Release to main final v3r11 (#456)

* Specify missing state parameter for package Signed-off-by: Anže Luzar <anze.luzar@xlab.si> * Correct with_items indentation for package Signed-off-by: Anže Luzar <anze.luzar@xlab.si> * Replace inline strings with module parameters Signed-off-by: Anže Luzar <anze.luzar@xlab.si> * updated link Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed old Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added new defined secrets file Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added pragma allow list Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated due to galaxy changes Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * moved file Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated path Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke <layluke@protonmail.com> * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed file Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * lint update Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed logic on 20620 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated logic for uuid Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed extra line Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed doc dir Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](ansible/ansible-lint@v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) * Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#451) updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](ansible/ansible-lint@v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * [pre-commit.ci] pre-commit autoupdate (#454) updates: - [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * Feb 24 updates (#455) * issue #452 addressed * issue #453 addressed * updated for galaxy_ng reqs --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Anže Luzar <anze.luzar@xlab.si> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: layluke <layluke@protonmail.com> Signed-off-by: uk-bolly <mark.bollyuk@gmail.com> Co-authored-by: Anže Luzar <anze.luzar@xlab.si> Co-authored-by: layluke <layluke@protonmail.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
ansible-lockdown · Mar 6, 2024 · aa3a58a · aa3a58a
1 parent dd187dd
commit aa3a58a
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 45 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
     args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.1
+  rev: v8.18.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.2
+  rev: v24.2.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -61,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.33.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
diff --git a/README.md b/README.md
@@ -220,3 +220,7 @@ pre-commit run
 ## Credits
 
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
+
+Massive thanks to the fantastic community and all its members.
+This includes a huge thanks and credit to the original authors and maintainers.
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,6 +1,6 @@
 ---
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
+    author: "MindPoint Group"
     description: "Apply the DISA RHEL 7 STIG"
     company: "MindPoint Group"
     license: MIT
@@ -10,7 +10,7 @@ galaxy_info:
     platforms:
         - name: EL
           versions:
-              - 7
+              - '7'
     galaxy_tags:
         - system
         - security

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -8,41 +8,41 @@
 {% endif %}
 
 {% if rhel_07_030370 %}
--a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030410 %}
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030440 %}
--a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod
 {% endif %}
 
 {% if rhel_07_030510 %}
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access
 {% endif %}
 
 {% if rhel_07_030560 %}
--a always,exit -F path=/usr/sbin/semanage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030570 %}
--a always,exit -F path=/usr/sbin/setsebool -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030580 %}
--a always,exit -F path=/usr/bin/chcon -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030590 %}
--a always,exit -F path=/usr/sbin/setfiles -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030610 %}
@@ -54,31 +54,31 @@
 {% endif %}
 
 {% if rhel_07_030630 %}
--a always,exit -F path=/usr/bin/passwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030640 %}
--a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030650 %}
--a always,exit -F path=/usr/bin/gpasswd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030660 %}
--a always,exit -F path=/usr/bin/chage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030670 %}
--a always,exit -F path=/usr/sbin/userhelper -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd
 {% endif %}
 
 {% if rhel_07_030680 %}
--a always,exit -F path=/usr/bin/su -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030690 %}
--a always,exit -F path=/usr/bin/sudo -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030700 %}
@@ -87,56 +87,56 @@
 {% endif %}
 
 {% if rhel_07_030710 %}
--a always,exit -F path=/usr/bin/newgrp -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030720 %}
--a always,exit -F path=/usr/bin/chsh -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change
 {% endif %}
 
 {% if rhel_07_030740 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
--a always,exit -F path=/usr/bin/mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b32 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
 {% endif %}
 
 {% if rhel_07_030750 %}
--a always,exit -F path=/usr/bin/umount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount
 {% endif %}
 
 {% if rhel_07_030760 %}
--a always,exit -F path=/usr/sbin/postdrop -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix
 {% endif %}
 
 {% if rhel_07_030770 %}
--a always,exit -F path=/usr/sbin/postqueue -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix
 {% endif %}
 
 {% if rhel_07_030780 %}
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-ssh
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-ssh
 {% endif %}
 
 {% if rhel_07_030800 %}
--a always,exit -F path=/usr/bin/crontab -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-cron
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-cron
 {% endif %}
 
 {% if rhel_07_030810 %}
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-pam
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-pam
 {% endif %}
 
 {% if rhel_07_030819 %}
--a always,exit -F arch=b32 -S create_module -k module-change
--a always,exit -F arch=b64 -S create_module -k module-change
+-a always,exit -F arch=b32 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
+-a always,exit -F arch=b64 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
 {% endif %}
 
 {% if rhel_07_030820 %}
--a always,exit -F arch=b32 -S init_module,finit_module -k modulechange
--a always,exit -F arch=b64 -S init_module,finit_module -k modulechange
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange
 {% endif %}
 
 {% if rhel_07_030830 %}
--a always,exit -F arch=b32 -S delete_module -k module-change
--a always,exit -F arch=b64 -S delete_module -k module-change
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
+-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change
 {% endif %}
 
 {% if rhel_07_030840 %}
@@ -164,6 +164,6 @@
 {% endif %}
 
 {% if rhel_07_030910 %}
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete
 {% endif %}