diff --git a/Gemfile b/Gemfile index 8fb25d6a..a9dd9de0 100644 --- a/Gemfile +++ b/Gemfile @@ -1,4 +1,14 @@ source 'https://rubygems.org' -gem 'inspec' +gem "test-kitchen" +gem 'highline' gem 'inspec-bin' +gem 'inspec_tools' +gem 'kitchen-ansible' +gem 'kitchen-docker' +gem 'kitchen-ec2' +gem 'kitchen-inspec' +gem 'kitchen-sync' +gem 'kitchen-vagrant' +gem 'rake' +gem 'rubocop' \ No newline at end of file diff --git a/hardened.threshold.yml b/hardened.threshold.yml index d7abca9d..043ddab1 100644 --- a/hardened.threshold.yml +++ b/hardened.threshold.yml @@ -1,3 +1,3 @@ --- compliance.min: 75 -error.total.max: 0 \ No newline at end of file +error.total.max: 0 diff --git a/kitchen.inputs.yml b/kitchen.inputs.yml new file mode 100644 index 00000000..41a9c3a7 --- /dev/null +++ b/kitchen.inputs.yml @@ -0,0 +1,3 @@ +--- + +disable_slow_controls: true \ No newline at end of file diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml index 32b3abc1..d0cfbf4d 100644 --- a/kitchen.vagrant.yml +++ b/kitchen.vagrant.yml 
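Review bot: The twelve gems added in the Gemfile hunk carry no version constraints, so unless a `Gemfile.lock` is committed elsewhere, each `bundle install` resolves whatever is newest on rubygems.org. The toolchain that produces the compliance results can then change between runs without any change in this repository. Consider pessimistic constraints of the form `gem 'kitchen-ansible', '~> <known-good version>'` (placeholder, not a value from this page) and tracking the lockfile. The first added line also uses double quotes (`gem "test-kitchen"`) where every other line uses single quotes.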
@@ -1,34 +1,33 @@ - --- driver: name: vagrant - # driver_config: - # ssl_verify_mode: ":verify_none" - # customize: - # cpus: 4 - # memory: 8192 - # accelerate3d: "off" - # accelerate2dvideo: "off" - # audio: "none" - # usbcardreader: "off" - # vrde: "off" - # usb: "off" - # nictype1: "82540EM" - # clipboard: "disabled" + driver_config: + ssl_verify_mode: ":verify_none" + customize: + cpus: 4 + memory: 8192 + accelerate3d: "off" + accelerate2dvideo: "off" + audio: "none" + usbcardreader: "off" + vrde: "off" + usb: "off" + nictype1: "82540EM" + clipboard: "disabled" #nestedpaging: "off -# provisioner: -# name: ansible_playbook -# hosts: all -# # require_ansible_repo: false -# # require_ansible_omnibus: false -# require_chef_for_busser: false -# require_ruby_for_busser: false -# ansible_binary_path: /usr/local/bin -# require_pip3: true -# ansible_verbose: true -# roles_path: spec/ansible/roles -# galaxy_ignore_certs: true +provisioner: + name: ansible_playbook + hosts: all + # require_ansible_repo: false + # require_ansible_omnibus: false + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_binary_path: /usr/local/bin + require_pip3: true + ansible_verbose: true + roles_path: spec/ansible/roles + galaxy_ignore_certs: true platforms: - name: rhel-8 @@ -46,4 +45,4 @@ lifecycle: echo "NOTICE - Updating root passwd" echo 'password' | sudo passwd --stdin root echo "NOTICE - updating vagrant sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers \ No newline at end of file + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers diff --git a/kitchen.yml b/kitchen.yml index d687dbe2..be18bf4b 100644 --- a/kitchen.yml +++ b/kitchen.yml 
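Review bot: Uncommenting `ssl_verify_mode: ":verify_none"` under `driver_config` and `galaxy_ignore_certs: true` under `provisioner` in the first hunk switches off certificate verification, presumably for what the driver downloads and for Ansible Galaxy role fetches. Roles fetched that way are then applied to the test VM with the provisioner's privileges, so content altered in transit would run during provisioning. If an intercepting proxy is the reason, it is safer to trust the proxy CA on the workstation and leave both keys out of the committed file. If they must stay, add a comment on each such as `# TLS verification disabled for <reason>; local use only`.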
@@ -1,48 +1,24 @@ -provisioner: - name: dummy - -platforms: - - name: rhel8-ec2 - driver: - name: ec2 - aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %> - user_data: ./user_data.sh - tags: - POC: <%= ENV['POC_TAG'] %> - security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %> - region: <%= ENV['AWS_REGION'] %> - subnet_id: <%= ENV['SUBNET_ID'] %> - instance_type: t2.large - associate_public_ip: true - transport: - username: ec2-user - ssh_key: ./ssh_key - connection_timeout: 10 - connection_retries: 5 - - name: rhel8-ubi - driver: - name: dokken - pull_platform_image: false - transport: - name: dokken - +--- verifier: name: inspec sudo: true reporter: - cli - - json:reports/raw/%{suite}/%{platform}.json + - json:spec/results/%{platform}_%{suite}.json inspec_tests: - - name: RedHat Enterprise Linux 8 STIG + - name: Red Hat 8 STIG path: . + input_files: + - kitchen.inputs.yml load_plugins: true +platforms: + - name: rhel-8 + suites: - name: vanilla - driver: - image_id: <%= ENV['VANILLA_AMI_ID'] %> - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] %> + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml - name: hardened - driver: - image_id: <%= ENV['HARDENED_AMI_ID'] %> - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] %> + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml diff --git a/spec/.DS_Store b/spec/.DS_Store new file mode 100644 index 00000000..921f8a86 Binary files /dev/null and b/spec/.DS_Store differ diff --git a/spec/ansible/roles/ansible-role-rhel-hardened.yml b/spec/ansible/roles/ansible-role-rhel-hardened.yml new file mode 100644 index 00000000..05bb56c9 --- /dev/null +++ b/spec/ansible/roles/ansible-role-rhel-hardened.yml @@ -0,0 +1,10 @@ +--- +- hosts: + - localhost + roles: + - roles/ansible-role-rhel-vanilla + - roles/rhel8STIG + serial: 50 + become: yes + #vars: + # - deployment_task: configure_apps.yml \ No newline at end of file 
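Review bot: After this hunk `kitchen.yml` declares `platforms: - name: rhel-8` with no `driver`, and the suites set `provisioner.playbook` without a provisioner `name`, so the file no longer describes a runnable configuration by itself. It presumably relies on `kitchen.vagrant.yml` being layered on top, but nothing in the file says so. A header comment would make that explicit, for example `# Driver and provisioner are defined in kitchen.vagrant.yml; load it alongside this file (e.g. via KITCHEN_LOCAL_YAML)`. The reporter now writes to `spec/results/`, so it is worth confirming that directory is ignored by git, since the JSON reports describe the scanned host.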
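Review bot: The hardened play sets `become: yes`, but the vanilla play added next to it (`ansible-role-rhel-vanilla.yml`) does not, although both apply the `ansible-role-rhel-vanilla` role whose tasks upgrade packages with `yum`. Unless kitchen-ansible supplies privilege escalation itself, the vanilla suite would stop at the first package task. Setting `become: true` in both plays keeps the two suites different only by the STIG role, and `true` avoids the YAML 1.1 truthy spelling. The role entries are written as `roles/ansible-role-rhel-vanilla` while `roles_path` in `kitchen.vagrant.yml` is already `spec/ansible/roles`, so confirm that the extra `roles/` prefix resolves.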
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla.yml b/spec/ansible/roles/ansible-role-rhel-vanilla.yml
new file mode 100644
index 00000000..bbd4d90a
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla.yml
@@ -0,0 +1,8 @@
+---
+- hosts:
+ - localhost
+ roles:
+ - roles/ansible-role-rhel-vanilla
+ serial: 50
+ #vars:
+ # - deployment_task: configure_apps.yml
\ No newline at end of file
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/.travis.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/.travis.yml
new file mode 100644
index 00000000..36bbf620
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/README.md b/spec/ansible/roles/ansible-role-rhel-vanilla/README.md
new file mode 100644
index 00000000..225dd44b
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/README.md
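Review bot: The `.travis.yml` added under `spec/ansible/roles/ansible-role-rhel-vanilla/` sits in a subdirectory, where Travis would not read it, so as committed it documents a check that never runs. If it were activated it would install Ansible with an unpinned `pip install ansible` on `python: "2.7"`, an interpreter that no longer receives security fixes. It would also post build notifications to the Galaxy webhook for a role that looks private to this repository. Either remove the scaffold file or move the syntax check into the pipeline the repository actually uses.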
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/defaults/main.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/defaults/main.yml
new file mode 100644
index 00000000..a73b6d31
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for ansible-role-rhel-stig-vanilla
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/handlers/main.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/handlers/main.yml
new file mode 100644
index 00000000..f9eecb6b
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Reboot the box if kernel updated
+ reboot:
+ msg: "Reboot initiated by Ansible for kernel updates"
+ connect_timeout: 5
+ reboot_timeout: 600
+ pre_reboot_delay: 0
+ post_reboot_delay: 30
+ test_command: whoami
+ when: reboot_required_file.stat.exists
\ No newline at end of file
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/meta/main.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/meta/main.yml
new file mode 100644
index 00000000..6cbf229c
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/meta/main.yml
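Review bot: The handler's condition reads `reboot_required_file.stat.exists`, but nothing in this role registers `reboot_required_file` or notifies the handler: `tasks/_packages.yml` has no `register` or `notify`, and `tasks/_config.yml` is added empty. As committed the handler never runs, so after the `yum` upgrade of `'*'` the instance keeps running its old kernel while the InSpec profile scans it. If something did notify the handler, the undefined variable would fail the play. Either add `notify: Reboot the box if kernel updated` to the upgrade task together with a task that registers the variable, or drop the `when` and let the notification alone decide.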
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: Will Dower
+ description: Ansible Role for RHEL 8 Vanilla install
+ company: MITRE
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license Apache-2.0
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_config.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_config.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_packages.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_packages.yml
new file mode 100644
index 00000000..c936fae0
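Review bot: `license: license Apache-2.0` in `meta/main.yml` repeats the key name inside the value, so the declared licence is not the SPDX identifier the comment above it asks for; it should read `license: Apache-2.0`. `min_ansible_version: 2.1` is an unquoted scalar that YAML loads as a float, so quote it as `min_ansible_version: "2.1"` to keep it a version string. The stated minimum also looks too low, since the role uses `include_tasks` and the `reboot` module, both of which arrived in later Ansible releases than 2.1.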
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_packages.yml
@@ -0,0 +1,13 @@
+---
+- name: Upgrade all packages
+ yum:
+ name: '*'
+ state: latest
+- name: Install required packages
+ yum:
+ name:
+ - jq
+ - vim
+ - bc
+ state: latest
+
\ No newline at end of file
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/main.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/main.yml
new file mode 100644
index 00000000..ed59dd5d
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include_tasks: _packages.yml
+- include_tasks: _config.yml
\ No newline at end of file
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/tests/inventory b/spec/ansible/roles/ansible-role-rhel-vanilla/tests/inventory
new file mode 100644
index 00000000..878877b0
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/tests/test.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/tests/test.yml
new file mode 100644
index 00000000..ccd2b8ac
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ansible-role-rhel-stig-vanilla
diff --git a/spec/ansible/roles/ansible-role-rhel-vanilla/vars/main.yml b/spec/ansible/roles/ansible-role-rhel-vanilla/vars/main.yml
new file mode 100644
index 00000000..4ec0c97a
--- /dev/null
+++ b/spec/ansible/roles/ansible-role-rhel-vanilla/vars/main.yml
@@ -0,0 +1,6 @@
+---
+– hosts: all
+sudo: yes
+roles:
+– { role: “ansible-role-rhel-stig-vanilla”}
+
diff --git a/spec/ansible/roles/rhel8STIG/ansible.cfg b/spec/ansible/roles/rhel8STIG/ansible.cfg
new file mode 100644
index 00000000..27ae314f
--- /dev/null
+++ b/spec/ansible/roles/rhel8STIG/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+callback_whitelist = stig_xml
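Review bot: `tests/test.yml` applies a role named `ansible-role-rhel-stig-vanilla`, but the role directory added in this commit is `ansible-role-rhel-vanilla`, so the syntax check described in the role's `.travis.yml` would not find it. The entry should read `- ansible-role-rhel-vanilla`. The same stale name appears in the comment in `defaults/main.yml` and in `vars/main.yml`. `remote_user: root` is also worth replacing with `become: true`, so the test does not require direct root login.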
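Review bot: `vars/main.yml` holds a pasted playbook fragment rather than role variables, and it uses typographic characters (`–` instead of `-`, `“ ”` instead of `"`), so YAML will not read it as the list it appears to be. Ansible loads this file automatically with the role, so it either defines stray variables such as `sudo` and `roles` or fails to parse, depending on the loader. Replace the body with `---` followed by the comment `# vars file for ansible-role-rhel-vanilla`.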
diff --git a/spec/ansible/roles/rhel8STIG/enforce.sh b/spec/ansible/roles/rhel8STIG/enforce.sh
new file mode 100644
index 00000000..d697c92c
--- /dev/null
+++ b/spec/ansible/roles/rhel8STIG/enforce.sh
@@ -0,0 +1 @@
+ansible-playbook -v -b -i /dev/null site.yml
diff --git a/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/callback_plugins/stig_xml.py b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/callback_plugins/stig_xml.py
new file mode 100644
index 00000000..cfff078b
--- /dev/null
+++ b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/callback_plugins/stig_xml.py
@@ -0,0 +1,86 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible.plugins.callback import CallbackBase +from time import gmtime, strftime +import platform +import tempfile +import re +import sys +import os +import xml.etree.ElementTree as ET +import xml.dom.minidom + +class CallbackModule(CallbackBase): + CALLBACK_VERSION = 2.0 + CALLBACK_TYPE = 'xml' + CALLBACK_NAME = 'stig_xml' + + CALLBACK_NEEDS_WHITELIST = True + + def _get_STIG_path(self): + cwd = os.path.abspath('.') + for dirpath, dirs, files in os.walk(cwd): + if os.path.sep + 'files' in dirpath and '.xml' in files[0]: + return os.path.join(cwd, dirpath, files[0]) + + def __init__(self): + super(CallbackModule, self).__init__() + self.rules = {} + self.stig_path = os.environ.get('STIG_PATH') + self.XML_path = os.environ.get('XML_PATH') + if self.stig_path is None: + self.stig_path = self._get_STIG_path() + self._display.display('Using STIG_PATH: {}'.format(self.stig_path)) + if self.XML_path is None: + self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml" + self._display.display('Using XML_PATH: {}'.format(self.XML_path)) + + print("Writing: {}".format(self.XML_path)) + STIG_name = os.path.basename(self.stig_path) + ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2') + self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult') + self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name)) + endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime()) + self.tr.set('end-time', endtime) + tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target') + tg.text = platform.node() + + def _get_rev(self, nid): + with open(self.stig_path, 'r') as f: + r = 'SV-{}r(?P\d+)_rule'.format(nid) + m = re.search(r, f.read()) + if m: + rev = m.group('rev') + else: + rev = '0' + return rev + + def v2_runner_on_ok(self, result): + name = result._task.get_name() + m = re.search('stigrule_(?P\d+)', name) 
+ if m: + nid = m.group('id') + else: + return + rev = self._get_rev(nid) + key = "{}r{}".format(nid, rev) + if self.rules.get(key, 'Unknown') != False: + self.rules[key] = result.is_changed() + + def v2_playbook_on_stats(self, stats): + for rule, changed in self.rules.items(): + state = 'fail' if changed else 'pass' + rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result') + rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule)) + rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result') + rs.text = state + passing = len(self.rules) - sum(self.rules.values()) + sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score') + sc.set('maximum', str(len(self.rules))) + sc.set('system', 'urn:xccdf:scoring:flat-unweighted') + sc.text = str(passing) + with open(self.XML_path, 'wb') as f: + out = ET.tostring(self.tr) + pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8') + f.write(pretty) diff --git a/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/defaults/main.yml b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/defaults/main.yml new file mode 100644 index 00000000..a1ef0136 --- /dev/null +++ b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/defaults/main.yml 
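Review bot: Only `v2_runner_on_ok` records a rule, so a STIG task that fails never enters `self.rules`, and `v2_playbook_on_stats` then leaves it out of both the `rule-result` entries and the `score` maximum. A partially failed hardening run therefore produces a cleaner-looking XCCDF report than it should; recording failures as `fail`, as sketched below, closes that gap. The guard `self.rules.get(key, 'Unknown') != False` also makes a pass sticky and a fail overwritable, so a rule with several tasks reports `fail` only if every one of them changed; `if not self.rules.get(key, False):` would keep the first `fail` instead. The named groups show on this page as `(?P\d+)`, presumably with `<rev>` and `<id>` lost in rendering, which is worth checking against the committed file.

```python
    def v2_runner_on_failed(self, result, ignore_errors=False):
        # A task that errored did not enforce its rule: report it as 'fail'
        # rather than leaving it out of the results and the score maximum.
        m = re.search(r'stigrule_(?P<id>\d+)', result._task.get_name())
        if not m:
            return
        nid = m.group('id')
        self.rules["{}r{}".format(nid, self._get_rev(nid))] = True

    # … unchanged: v2_runner_on_ok, v2_playbook_on_stats …
```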
@@ -0,0 +1,574 @@ +# R-230225 RHEL-08-010040 +rhel8STIG_stigrule_230225_Manage: True +rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue +# R-230226 RHEL-08-010050 +rhel8STIG_stigrule_230226_Manage: True +rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''' +# R-230227 RHEL-08-010060 +rhel8STIG_stigrule_230227_Manage: True +rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue +rhel8STIG_stigrule_230227__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 
+ +' +# R-230228 RHEL-08-010070 +rhel8STIG_stigrule_230228_Manage: True +rhel8STIG_stigrule_230228__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.* /var/log/secure' +# R-230231 RHEL-08-010110 +rhel8STIG_stigrule_230231_Manage: True +rhel8STIG_stigrule_230231__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512' +# R-230236 RHEL-08-010151 +rhel8STIG_stigrule_230236_Manage: True +rhel8STIG_stigrule_230236__usr_lib_systemd_system_rescue_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell rescue' +# R-230239 RHEL-08-010162 +rhel8STIG_stigrule_230239_Manage: True +rhel8STIG_stigrule_230239_krb5_workstation_State: removed +# R-230240 RHEL-08-010170 +rhel8STIG_stigrule_230240_Manage: True +rhel8STIG_stigrule_230240__etc_selinux_config_Line: 'SELINUX=enforcing' +# R-230241 RHEL-08-010171 +rhel8STIG_stigrule_230241_Manage: True +rhel8STIG_stigrule_230241_policycoreutils_State: installed +# R-230244 RHEL-08-010200 +rhel8STIG_stigrule_230244_Manage: True +rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 0 +# R-230252 RHEL-08-010291 +rhel8STIG_stigrule_230252_Manage: True +rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY=' +# R-230255 RHEL-08-010294 +rhel8STIG_stigrule_230255_Manage: True +rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2' +# R-230256 RHEL-08-010295 +rhel8STIG_stigrule_230256_Manage: True +rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_opensslcnf_config_Line: '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' +# R-230265 RHEL-08-010371 +rhel8STIG_stigrule_230265_Manage: True +rhel8STIG_stigrule_230265__etc_dnf_dnf_conf_Value: 'True' +# R-230266 RHEL-08-010372 +rhel8STIG_stigrule_230266_Manage: True +rhel8STIG_stigrule_230266__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.kexec_load_disabled = 1' +# R-230267 RHEL-08-010373 +rhel8STIG_stigrule_230267_Manage: True +rhel8STIG_stigrule_230267__etc_sysctl_d_99_sysctl_conf_Line: 
'fs.protected_symlinks = 1' +# R-230268 RHEL-08-010374 +rhel8STIG_stigrule_230268_Manage: True +rhel8STIG_stigrule_230268__etc_sysctl_d_99_sysctl_conf_Line: 'fs.protected_hardlinks = 1' +# R-230269 RHEL-08-010375 +rhel8STIG_stigrule_230269_Manage: True +rhel8STIG_stigrule_230269__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.dmesg_restrict = 1' +# R-230270 RHEL-08-010376 +rhel8STIG_stigrule_230270_Manage: True +rhel8STIG_stigrule_230270__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.perf_event_paranoid = 2' +# R-230273 RHEL-08-010390 +rhel8STIG_stigrule_230273_Manage: True +rhel8STIG_stigrule_230273_esc_State: installed +rhel8STIG_stigrule_230273_openssl_pkcs11_State: installed +# R-230275 RHEL-08-010410 +rhel8STIG_stigrule_230275_Manage: True +rhel8STIG_stigrule_230275_opensc_State: installed +# R-230280 RHEL-08-010430 +rhel8STIG_stigrule_230280_Manage: True +rhel8STIG_stigrule_230280__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.randomize_va_space = 2' +# R-230281 RHEL-08-010440 +rhel8STIG_stigrule_230281_Manage: True +rhel8STIG_stigrule_230281__etc_dnf_dnf_conf_Value: 'True' +# R-230282 RHEL-08-010450 +rhel8STIG_stigrule_230282_Manage: True +rhel8STIG_stigrule_230282__etc_selinux_config_Line: 'SELINUXTYPE=targeted' +# R-230285 RHEL-08-010471 +rhel8STIG_stigrule_230285_Manage: True +rhel8STIG_stigrule_230285_rngd_enable_Enabled: yes +rhel8STIG_stigrule_230285_rngd_start_State: started +# R-230288 RHEL-08-010500 +rhel8STIG_stigrule_230288_Manage: True +rhel8STIG_stigrule_230288_StrictModes_Line: StrictModes yes +# R-230289 RHEL-08-010510 +rhel8STIG_stigrule_230289_Manage: True +rhel8STIG_stigrule_230289_Compression_Line: Compression no +# R-230290 RHEL-08-010520 +rhel8STIG_stigrule_230290_Manage: True +rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes +# R-230291 RHEL-08-010521 +rhel8STIG_stigrule_230291_Manage: True +rhel8STIG_stigrule_230291_KerberosAuthentication_Line: KerberosAuthentication no +# R-230296 RHEL-08-010550 
+rhel8STIG_stigrule_230296_Manage: True +rhel8STIG_stigrule_230296_PermitRootLogin_Line: PermitRootLogin no +# R-230298 RHEL-08-010561 +rhel8STIG_stigrule_230298_Manage: True +rhel8STIG_stigrule_230298_rsyslog_enable_Enabled: yes +rhel8STIG_stigrule_230298_rsyslog_start_State: started +# R-230310 RHEL-08-010670 +# If kernel core dumps are required, document the need with the ISSO. +rhel8STIG_stigrule_230310_Manage: True +rhel8STIG_stigrule_230310_kdump_disable_Enabled: no +# R-230311 RHEL-08-010671 +rhel8STIG_stigrule_230311_Manage: True +rhel8STIG_stigrule_230311__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.core_pattern=|/bin/false' +rhel8STIG_stigrule_230311_kernel_core_pattern_Value: '|/bin/false' +# R-230313 RHEL-08-010673 +rhel8STIG_stigrule_230313_Manage: True +rhel8STIG_stigrule_230313__etc_security_limits_conf_Line: '* hard core 0' +# R-230314 RHEL-08-010674 +rhel8STIG_stigrule_230314_Manage: True +rhel8STIG_stigrule_230314__etc_systemd_coredump_conf_Line: 'Storage=none' +# R-230315 RHEL-08-010675 +rhel8STIG_stigrule_230315_Manage: True +rhel8STIG_stigrule_230315__etc_systemd_coredump_conf_Line: 'ProcessSizeMax=0' +# R-230324 RHEL-08-010760 +rhel8STIG_stigrule_230324_Manage: True +rhel8STIG_stigrule_230324__etc_login_defs_Line: 'CREATE_HOME yes' +# R-230329 RHEL-08-010820 +rhel8STIG_stigrule_230329_Manage: True +rhel8STIG_stigrule_230329__etc_gdm_custom_conf_Value: 'false' +# R-230330 RHEL-08-010830 +rhel8STIG_stigrule_230330_Manage: True +rhel8STIG_stigrule_230330_PermitUserEnvironment_Line: PermitUserEnvironment no +# R-230346 RHEL-08-020024 +rhel8STIG_stigrule_230346_Manage: True +rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10' +# R-230347 RHEL-08-020030 +rhel8STIG_stigrule_230347_Manage: True +rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true' +# R-230348 RHEL-08-020040 +rhel8STIG_stigrule_230348_Manage: True +rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed 
+rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock' +# R-230349 RHEL-08-020041 +rhel8STIG_stigrule_230349_Manage: True +rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' +# R-230352 RHEL-08-020060 +rhel8STIG_stigrule_230352_Manage: True +rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900' +# R-230353 RHEL-08-020070 +rhel8STIG_stigrule_230353_Manage: True +rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900' +# R-230354 RHEL-08-020080 +rhel8STIG_stigrule_230354_Manage: True +rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_lock_delay_Line: '/org/gnome/desktop/screensaver/lock-delay' +# R-230357 RHEL-08-020110 +rhel8STIG_stigrule_230357_Manage: True +rhel8STIG_stigrule_230357__etc_security_pwquality_conf_Line: 'ucredit = -1' +# R-230358 RHEL-08-020120 +rhel8STIG_stigrule_230358_Manage: True +rhel8STIG_stigrule_230358__etc_security_pwquality_conf_Line: 'lcredit = -1' +# R-230359 RHEL-08-020130 +rhel8STIG_stigrule_230359_Manage: True +rhel8STIG_stigrule_230359__etc_security_pwquality_conf_Line: 'dcredit = -1' +# R-230360 RHEL-08-020140 +rhel8STIG_stigrule_230360_Manage: True +rhel8STIG_stigrule_230360__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4' +# R-230361 RHEL-08-020150 +rhel8STIG_stigrule_230361_Manage: True +rhel8STIG_stigrule_230361__etc_security_pwquality_conf_Line: 'maxrepeat = 3' +# R-230362 RHEL-08-020160 +rhel8STIG_stigrule_230362_Manage: True +rhel8STIG_stigrule_230362__etc_security_pwquality_conf_Line: 'minclass = 4' +# R-230363 RHEL-08-020170 +rhel8STIG_stigrule_230363_Manage: True +rhel8STIG_stigrule_230363__etc_security_pwquality_conf_Line: 'difok = 8' +# R-230365 RHEL-08-020190 +rhel8STIG_stigrule_230365_Manage: True +rhel8STIG_stigrule_230365__etc_login_defs_Line: 'PASS_MIN_DAYS 1' +# R-230366 RHEL-08-020200 +rhel8STIG_stigrule_230366_Manage: True +rhel8STIG_stigrule_230366__etc_login_defs_Line: 'PASS_MAX_DAYS 60' 
+# R-230369 RHEL-08-020230 +rhel8STIG_stigrule_230369_Manage: True +rhel8STIG_stigrule_230369__etc_security_pwquality_conf_Line: 'minlen = 15' +# R-230370 RHEL-08-020231 +rhel8STIG_stigrule_230370_Manage: True +rhel8STIG_stigrule_230370__etc_login_defs_Line: 'PASS_MIN_LEN 15' +# R-230375 RHEL-08-020280 +rhel8STIG_stigrule_230375_Manage: True +rhel8STIG_stigrule_230375__etc_security_pwquality_conf_Line: 'ocredit = -1' +# R-230377 RHEL-08-020300 +rhel8STIG_stigrule_230377_Manage: True +rhel8STIG_stigrule_230377__etc_security_pwquality_conf_Line: 'dictcheck = 1' +# R-230378 RHEL-08-020310 +rhel8STIG_stigrule_230378_Manage: True +rhel8STIG_stigrule_230378__etc_login_defs_Line: 'FAIL_DELAY 4' +# R-230382 RHEL-08-020350 +rhel8STIG_stigrule_230382_Manage: True +rhel8STIG_stigrule_230382_PrintLastLog_Line: PrintLastLog yes +# R-230383 RHEL-08-020351 +rhel8STIG_stigrule_230383_Manage: True +rhel8STIG_stigrule_230383__etc_login_defs_Line: 'UMASK 077' +# R-230386 RHEL-08-030000 +rhel8STIG_stigrule_230386_Manage: True +rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' +rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' +rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' +rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' +# R-230387 RHEL-08-030010 +rhel8STIG_stigrule_230387_Manage: True +rhel8STIG_stigrule_230387__etc_rsyslog_conf_Line: 'cron.* /var/log/cron' +# R-230388 RHEL-08-030020 +rhel8STIG_stigrule_230388_Manage: True +rhel8STIG_stigrule_230388__etc_audit_auditd_conf_Line: 'action_mail_acct = root' +# R-230389 RHEL-08-030030 +rhel8STIG_stigrule_230389_Manage: True 
+rhel8STIG_stigrule_230389__etc_aliases_Line: 'postmaster: root' +# R-230390 RHEL-08-030040 +rhel8STIG_stigrule_230390_Manage: True +rhel8STIG_stigrule_230390__etc_audit_auditd_conf_Line: 'disk_error_action = HALT' +# R-230392 RHEL-08-030060 +rhel8STIG_stigrule_230392_Manage: True +rhel8STIG_stigrule_230392__etc_audit_auditd_conf_Line: 'disk_full_action = HALT' +# R-230393 RHEL-08-030061 +rhel8STIG_stigrule_230393_Manage: True +rhel8STIG_stigrule_230393__etc_audit_auditd_conf_Line: 'local_events = yes' +# R-230394 RHEL-08-030062 +rhel8STIG_stigrule_230394_Manage: True +rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname' +# R-230395 RHEL-08-030063 +rhel8STIG_stigrule_230395_Manage: True +rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED' +# R-230396 RHEL-08-030070 +rhel8STIG_stigrule_230396_Manage: True +rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root' +# R-230398 RHEL-08-030090 +# A duplicate of 230396 +# duplicate of 230396 +# R-230402 RHEL-08-030121 +rhel8STIG_stigrule_230402_Manage: True +rhel8STIG_stigrule_230402__etc_audit_rules_d_audit_rules_e2_Line: '-e 2' +# R-230403 RHEL-08-030122 +rhel8STIG_stigrule_230403_Manage: True +rhel8STIG_stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable_Line: '--loginuid-immutable' +# R-230404 RHEL-08-030130 +rhel8STIG_stigrule_230404_Manage: True +rhel8STIG_stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow_Line: '-w /etc/shadow -p wa -k identity' +# R-230405 RHEL-08-030140 +rhel8STIG_stigrule_230405_Manage: True +rhel8STIG_stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd_Line: '-w /etc/security/opasswd -p wa -k identity' +# R-230406 RHEL-08-030150 +rhel8STIG_stigrule_230406_Manage: True +rhel8STIG_stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd_Line: '-w /etc/passwd -p wa -k identity' +# R-230407 RHEL-08-030160 +rhel8STIG_stigrule_230407_Manage: True 
+rhel8STIG_stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow_Line: '-w /etc/gshadow -p wa -k identity' +# R-230408 RHEL-08-030170 +rhel8STIG_stigrule_230408_Manage: True +rhel8STIG_stigrule_230408__etc_audit_rules_d_audit_rules__etc_group_Line: '-w /etc/group -p wa -k identity' +# R-230409 RHEL-08-030171 +rhel8STIG_stigrule_230409_Manage: True +rhel8STIG_stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers_Line: '-w /etc/sudoers -p wa -k identity' +# R-230410 RHEL-08-030172 +rhel8STIG_stigrule_230410_Manage: True +rhel8STIG_stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d__Line: '-w /etc/sudoers.d/ -p wa -k identity' +# R-230411 RHEL-08-030180 +rhel8STIG_stigrule_230411_Manage: True +rhel8STIG_stigrule_230411_audit_State: installed +# R-230412 RHEL-08-030190 +rhel8STIG_stigrule_230412_Manage: True +rhel8STIG_stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su_Line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change' +# R-230413 RHEL-08-030200 +rhel8STIG_stigrule_230413_Manage: True +rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod' +rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod' +rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod' +rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod' +# R-230418 RHEL-08-030250 
+rhel8STIG_stigrule_230418_Manage: True
+rhel8STIG_stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage_Line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage'
+# R-230419 RHEL-08-030260
+rhel8STIG_stigrule_230419_Manage: True
+rhel8STIG_stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon_Line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230421 RHEL-08-030280
+rhel8STIG_stigrule_230421_Manage: True
+rhel8STIG_stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent_Line: '-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-230422 RHEL-08-030290
+rhel8STIG_stigrule_230422_Manage: True
+rhel8STIG_stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd_Line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd'
+# R-230423 RHEL-08-030300
+rhel8STIG_stigrule_230423_Manage: True
+rhel8STIG_stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230424 RHEL-08-030301
+rhel8STIG_stigrule_230424_Manage: True
+rhel8STIG_stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount_Line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230425 RHEL-08-030302
+rhel8STIG_stigrule_230425_Manage: True
+rhel8STIG_stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32_Line: '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount'
+rhel8STIG_stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64_Line: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230426 RHEL-08-030310
+rhel8STIG_stigrule_230426_Manage: True
+rhel8STIG_stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update_Line: '-a
always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230427 RHEL-08-030311
+rhel8STIG_stigrule_230427_Manage: True
+rhel8STIG_stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop_Line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230428 RHEL-08-030312
+rhel8STIG_stigrule_230428_Manage: True
+rhel8STIG_stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue_Line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230429 RHEL-08-030313
+rhel8STIG_stigrule_230429_Manage: True
+rhel8STIG_stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage_Line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230430 RHEL-08-030314
+rhel8STIG_stigrule_230430_Manage: True
+rhel8STIG_stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles_Line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230431 RHEL-08-030315
+rhel8STIG_stigrule_230431_Manage: True
+rhel8STIG_stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper_Line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230432 RHEL-08-030316
+rhel8STIG_stigrule_230432_Manage: True
+rhel8STIG_stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool_Line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230433 RHEL-08-030317
+rhel8STIG_stigrule_230433_Manage: True
+rhel8STIG_stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230434 RHEL-08-030320
+rhel8STIG_stigrule_230434_Manage:
True
+rhel8STIG_stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-230435 RHEL-08-030330
+rhel8STIG_stigrule_230435_Manage: True
+rhel8STIG_stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl_Line: '-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230436 RHEL-08-030340
+rhel8STIG_stigrule_230436_Manage: True
+rhel8STIG_stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check'
+# R-230437 RHEL-08-030350
+rhel8STIG_stigrule_230437_Manage: True
+rhel8STIG_stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp_Line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230438 RHEL-08-030360
+rhel8STIG_stigrule_230438_Manage: True
+rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-230439 RHEL-08-030361
+rhel8STIG_stigrule_230439_Manage: True
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
+# R-230444 RHEL-08-030370
+rhel8STIG_stigrule_230444_Manage: True
+rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F
auid>=1000 -F auid!=unset -k privileged-gpasswd'
+# R-230446 RHEL-08-030390
+rhel8STIG_stigrule_230446_Manage: True
+rhel8STIG_stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32_Line: '-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64_Line: '-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-230447 RHEL-08-030400
+rhel8STIG_stigrule_230447_Manage: True
+rhel8STIG_stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab_Line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab'
+# R-230448 RHEL-08-030410
+rhel8STIG_stigrule_230448_Manage: True
+rhel8STIG_stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh_Line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230449 RHEL-08-030420
+rhel8STIG_stigrule_230449_Manage: True
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+# R-230455 RHEL-08-030480
+rhel8STIG_stigrule_230455_Manage: True
+rhel8STIG_stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230456 RHEL-08-030490
+rhel8STIG_stigrule_230456_Manage: True
+rhel8STIG_stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230462 RHEL-08-030550
+rhel8STIG_stigrule_230462_Manage: True
+rhel8STIG_stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo_Line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230463 RHEL-08-030560
+rhel8STIG_stigrule_230463_Manage: True
+rhel8STIG_stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod_Line: '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod'
+# R-230464 RHEL-08-030570
+rhel8STIG_stigrule_230464_Manage: True
+rhel8STIG_stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl_Line: '-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230465 RHEL-08-030580
+rhel8STIG_stigrule_230465_Manage: True
+rhel8STIG_stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
+# R-230466 RHEL-08-030590
+rhel8STIG_stigrule_230466_Manage: True
+rhel8STIG_stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock_Line: '-w /var/log/faillock -p wa -k logins'
+# R-230467 RHEL-08-030600
+rhel8STIG_stigrule_230467_Manage: True
+rhel8STIG_stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog_Line: '-w /var/log/lastlog -p wa -k logins'
+# R-230477 RHEL-08-030670
+rhel8STIG_stigrule_230477_Manage: True
+rhel8STIG_stigrule_230477_rsyslog_State: installed
+# R-230478 RHEL-08-030680
+rhel8STIG_stigrule_230478_Manage: True
+rhel8STIG_stigrule_230478_rsyslog_gnutls_State: installed
+# R-230480 RHEL-08-030700
+rhel8STIG_stigrule_230480_Manage: True
+rhel8STIG_stigrule_230480__etc_audit_auditd_conf_Line: 'overflow_action = syslog'
+# R-230481 RHEL-08-030710
+rhel8STIG_stigrule_230481_Manage: True
+rhel8STIG_stigrule_230481__etc_rsyslog_conf_DefaultNetstreamDriver_Line: '$DefaultNetstreamDriver gtls'
+rhel8STIG_stigrule_230481__etc_rsyslog_conf_ActionSendStreamDriverMode_Line: '$ActionSendStreamDriverMode 1'
+# R-230482 RHEL-08-030720
+rhel8STIG_stigrule_230482_Manage: True
+rhel8STIG_stigrule_230482__etc_rsyslog_conf_DefaultNetstreamDriver_Line: '$ActionSendStreamDriverAuthMode x509/name'
+# R-230483 RHEL-08-030730
+rhel8STIG_stigrule_230483_Manage: True
+rhel8STIG_stigrule_230483__etc_audit_auditd_conf_space_left_Line: 'space_left = 25%'
+# R-230487 RHEL-08-040000
+rhel8STIG_stigrule_230487_Manage: True
+rhel8STIG_stigrule_230487_telnet_server_State: removed
+# R-230488 RHEL-08-040001
+rhel8STIG_stigrule_230488_Manage: True
+rhel8STIG_stigrule_230488_abrt__State: removed
+# R-230489 RHEL-08-040002
+rhel8STIG_stigrule_230489_Manage: True
+rhel8STIG_stigrule_230489_sendmail_State: removed
+# R-230492 RHEL-08-040010
+rhel8STIG_stigrule_230492_Manage: True
+rhel8STIG_stigrule_230492_rsh_server_State: removed
+# R-230502 RHEL-08-040070
+rhel8STIG_stigrule_230502_Manage: True
+rhel8STIG_stigrule_230502_autofs_stop_State: stopped
+rhel8STIG_stigrule_230502_autofs_disable_Enabled: no
+# R-230505 RHEL-08-040100
+rhel8STIG_stigrule_230505_Manage: True
+rhel8STIG_stigrule_230505_firewalld_noarch_State: installed
+# R-230506 RHEL-08-040110
+rhel8STIG_stigrule_230506_Manage: True
+rhel8STIG_stigrule_230506_nmcli_radio_wifi_off_Command: nmcli radio wifi off
+# R-230526 RHEL-08-040160
+rhel8STIG_stigrule_230526_Manage: True
+rhel8STIG_stigrule_230526_ensure_openssh_server_x86_64_is_installed_State: installed
+rhel8STIG_stigrule_230526_sshd_enable_Enabled: yes
+# R-230527 RHEL-08-040161
+rhel8STIG_stigrule_230527_Manage: True
+rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
+# R-230529 RHEL-08-040170
+rhel8STIG_stigrule_230529_Manage: True
+rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
+# R-230531 RHEL-08-040172
+rhel8STIG_stigrule_230531_Manage: True
+rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
+# R-230533 RHEL-08-040190
+rhel8STIG_stigrule_230533_Manage: True
+rhel8STIG_stigrule_230533_tftp_server_State: removed
+# R-230535 RHEL-08-040210
+rhel8STIG_stigrule_230535_Manage: True
+rhel8STIG_stigrule_230535_net_ipv6_conf_default_accept_redirects_Value: 0
+# R-230536 RHEL-08-040220
+rhel8STIG_stigrule_230536_Manage: True
+rhel8STIG_stigrule_230536_net_ipv4_conf_all_send_redirects_Value: 0
+# R-230537 RHEL-08-040230
+rhel8STIG_stigrule_230537_Manage: True
+rhel8STIG_stigrule_230537_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
+# R-230538 RHEL-08-040240
+rhel8STIG_stigrule_230538_Manage: True
+rhel8STIG_stigrule_230538_net_ipv6_conf_all_accept_source_route_Value: 0
+# R-230539 RHEL-08-040250
+rhel8STIG_stigrule_230539_Manage: True
+rhel8STIG_stigrule_230539_net_ipv6_conf_default_accept_source_route_Value: 0
+# R-230540 RHEL-08-040260
+rhel8STIG_stigrule_230540_Manage: True
+rhel8STIG_stigrule_230540_net_ipv4_ip_forward_Value: 0
+rhel8STIG_stigrule_230540_net_ipv6_conf_all_forwarding_Value: 0
+# R-230541 RHEL-08-040261
+rhel8STIG_stigrule_230541_Manage: True
+rhel8STIG_stigrule_230541_net_ipv6_conf_all_accept_ra_Value: 0
+# R-230542 RHEL-08-040262
+rhel8STIG_stigrule_230542_Manage: True
+rhel8STIG_stigrule_230542_net_ipv6_conf_default_accept_ra_Value: 0
+#
R-230543 RHEL-08-040270
+rhel8STIG_stigrule_230543_Manage: True
+rhel8STIG_stigrule_230543_net_ipv4_conf_default_send_redirects_Value: 0
+# R-230544 RHEL-08-040280
+rhel8STIG_stigrule_230544_Manage: True
+rhel8STIG_stigrule_230544_net_ipv6_conf_all_accept_redirects_Value: 0
+# R-230545 RHEL-08-040281
+rhel8STIG_stigrule_230545_Manage: True
+rhel8STIG_stigrule_230545__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.unprivileged_bpf_disabled = 1'
+# R-230546 RHEL-08-040282
+rhel8STIG_stigrule_230546_Manage: True
+rhel8STIG_stigrule_230546__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.yama.ptrace_scope = 1'
+rhel8STIG_stigrule_230546_kernel_yama_ptrace_scope_Value: 1
+# R-230547 RHEL-08-040283
+rhel8STIG_stigrule_230547_Manage: True
+rhel8STIG_stigrule_230547__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.kptr_restrict = 1'
+# R-230548 RHEL-08-040284
+rhel8STIG_stigrule_230548_Manage: True
+rhel8STIG_stigrule_230548__etc_sysctl_d_99_sysctl_conf_Line: 'user.max_user_namespaces = 0'
+rhel8STIG_stigrule_230548_user_max_user_namespaces_Value: 0
+# R-230549 RHEL-08-040285
+rhel8STIG_stigrule_230549_Manage: True
+rhel8STIG_stigrule_230549__etc_sysctl_d_99_sysctl_conf_Line: 'net.ipv4.conf.all.rp_filter = 1'
+# R-230555 RHEL-08-040340
+rhel8STIG_stigrule_230555_Manage: True
+rhel8STIG_stigrule_230555_X11Forwarding_Line: X11Forwarding no
+# R-230556 RHEL-08-040341
+rhel8STIG_stigrule_230556_Manage: True
+rhel8STIG_stigrule_230556_X11UseLocalhost_Line: X11UseLocalhost yes
+# R-230558 RHEL-08-040360
+rhel8STIG_stigrule_230558_Manage: True
+rhel8STIG_stigrule_230558_vsftpd_State: removed
+# R-230559 RHEL-08-040370
+# A duplicate of 230490
+# duplicate of 230490
+# R-230560 RHEL-08-040380
+rhel8STIG_stigrule_230560_Manage: True
+rhel8STIG_stigrule_230560_iprutils_State: removed
+# R-230561 RHEL-08-040390
+rhel8STIG_stigrule_230561_Manage: True
+rhel8STIG_stigrule_230561_tuned_State: removed
+# R-244519 RHEL-08-010049
+rhel8STIG_stigrule_244519_Manage: True
+rhel8STIG_stigrule_244519__etc_dconf_db_local_d_01_banner_message_Value: 'true'
+# R-244523 RHEL-08-010152
+rhel8STIG_stigrule_244523_Manage: True
+rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell emergency'
+# R-244525 RHEL-08-010201
+rhel8STIG_stigrule_244525_Manage: True
+rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
+# R-244527 RHEL-08-010472
+rhel8STIG_stigrule_244527_Manage: True
+rhel8STIG_stigrule_244527_rng_tools_State: installed
+# R-244528 RHEL-08-010522
+rhel8STIG_stigrule_244528_Manage: True
+rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line: GSSAPIAuthentication no
+# R-244535 RHEL-08-020031
+rhel8STIG_stigrule_244535_Manage: True
+rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
+# R-244536 RHEL-08-020032
+rhel8STIG_stigrule_244536_Manage: True
+rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
+# R-244537 RHEL-08-020039
+rhel8STIG_stigrule_244537_Manage: True
+rhel8STIG_stigrule_244537_tmux_State: installed
+# R-244538 RHEL-08-020081
+rhel8STIG_stigrule_244538_Manage: True
+rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
+# R-244539 RHEL-08-020082
+rhel8STIG_stigrule_244539_Manage: True
+rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line: '/org/gnome/desktop/screensaver/lock-enabled'
+# R-244542 RHEL-08-030181
+rhel8STIG_stigrule_244542_Manage: True
+rhel8STIG_stigrule_244542_auditd_enable_Enabled: yes
+rhel8STIG_stigrule_244542_auditd_start_State: started
+# R-244543 RHEL-08-030731
+rhel8STIG_stigrule_244543_Manage: True
+rhel8STIG_stigrule_244543__etc_audit_auditd_conf_space_left_action_Line: 'space_left_action = email'
+# R-244544 RHEL-08-040101
+rhel8STIG_stigrule_244544_Manage: True
+rhel8STIG_stigrule_244544_firewalld_enable_Enabled: yes
+# R-244549 RHEL-08-040159
+rhel8STIG_stigrule_244549_Manage: True
+rhel8STIG_stigrule_244549_openssh_server_x86_64_State: installed
+# R-244550 RHEL-08-040209
+rhel8STIG_stigrule_244550_Manage: True
+rhel8STIG_stigrule_244550_net_ipv4_conf_default_accept_redirects_Value: 0
+# R-244551 RHEL-08-040239
+rhel8STIG_stigrule_244551_Manage: True
+rhel8STIG_stigrule_244551_net_ipv4_conf_all_accept_source_route_Value: 0
+# R-244552 RHEL-08-040249
+rhel8STIG_stigrule_244552_Manage: True
+rhel8STIG_stigrule_244552_net_ipv4_conf_default_accept_source_route_Value: 0
+# R-244553 RHEL-08-040279
+rhel8STIG_stigrule_244553_Manage: True
+rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
+# R-244554 RHEL-08-040286
+rhel8STIG_stigrule_244554_Manage: True
+rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
diff --git a/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/files/U_Red_Hat_Enterprise_Linux_8_STIG_V1R6_Manual-xccdf.xml b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/files/U_Red_Hat_Enterprise_Linux_8_STIG_V1R6_Manual-xccdf.xml
new file mode 100644
index 00000000..849ab06f
--- /dev/null
+++ b/spec/ansible/roles/rhel8STIG/roles/rhel8STIG/files/U_Red_Hat_Enterprise_Linux_8_STIG_V1R6_Manual-xccdf.xml
@@ -0,0 +1,7220 @@ +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>