firewalld is installed
 package:
 name: firewalld
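Review bot: The "Insert correct line" task is gated on `'"firewalld" in ansible_facts.packages'`, yet the context line right after the new block is `- name: Ensure firewalld is installed`, so on a host without the package the backend setting is skipped and firewalld is installed afterwards with whatever its shipped config carries; ordering the install (or a fresh package_facts) ahead of this block would make the dependency explicit. No reload or restart of firewalld is visible in the hunk after `FirewallBackend=nftables` is written, so unless one follows elsewhere the new backend only applies at the next service restart; a comment on the block such as `# FirewallBackend is read at firewalld start; a reload/restart is needed for the change to apply` would record that. `validate: /usr/bin/bash -n %s` only checks that the resulting file is valid shell syntax, which is a weak guard for a key=value config; it is fine as a sanity check but should not be read as validating the option value.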
@@ -35987,6 +36091,7 @@
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(21)
+ - PCI-DSSv4-1.2.1
 - enable_strategy
 - low_complexity
 - low_disruption
@@ -36035,6 +36140,7 @@
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(21)
+ - PCI-DSSv4-1.2.1
 - enable_strategy
 - low_complexity
 - low_disruption
@@ -36632,6 +36738,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -36664,6 +36771,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -36697,6 +36805,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37011,6 +37120,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37042,6 +37152,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37074,6 +37185,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37110,6 +37222,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37142,6 +37255,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37175,6 +37289,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-7(a)
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.3
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37308,6 +37423,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37339,6 +37455,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37371,6 +37488,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - PCI-DSS-Req-1.4.3
+ - PCI-DSSv4-1.4.2
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37407,7 +37525,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
- - PCI-DSSv4-1.4.2
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37440,7 +37558,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
- - PCI-DSSv4-1.4.2
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37474,7 +37592,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
- - PCI-DSSv4-1.4.2
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37511,6 +37629,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37543,6 +37662,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37576,6 +37696,7 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
+ - PCI-DSSv4-1.4.5
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -37937,7 +38058,8 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - PCI-DSS-Req-1.3.3
- - PCI-DSSv4-1.4.3
+ - PCI-DSSv4-1.3.3
+ - PCI-DSSv4-2.3
 - low_complexity
 - medium_disruption
 - medium_severity
@@ -37970,7 +38092,8 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - PCI-DSS-Req-1.3.3
- - PCI-DSSv4-1.4.3
+ - PCI-DSSv4-1.3.3
+ - PCI-DSSv4-2.3
 - low_complexity
 - medium_disruption
 - medium_severity
@@ -38008,7 +38131,8 @@
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - PCI-DSS-Req-1.3.3
- - PCI-DSSv4-1.4.3
+ - PCI-DSSv4-1.3.3
+ - PCI-DSSv4-2.3
 - low_complexity
 - medium_disruption
 - medium_severity
@@ -38285,6 +38409,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38314,6 +38439,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38339,6 +38465,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38374,6 +38501,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38400,6 +38528,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38415,6 +38544,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38441,6 +38571,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38466,6 +38597,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -38492,6 +38624,7 @@
 - DISA-STIG-RHEL-08-010190
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
 - dir_perms_world_writable_sticky_bits
 - low_complexity
 - low_disruption
@@ -40427,6 +40560,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
+ - PCI-DSSv4-3.4.2
 - disable_strategy
 - kernel_module_usb-storage_disabled
 - low_complexity
@@ -40456,6 +40590,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
+ - PCI-DSSv4-3.4.2
 - disable_strategy
 - kernel_module_usb-storage_disabled
 - low_complexity
@@ -43643,6 +43778,60 @@
 - mount_option_var_tmp_nosuid
 - no_reboot_needed
+- name: Ensure kernel module 'uvcvideo' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/uvcvideo.conf
+ regexp: install\s+uvcvideo
+ line: install uvcvideo /bin/true
+ when:
+ - DISA_STIG_RHEL_08_040020 | bool
+ - disable_strategy | bool
+ - kernel_module_uvcvideo_disabled | bool
+ - low_complexity | bool
+ - medium_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86960-2
+ - DISA-STIG-RHEL-08-040020
+ - NIST-800-53-CM-7 (5) (b)
+ - NIST-800-53-CM-7 (a)
+ - disable_strategy
+ - kernel_module_uvcvideo_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Ensure kernel module 'uvcvideo' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/uvcvideo.conf
+ regexp: ^blacklist uvcvideo$
+ line: blacklist uvcvideo
+ when:
+ - DISA_STIG_RHEL_08_040020 | bool
+ - disable_strategy | bool
+ - kernel_module_uvcvideo_disabled | bool
+ - low_complexity | bool
+ - medium_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86960-2
+ - DISA-STIG-RHEL-08-040020
+ - NIST-800-53-CM-7 (5) (b)
+ - NIST-800-53-CM-7 (a)
+ - disable_strategy
+ - kernel_module_uvcvideo_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
 - name: List /etc/sysctl.d/*.conf files
 find:
 paths:
@@ -43666,6 +43855,7 @@
 - CCE-82215-5
 - DISA-STIG-RHEL-08-010671
 - NIST-800-53-SC-7(10)
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
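Review bot: The new tags `NIST-800-53-CM-7 (5) (b)` and `NIST-800-53-CM-7 (a)` contain spaces and differ from the `NIST-800-53-CM-7(b)` / `NIST-800-53-CM-7(a)` form used by every other tag list in this file; tags with spaces need quoting on `--tags`/`--skip-tags` and will never match the existing identifiers when selecting by control. The same spaced form (`NIST-800-53-CM-6 b`, `NIST-800-53-CM-7 (2)`, `NIST-800-53-CM-7 (5) (b)`) appears in the fapolicyd tasks added at `@@ -45156,6 +45337,99 @@`. Separately, `regexp: install\s+uvcvideo` in the first task is unanchored while the second task anchors with `^blacklist uvcvideo$`; `regexp: ^install\s+uvcvideo` would keep the two consistent and avoid rewriting a commented-out line that merely contains that text.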
@@ -43692,6 +43882,7 @@
 - CCE-82215-5
 - DISA-STIG-RHEL-08-010671
 - NIST-800-53-SC-7(10)
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -43719,6 +43910,7 @@
 - CCE-82215-5
 - DISA-STIG-RHEL-08-010671
 - NIST-800-53-SC-7(10)
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -44382,9 +44574,7 @@
 - DISA-STIG-RHEL-08-010675
 - NIST-800-53-CM-6
 - PCI-DSS-Req-3.2
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - coredump_disable_backtraces
 - low_complexity
 - low_disruption
@@ -44439,9 +44629,7 @@
 - DISA-STIG-RHEL-08-010675
 - NIST-800-53-CM-6
 - PCI-DSS-Req-3.2
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - coredump_disable_backtraces
 - low_complexity
 - low_disruption
@@ -44457,9 +44645,7 @@
 - DISA-STIG-RHEL-08-010674
 - NIST-800-53-CM-6
 - PCI-DSS-Req-3.2
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - coredump_disable_storage
 - low_complexity
 - low_disruption
@@ -44514,9 +44700,7 @@
 - DISA-STIG-RHEL-08-010674
 - NIST-800-53-CM-6
 - PCI-DSS-Req-3.2
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - coredump_disable_storage
 - low_complexity
 - low_disruption
@@ -44532,9 +44716,7 @@
 - DISA-STIG-RHEL-08-010673
 - NIST-800-53-CM-6
 - NIST-800-53-SC-7(10)
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - disable_users_coredumps
 - low_complexity
 - low_disruption
@@ -44570,9 +44752,7 @@
 - DISA-STIG-RHEL-08-010673
 - NIST-800-53-CM-6
 - NIST-800-53-SC-7(10)
- - PCI-DSSv4-3.3.1.1
- - PCI-DSSv4-3.3.1.2
- - PCI-DSSv4-3.3.1.3
+ - PCI-DSSv4-3.3.1
 - disable_users_coredumps
 - low_complexity
 - low_disruption
@@ -44699,7 +44879,7 @@
 - NIST-800-53-SC-30
 - NIST-800-53-SC-30(2)
 - PCI-DSS-Req-2.2.1
- - PCI-DSSv4-2.2.3
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -44730,7 +44910,7 @@
 - NIST-800-53-SC-30
 - NIST-800-53-SC-30(2)
 - PCI-DSS-Req-2.2.1
- - PCI-DSSv4-2.2.3
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -44762,7 +44942,7 @@
 - NIST-800-53-SC-30
 - NIST-800-53-SC-30(2)
 - PCI-DSS-Req-2.2.1
- - PCI-DSSv4-2.2.3
+ - PCI-DSSv4-3.3.1
 - disable_strategy
 - low_complexity
 - medium_disruption
@@ -44926,6 +45106,7 @@
 - NIST-800-53-AC-3(3)(a)
 - NIST-800-53-AU-9
 - NIST-800-53-SC-7(21)
+ - PCI-DSSv4-1.2.6
 - low_complexity
 - low_disruption
 - medium_severity
@@ -45156,6 +45337,99 @@
 - no_reboot_needed
 - service_fapolicyd_enabled
+- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software
+ Programs. - Ensure a Final Rule Denying Everything
+ ansible.builtin.copy:
+ content: '# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+
+ deny perm=any all : all
+
+ '
+ dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
+ owner: root
+ group: fapolicyd
+ mode: '0644'
+ register: result_fapolicyd_final_rule
+ when:
+ - DISA_STIG_RHEL_08_040137 | bool
+ - fapolicy_default_deny | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86478-5
+ - DISA-STIG-RHEL-08-040137
+ - NIST-800-53-CM-6 b
+ - NIST-800-53-CM-7 (2)
+ - NIST-800-53-CM-7 (5) (b)
+ - fapolicy_default_deny
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software
+ Programs.
- Ensure fapolicyd is Not Permissive
+ ansible.builtin.lineinfile:
+ path: /etc/fapolicyd/fapolicyd.conf
+ regexp: ^(permissive\s*=).*$
+ line: \1 0
+ backrefs: true
+ register: result_fapolicyd_enforced
+ when:
+ - DISA_STIG_RHEL_08_040137 | bool
+ - fapolicy_default_deny | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86478-5
+ - DISA-STIG-RHEL-08-040137
+ - NIST-800-53-CM-6 b
+ - NIST-800-53-CM-7 (2)
+ - NIST-800-53-CM-7 (5) (b)
+ - fapolicy_default_deny
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software
+ Programs. - Restart fapolicyd If Permissive Mode or Final Rule is Changed
+ ansible.builtin.service:
+ name: fapolicyd
+ state: restarted
+ when:
+ - DISA_STIG_RHEL_08_040137 | bool
+ - fapolicy_default_deny | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed
+ tags:
+ - CCE-86478-5
+ - DISA-STIG-RHEL-08-040137
+ - NIST-800-53-CM-6 b
+ - NIST-800-53-CM-7 (2)
+ - NIST-800-53-CM-7 (5) (b)
+ - fapolicy_default_deny
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
 - name: Ensure vsftpd is removed
 package:
 name: vsftpd
@@ -45170,7 +45444,6 @@
 - NIST-800-53-CM-7.1(ii)
 - NIST-800-53-IA-5(1)(c)
 - NIST-800-53-IA-5(1).1(v)
- - PCI-DSSv4-2.2.4
 - disable_strategy
 - high_severity
 - low_complexity
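Review bot: `regexp: ^(permissive\s*=).*$` with `backrefs: true` only rewrites an existing `permissive =` line; if the key is absent from `/etc/fapolicyd/fapolicyd.conf`, lineinfile with backrefs leaves the file untouched and `result_fapolicyd_enforced` never reports changed, so enforcing mode is then assumed rather than set and the restart task stays quiet — a comment such as `# backrefs: nothing is inserted when the key is missing; relies on the daemon's default permissive setting` would make that explicit, with the default confirmed against the shipped config. The restart condition `result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed` is safe when the two earlier tasks are skipped (a skipped task still registers a result), and since all three tasks carry identical tags a tag-filtered run executes them together. As a point of style, the rule file is written as a multi-line single-quoted scalar in which blank lines stand for newlines, which is hard to read in a diff; a literal block (`content: |`) would show the two-line rule file exactly as it lands on disk. The task names span two lines as folded plain scalars (`... Software` / `Programs. - Ensure ...`), which is legal YAML but easy to misread as a new list item, and this hunk begins on the previous physical line.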
@@ -46024,6 +46297,7 @@
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-IA-5(1)(c)
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - high_severity
 - low_complexity
@@ -46540,6 +46814,7 @@
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - high_severity
 - low_complexity
@@ -47378,7 +47653,7 @@
 - CCE-83360-8
 - DISA-STIG-RHEL-08-040340
 - NIST-800-53-CM-6(b)
- - PCI-DSSv4-2.2.4
+ - PCI-DSSv4-2.2.6
 - low_complexity
 - low_disruption
 - medium_severity
@@ -47536,7 +47811,6 @@
 - NIST-800-53-AC-8(c)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-2.2.4
- - PCI-DSSv4-2.2.6
 - low_complexity
 - low_disruption
 - medium_severity