We have been trying to use a service account instead of root. We have been able to successfully create a password in the vault and use the ansible password to perform SUDO and run the playbook. It all works until it we make a change to the /etc/pam.d/system-auth or /etc/pam.d/password-auth files. When we make a change such as enabling pamd_faillock.so the playbooks stops running as it can no longer authenticate on the remote servers. In such situation, we are forced to use root to run the playbook.

Please note that the service account is an LDAP account NOT a local account at this time.

While running this STIG, I keep getting an error. See below

TASK [MindPointGroup.RHEL7-STIG : MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.] *************** fatal: [lab-redjack-01.rogue]: FAILED! => {"failed": true, "msg": "The conditional check ''yes' in rhel_07_040180_audit.stdout' failed. The error was: error while evaluating conditional ('yes' in rhel_07_040180_audit.stdout): Unable to look up a name or access an attribute in template string ({% if 'yes' in rhel_07_040180_audit.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/cyclops-ansible/roles/MindPointGroup.RHEL7-STIG/tasks/fix-cat2.yml': line 1805, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.\"\n ^ here\n"}

It seems to be having an issue with command: - "'yes' in rhel_07_040180_audit.stdout" within:

- name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
  command: "true"
  changed_when: no
  when:
      - "'yes' in rhel_07_040180_audit.stdout"
      - rhel_07_040180
  tags:
      - cat2
      - medium
      - patch
      - RHEL-07-040180
      - notimplemented

I'm running this on a CentOS 7 server with Ansible 2.4.0.0.

When running this role via the molecule tests, this task fails on the centos/systemd docker image.

Need to validate if this is just an issue with the CentOS image or across other images as well.

      - block:
            - name: "MEDIUM | RHEL-07-020260 | PATCH | Vendor packaged system security patches and updates must be installed and up to date. | Install yum-cron"
              yum:
                  name: yum-cron
                  state: "{{ (rhel7stig_auto_package_updates.enabled) | ternary('present','absent')}}"
                  enablerepo: "{{ (ansible_distribution == 'RedHat') | ternary('rhel-7-' +
                          (rhel_07_020260_rhel_type.rc == 0) | ternary('workstation', 'server') +
                          '-optional-rpms','') }}"
        rescue:
              # Might be an AWS RHEL instance, try it...
            - name: "MEDIUM | RHEL-07-020260 | PATCH | Vendor packaged system security patches and updates must be installed and up to date. | Install yum-cron"
              yum:
                  name: yum-cron
                  state: "{{ (rhel7stig_auto_package_updates.enabled) | ternary('present','absent')}}"
                  enablerepo: rhui-REGION-rhel-server-optional

First failure

    TASK [RHEL7-STIG : MEDIUM | RHEL-07-020260 | PATCH | Vendor packaged system security patches and updates must be installed and up to date. | Install yum-cron] ***
    fatal: [centOS]: FAILED! => {"changed": false, "msg": "Error setting/accessing repos: Error getting repository data for , repository not found"}

It also has a rescue statement that is attempted that fails as well.

    TASK [RHEL7-STIG : MEDIUM | RHEL-07-020260 | PATCH | Vendor packaged system security patches and updates must be installed and up to date. | Install yum-cron] ***
    fatal: [centOS]: FAILED! => {"changed": false, "msg": "Error setting/accessing repos: Error getting repository data for rhui-REGION-rhel-server-optional, repository not found"}

PR incoming.

After I pulled in the role, with "ansible-galaxy install MindPointGroup.RHEL7-STIG", the permissions on the role directory exclude non-root users.

I worked around this with a pair of find commands, but could you fix this, in the repo?

RHEL7-STIG-devel/tasks/fix-cat1.yml line 38:

notify: restart sshd

should be:

notify: restart ssh

Starting point for how tasks should be organized before a 1.0 release.

Things I'm assuming:

• prelim.yml contains audit checks relevant to multiple tasks
• audit-cat[123].yml files get deprecated, content mostly moved to fix-cat[123].yml
• fix-cat[123].yml files contain blocks with audit and patch tasks, so that the same tags and when conditions can be applied to both tasks
• registers for audit tasks named rhel_07_NNNNNN_audit
• result registers for lineinfile and related file modification tasks use result | failed and result.rc != 257 when files are missing (rsyslog, for example).

A Wiki page could be good for this, too, but no idea about how that gets set up.

After running the STIG playbook on RHEL7, it creates an issue with pam.d/system-auth file.

It appears it adds a duplicate or extraneous information in two places. As a result, it creates a problem with logging in, especially for my SSSD AD Integration. After i remove it, it removes the problem.

"ignore=ignore default=die] ignore=ignore default=die]"
"success=ok user_unknown=ignore] success=ok user_unknown=ignore]"

Any suggestions?

Below is the full export of system-auth

#%PAM-1.0

This file is auto-generated.

User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] ignore=ignore default=die] ignore=ignore default=die] pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] success=ok user_unknown=ignore] success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so

-session optional pam_systemd.so

session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

I was working on updating RHEL-07-010270 to the v2 STIG standard and noticed several issues with the pamd module that spread across several of our other rules.

The pamd module is not idempotent in most invocations. It seems to both make changes it doesn't need to make AND not make changes that it needs to make.

Unless I'm going crazy this is what I found...if you use state: before or state: after to insert a rule that doesn't exist it will happily report ok even if the arguments for the rule need to be updated. So on first pass if the rule does not exist it will insert it and use the correct arguments. However if the rule exists and new arguments need to be inserted or existing arguments need to have values changed it will just move past it and report all is good.

I tried splitting the pamd actions out into two separate actions. One action that does the rule insert and a second action that should ensure the rule arguments are properly set using state: updated. However...that results in the pamd module ALWAYS reporting a change with state: updated.

I'm trying to see if the state: updated problem is a known issue with the module. I know its a fairly complicated module so I'm not sure what the status of it is.

While running CAT1 patches, certain ssh tasks keep failing. Specifically, RHEL-07-010300 & RHEL-07-040390, however RHEL-07-040710 does complete.

These are the results of running each STIG:

RHEL-07-010300

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-010300 | PATCH | The SSH daemon must not allow authentication using an empty password.] 
fatal: [lab-system]: FAILED! => {"changed": false, "cmd": "sshd -tf /tmp/tmppYXE_o", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

RHEL-07-040390

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-040390 | PATCH | The SSH daemon must be configured to only use the SSHv2 protocol.] 
fatal: [lab-system]: FAILED! => {"changed": false, "cmd": "sshd -t -f /tmp/tmpR2L_QS", "failed": true, "msg": "[Errno 2] No such file or directory", "rc": 2}

RHEL-07-040710

TASK [MindPointGroup.RHEL7-STIG : HIGH | RHEL-07-040710 | PATCH | Remote X connections for interactive users must be encrypted.] 
ok: [lab-system]

The validate line appears to be the issue. Has this been reproduced by anyone? I've attempted this on multiple machines with the same result.

TASK [R7S : MEDIUM | RHEL-07-020630 | PATCH | All local interactive user home directories must have mode 0750 or less permissive.] **
--- before
+++ after
@@ -1,4 +1,4 @@
 {
-    "mode": "0700",
+    "mode": "0750",
     "path": "/home/admin"
 }

we should only downgrade the permissions, not upgrade.

We should come up with a convention for items that are not remediated automatically, or items that require manual review. Preferably, this could be configured both on-the-fly with tags, and statically with variables.

In my opinion, we can't expect a user to read thru all the ansible-playbook output, looking for items that might require intervention.

This task:

https://github.com/MindPointGroup/RHEL7-STIG/blob/df72d02aaa8d20bffd2270a2c61266af23cbb16b/tasks/fix-cat2.yml#L620-L635

Adds ^blacklist usb-storage$ to /etc/modprobe.d/blacklist.conf.

This is not valid modprobe.d syntax and is probably the result of a copy-paste-error.

https://github.com/MindPointGroup/RHEL7-STIG/blob/78fafdf83214d1c1840df384804e69760f0298e0/tasks/fix-cat2.yml#L375

By default in defaults/main.yml:

rhel7stig_pam_faillock:
    attempts: 3
    interval: 900
    unlock_time: 604800
    fail_for_root: yes

If the playbook has already been run and the PAM files have been updated with faillock settings, it doesn't appear that the pamd lines will not modify module arguments once the faillock lines have been added.

One possible fix is to add additional pamd tasks that ensure the arguments are set correctly, resulting in something like:

- block:
      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: before
            type: auth
            control: sufficient
            module_path: pam_unix.so
            new_type: auth
            new_control: required
            new_module_path: pam_faillock.so
            module_arguments: "preauth silent audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period (update preauth)."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (update preauth)."
        pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: required
            module_path: pam_faillock.so
            module_arguments: "preauth silent audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: after
            type: auth
            control: sufficient
            module_path: pam_unix.so
            new_type: auth
            new_control: "[default=die]"
            new_module_path: pam_faillock.so
            module_arguments: "authfail audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (update authfail)."
        pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: "[default=die]"
            module_path: pam_faillock.so
            module_arguments: "authfail audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: before
            type: account
            control: required
            module_path: pam_unix.so
            new_type: account
            new_control: required
            new_module_path: pam_faillock.so
        with_items:
            - "system-auth"
            - "password-auth"

  when: rhel_07_010320 or rhel_07_010330
  tags:
      - RHEL-07-010320
      - RHEL-07-010330
      - pamd

To reduce code duplication, it might be possible to remove the module_arguments from the before/after tasks, and only have them in the additional tasks.

Thoughts?

TASK [R7S : Replace sha256+sha512 entries with sha512] **
--- before: /etc/aide.conf
+++ after: /etc/aide.conf
@@ -60,8 +60,8 @@

 # You can create custom rules like this.
 # With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# ALLXTRAHASHES = sha1+rmd160+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha512+tiger

There's nothing wrong with leaving sha256 in the list of hashes.

Why not collaborate with the https://github.com/openstack/ansible-hardening project instead? Appears to be a lot farther along for RHEL7/Centos7 and very well documented, including why each STIG is implemented or not.

Here's a fairly comprehensive list:

Global Changes

• Every rule title was changed to include "Red Hat Enterprise Linux" in some form
• Throughout, a required, but commented-out configuration setting fails (this is obvious; will handle compliance on a rule-by-rule basis; some rule are okay w/ unconfigured setting)

Modified Rules

• RHEL-07-010010: if non-RPM-verified (user/group ownership, permissions) files are not documented, it is a finding (should subtract a list of documented bad files and/or packages from the list of found bad files and/or packages)

• RHEL-07-010250: "If passwords are not being used for authentication, this is Not Applicable."

• RHEL-07-010310: "If passwords are not being used for authentication, this is Not Applicable."

• RHEL-07-010500: "--smartcardaction=1" -> "--smartcardaction=0"

• RHEL-07-020020: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• RHEL-07-020210: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• RHEL-07-020220: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• RHEL-07-020230: "ctrl.alt.del.target is masked and not active" -- "not active" is new

• RHEL-07-020730: use '-xdev' when finding world-writable files (rule not yet implemented)

• RHEL-07-021020: nosuid on "file systems that are being imported via Network File System (NFS)." - mostly a wording change

• RHEL-07-031000: "/etc/rsyslog.conf" -> '"/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf"' (should move to config snippet, add tombstone for content in rsyslog.conf main)

• RHEL-07-032000: install anti-virus -- removed reference to McAfee

• RHEL-07-040180: "If LDAP is not being utilized, this requirement is Not Applicable.", "ssl = start_tls" -> "ldap_id_use_start_tls = true", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf (should create implicit_files domain explicitly to enable sssd generically and configure)

• RHEL-07-040190: "If LDAP is not being utilized, this requirement is Not Applicable.", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf, "ldap_tls_reqcert = demand" (should create implicit_files domain explicitly to enable sssd generically and configure)

• RHEL-07-040200: "If LDAP is not being utilized, this requirement is Not Applicable.", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf, "ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" (should create implicit_files domain explicitly to enable sssd generically and configure)

• RHEL-07-040500: "maxpoll 17" -> "maxpoll 10", "ntpdate"->"ntpd -q"

• RHEL-07-040510: use "net.ipv4.tcp_invalid_ratelimit = 500" with sysctl instead of firewalld direct rules

• RHEL-07-040610: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• RHEL-07-040620: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• RHEL-07-040630: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• RHEL-07-040640: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• RHEL-07-040650: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• RHEL-07-040660: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• RHEL-07-040740: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective

• "RHEL-07-040830: If IPv6 is not enabled, the key will not exist, and this is Not Applicable", ALSO unconfigured value is OKAY

• RHEL-07-041002: If the "pam" service is not present,present on all "services" lines, (should create implicit_files domain explicitly to enable sssd generically and configure)

• RHEL-07-021021: allow NFS binaries if documented -- "use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding"

• RHEL-07-030874: look in /etc/audit/audit.rules for the check content

• RHEL-07-040641: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• RHEL-07-040201: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• RHEL-07-010020: no longer limited to just binaries, now also includes "system files": "If there is any output from the command for system files or binaries, this is a finding." (#279)

• RHEL-07-010150: "dcredit" -> "ocredit" in the fix text

• RHEL-07-010200: reference both password-auth and system-auth instead of system-auth-ac

• RHEL-07-010270: references both password-auth and system-auth instead of system-auth-ac, "pam_unix.so"->"pam_pwhistory.so"

  • old: "password sufficient pam_unix.so use_authtok sha512 shadow remember=5"
  • new: "password requisite pam_pwhistory.so use_authtok remember=5 retry=3"

• RHEL-07-010290: references both password-auth and system-auth instead of system-auth-ac

• RHEL-07-010320: references both password-auth and system-auth instead of system-auth-ac

  • "unlock_time=604800" -> "fail_interval=900 unlock_time=900" (A huge improvement to the requirement; will reduce sysadmin load.)

• RHEL-07-010330: references both password-auth and system-auth instead of password-auth-ac and system-auth-ac

  • "unlock_time=604800" -> "unlock_time=900"

• RHEL-07-010350: non-compliant configs allowed in commented-out lines

• RHEL-07-010430: if the required config is commented, it is a finding

• RHEL-07-010480: "For systems that are running RHEL 7.2 or newer, this is Not Applicable."

• RHEL-07-010490: "For systems that are running RHEL 7.2 or newer, this is Not Applicable."

• RHEL-07-020110: stop autofs in addition to disable

• RHEL-07-020620: now considers non-privileged UID range as 1000-4999 (no change needed)

• RHEL-07-021100: also allow configs in "/etc/rsyslog.d/*.conf", remove ordering requirement (no change required)

• RHEL-07-021600: items required only on uncommented lines in /etc/aide.conf

• RHEL-07-021610: items required only on uncommented lines in /etc/aide.conf

• RHEL-07-021620: items required only on uncommented lines in /etc/aide.conf

• RHEL-07-030320: removed reference to 'network_failure_action', a different rule

• RHEL-07-030360: audit both arches, update audit key

• RHEL-07-030560: remove '-F perm=x'

• RHEL-07-030570: remove '-F perm=x'

• RHEL-07-030580: remove '-F perm=x'

• RHEL-07-030590: remove '-F perm=x'

• RHEL-07-030640: remove '-F perm=x'

• RHEL-07-030680: remove '-F perm=x'

• RHEL-07-030690: remove '-F perm=x'

• RHEL-07-030710: remove '-F perm=x'

• RHEL-07-030720: remove '-F perm=x'

• RHEL-07-030740: "command" -> "command and syscall", updated audit rules, use absolute command path

• RHEL-07-030750: update path, remove '-F perm=x'

• RHEL-07-030760: remove '-F perm=x'

• RHEL-07-030770: remove '-F perm=x'

• RHEL-07-030780: remove '-F perm=x'

• RHEL-07-030800: remove '-F perm=x'

• RHEL-07-030810: remove '-F perm=x', use absolute command path

• RHEL-07-030820: require b32 on all arches; "command" -> "syscall"

• RHEL-07-030830: require b32 on all arches; "command" -> "syscall"

• RHEL-07-030840: "insmod" -> "kmod" -- did this remove '-F perm=x'? (PR #210) added it

• RHEL-07-030880: remove '-F perm=x', "command" -> "syscall"

• RHEL-07-030890: remove '-F perm=x', "command" -> "syscall"

• RHEL-07-030900: remove '-F perm=x', "command" -> "syscall"

• RHEL-07-030910: remove '-F perm=x', "command" -> "syscall"

• RHEL-07-030920: remove '-F perm=x', "command" -> "syscall"

• RHEL-07-031010: "Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation."

• RHEL-07-040160: use /etc/profile.d/* (e.g., tmout.sh) instead of /etc/profile

• RHEL-07-040300: only require openssh-server, no longer require openssh-clients (#252)

• RHEL-07-040310: use "systemctl enable sshd.service" for the fix (no change needed)

• RHEL-07-040330: "If the release is 7.4 or newer this requirement is Not Applicable."

• RHEL-07-040340: ClientAliveCountMax -- REMOVED "If the release is 7.4 or newer this requirement is Not Applicable." -- now applicable everywhere

• RHEL-07-040360: remove "session required pam_lastlog.so showfailed", must now use "PrintLastLog yes" in /etc/ssh/sshd_config (no change required)

• RHEL-07-040420: SSH private host key files mode "0600" -> "0640"

• RHEL-07-040530: "/etc/pam.d/postlogin-ac" -> "/etc/pam.d/postlogin", remove reference to printlastlog in /etc/ssh/sshd_config

• RHEL-07-040700: tftp -> tftp-server (#261)

• RHEL-07-010119: "/etc/pam.d/passwd"->"/etc/pam.d/system-auth"

• RHEL-07-030321: "stop" -> "syslog" in the check content, but "stop" was never a valid option

• RHEL-07-030871: "audit_rules_usergroup_modification" -> "identity"

• RHEL-07-010061: run "dconf update" to make the change effective (#266)

• RHEL-07-020101: 'install dccp /bin/true' in /etc/modprobe.d/dccp.conf AND now also "blacklist dccp" in /etc/modprobe.d/blacklist.conf (#278)

• RHEL-07-030819: "command" -> "syscall", require b32 everywhere

• RHEL-07-030821: "command" -> "syscall", require b32 everywhere

Deleted

• RHEL-07-020070: removed (YAY, no more repo_gpgcheck that always fails)
• RHEL-07-030600: removed (audit /var/log/tallylog)
• RHEL-07-030730: removed (audit sudoedit)
• RHEL-07-030850: removed (audit rmmod, should modify RHEL-07-030840 first)
• RHEL-07-030860: removed (audit modprobe, should modify RHEL-07-030840 first)
• RHEL-07-032010: removed (weekly virus cvd/dat updates)
• RHEL-07-010062: removed (prevent a user from overriding the screensaver lock-enabled setting)

Added

• RHEL-07-010118: NEW ('password substack system-auth' in /etc/pam.d/passwd)
• RHEL-07-010482: NEW (really, replaces 010480 for RHEL 7.2+) (CAT I)
• RHEL-07-010491: NEW (really, replaces 010490 for RHEL 7.2+) (CAT I)
• RHEL-07-021022: NEW (nodev on /dev/shm)
• RHEL-07-021023: NEW (nosuid on /dev/shm)
• RHEL-07-021024: NEW (noexec on /dev/shm)
• RHEL-07-030200: NEW ('active = yes' in /etc/audisp/plugins.d/au-remote.conf)
• RHEL-07-030201: NEW (configure the au-remote plugin to off-load audit logs using the audisp-remote daemon)
• RHEL-07-030210: NEW (set 'overflow_action' to "syslog", "single", or "halt" in /etc/audisp/audispd.conf)
• RHEL-07-030211: NEW (set 'name_format' to "hostname", "fqd", or "numeric" in /etc/audisp/audispd.conf)

Cosmetic Changes

• RHEL-07-020030: aide cron clarification, no real change
• RHEL-07-020040: aide cron clarification, no real change
• RHEL-07-020250: updated EOL dates
• RHEL-07-030370: "command" -> "syscall"
• RHEL-07-030380: "command" -> "syscall"
• RHEL-07-030390: "command" -> "syscall"
• RHEL-07-030400: "command" -> "syscall"
• RHEL-07-030410: "command" -> "syscall"
• RHEL-07-030420: "command" -> "syscall"
• RHEL-07-030430: "command" -> "syscall"
• RHEL-07-030440: "command" -> "syscall"
• RHEL-07-030450: "command" -> "syscall"
• RHEL-07-030460: "command" -> "syscall"
• RHEL-07-030470: "command" -> "syscall"
• RHEL-07-030480: "command" -> "syscall"
• RHEL-07-030490: "command" -> "syscall"
• RHEL-07-030500: "command" -> "syscall"
• RHEL-07-030510: "command" -> "syscall"
• RHEL-07-030520: "command" -> "syscall"
• RHEL-07-030530: "command" -> "syscall"
• RHEL-07-030540: "command" -> "syscall"
• RHEL-07-030550: "command" -> "syscall"
• RHEL-07-040820: openswan -> libreswan in check content, no real change

TASK [R7S : MEDIUM | RHEL-07-021100 | PATCH | Cron logging must be implemented.] **
--- before: /etc/rsyslog.conf (content)
+++ after: /etc/rsyslog.conf (content)
@@ -61,7 +61,7 @@


 # Log cron stuff
-cron.*                                                  /var/log/cron
+cron.* /var/log/cron.log

 # Everybody gets emergency messages
 *.emerg                                                 :omusrmsg:*

The system as-shipped satisfies the STIG requirement of logging cron. It is not required to have it in "cron.log" as the file name.

Why do we have commented code on the file RHEL7-STIG/tasks/main.yml?
Is this a code that would be runned only at the sysadmin explicity descrition?
If so, couldn't it be moved to another files and just runned if the right tag was passed?
If its not absolutely necessarily anymore, we could remove from the git now in an well commented git commit and, if necessary, bring it back in the future. Could also create another branch.

Best regards

PR #61 introduced the include_tasks directive, which was intruduced in ansible 2.4. Since that is the verison currenly shipping with RHEL, do we want to upgrade the minimum supported version to 2.4? I've currently got a PR in the works that conditionalizes on ansible version, which wouldn't be necessary if the minimum is 2.4.

I am looking for some help withe the MindPointGroup.RHEL7-STIG role can some one help me understand this part of the read me it state,

rhel7stig_min_ansible_version: 2.1

rhel7stig_cat1_patch: yes
rhel7stig_cat2_patch: yes
rhel7stig_cat3_patch: yes

These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.

PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group in order for the variables below to take effect.

CAT 1 rules
rhel_07_010010: true
rhel_07_010020: true
rhel_07_010290: true
rhel_07_010300: true
rhel_07_010440: true
rhel_07_010450: true
rhel_07_010480: true
rhel_07_010490: true
rhel_07_020000: true
rhel_07_020010: true
rhel_07_020050: true
rhel_07_020060: true

Version 1 Release 4 of the STIG was released on Jan 26 2018. These are the relevant changes:
New STIG IDs

• RHEL-07-010062 - GUI - Added a requirement to configure gnome desktop screensaver lock setting
• RHEL-07-010101 - GUI - Added a requirement to configure the gnome desktop screensaver idle setting
• RHEL-07-030819 - Added a new auditd rule requirement to audit "create_module" command
• RHEL-07-030821 - Added a new auditd rule requirement to audit "finit_module" command

Removed STIG IDs

• RHEL-07-041004 - Removed since 010500 covers all users
• RHEL-07-010080 - GUI - Removed since the gnome/dconf config item was invalid

Updated STIG IDs

• RHEL-07-010030 - GUI - Updated fix text for dconf
• RHEL-07-010081 - Updated rule title
• RHEL-07-010082 - Updated rule title
• RHEL-07-010050 - Removed "short banner" must use full banner
• RHEL-07-010100 - GUI - Updated example check content output. Updated fix command for dconf
• RHEL-07-010110 - GUI - Updated finding statement and fix command - dconf
• RHEL-07-010119 - Updated grep command and finding statement. pam.d pwquality retries
• RHEL-07-010480 - Updated finding statement and superusers account setting requirements
• RHEL-07-010490 - Updated finding statement and superusers account setting requirements
• RHEL-07-020220 - Fixed typos in check content
• RHEL-07-020320 - Removed -xdev option from check command
• RHEL-07-020330 - Removed -xdev option from check command
• RHEL-07-020640 - Updated check content and finding statement
• RHEL-07-020650 - Updated check content statement
• RHEL-07-021350 - Removed wording from fix requiring prelink be disabled and GRUB config instructions.
• RHEL-07-030360 - Corrected command in fix text for auditd rule.
• RHEL-07-030370 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030380 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030390 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030400 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030410 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030420 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030430 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030440 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030450 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030460 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030470 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030480 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030490 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030500 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030510 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030520 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030530 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030540 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030550 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030640 - Updated command path in check/fix instructions - auditd rules
• RHEL-07-030680 - Updated command path in check/fix instructions - auditd rules
• RHEL-07-030740 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030820 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030830 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030880 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030890 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030900 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030910 - Updated grep command and fix explanation - auditd rules
• RHEL-07-030920 - Updated grep command and fix explanation - auditd rules
• RHEL-07-040320 - Updated check command for clientaliveinterval and value range
• RHEL-07-040340 - Not Applicable if redhat release is 7.4 or newer
• RHEL-07-040390 - Not Applicable if redhat release is 7.4 or newer
• RHEL-07-040650 - Updated command path in check and fix content
• RHEL-07-040690 - Updated requirement vsftpd vs lsftpd
• RHEL-07-040710 - Updated typos in check and fix content
• RHEL-07-041002 - Updated ssd config file path in check/fix content
• RHEL-07-041003 - Updated check instructions - PAM config

I'm guessing it has dis-trusted centos repos or placed a restriction on certs too high for standard servers. I would expect that the playbook work on centos boxes.

"It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
Please collect information about the specific failure that occurs in your environment,
using the instructions in: https://access.redhat.com/solutions/1527033 and create a bug on https://bugs.centos.org/"

The last successful task and first failure are

TASK [RHEL7-STIG : MEDIUM | RHEL-07-040250 | PATCH | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.] ***
Thursday 23 February 2017 10:31:35 -0600 (0:00:01.433) 0:11:13.850 *****
ok: [34...14]

TASK [RHEL7-STIG : MEDIUM | RHEL-07-040260 | PATCH | All networked systems must have SSH installed.] ***
Thursday 23 February 2017 10:31:38 -0600 (0:00:02.325) 0:11:16.175 *****
fatal: [34...14]: FAILED! => {"changed": false, "failed": true, "msg": "http://download.draios.com/stable/rpm/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 403 - Forbidden\nTrying other mirror.\nTo address this issue please refer to the below knowledge base article\n\nhttps://access.redhat.com/solutions/69319\n\nIf above article doesn't help to resolve this issue please create a bug on https://bugs.centos.org/\n\n\n\n One of the configured repositories failed (Draios),\n and yum doesn't have enough cached data to continue. At this point the only\n safe thing yum can do is fail. There are a few ways to work "fix" this:\n\n 1. Contact the upstream for the repository and get them to fix the problem.\n\n 2. Reconfigure the baseurl/etc. for the repository, to point to a working\n upstream. This is most often useful if you are using a newer\n distribution release than is supported by the repository (and the\n packages for the previous distribution release still work).\n\n 3. Disable the repository, so yum won't use it by default. Yum will then\n just ignore the repository until you permanently enable it again or use\n --enablerepo for temporary usage:\n\n yum-config-manager --disable draios\n\n 4. Configure the failing repository to be skipped, if it is unavailable.\n Note that yum will try to contact the repo. when it runs most commands,\n so will have to try and fail each time (and thus. yum will be be much\n slower). If it is a very temporary problem though, this is often a nice\n compromise:\n\n yum-config-manager --save --setopt=draios.skip_if_unavailable=true\n\nfailure: repodata/repomd.xml.asc from draios: [Errno 256] No more mirrors to try.\nhttp://download.draios.com/stable/rpm/x86_64/repodata/repomd.xml.asc: [Errno 14] HTTP Error 403 - Forbidden\n", "rc": 1, "results": []}

Though the letter of 07-020320 and related rules with find commands specify particular filesystem types and mount points, I suspect they really intend for all local filesystems to be examined, regardless of filesystem type (xfs, ext4, etc.) and mount point (/, /boot, etc.).

Here's a proof of concept for 020320 and 020330 that will find files with missing UIDs and GIDs in /, /boot, etc. Will make a proper branch and PR if this looks worthwhile.

localdisks.yml.txt

RHEL-07-010240 has a task that has "changed_when: no" even though it does make a change.

PR incoming.

From DISA Benchmark V1R2:
The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. - (CCE-27303-7) - Fail

From scap-security-guide 0.1.36 (shipped with RHEL 7.5) and 0.1.38 (latest upstream version):

xccdf_org.ssgproject.content_rule_banner_etc_issue
correct banner in /etc/issue  failed because these items were missing:
Object oval:ssg-object_banner_etc_issue:obj:1 of type textfilecontent54_object

Is it okay to swap this out unconditionally for a "compliant" version, or would it be preferable to make it conditional so users can keep the current version if desired? In any case, users can easily override the default (as I have done locally for a long time.)

PR incoming.

[rhel7 ~]$ rpm -q python-passlib
python-passlib-1.6.5-2.el7.noarch

This role fails due to the required version of passlib.

This should be a trivial fix. I've added comments here:
https://github.com/MindPointGroup/RHEL7-STIG/pull/23

grub2_hash filter plugin fails when used on a machine with python 3 due to the the passlib salt value requiring bytes vs string.

TypeError: salt must be bytes, not str

Fix should be simple i.e:

salt=salt.encode()

For some reason this continues to get skipped on all of my servers/workstations.

Is there something I'm missing?

the recently-intruduced sudo remediations (RHEL-07-010340 and RHEL-07-010350) fail with error:

[Errno 2] No such file or directory

This is because the path to visudo is wrong. I'll send up a PR to fix this issue.

Other than this bug, the remediation seems to work great. Thanks for the contribution!

Any idea?

$ ansible-playbook -i hosts stig.yml
ERROR: find is not a legal parameter in an Ansible task or handler

$ cat stig.yml

• name: Apply STIG
  hosts: all
  become: yes
  roles:
  • role: RHEL7-STIG
    rhel7stig_cat2_audit: yes
    rhel7stig_cat3_audit: yes
    rhel7stig_snmp_community: testing
    rhel7stig_bootloader_password: testing

$ ansible --version
ansible 1.9.6
configured module search path = None

Some tasks do not run by default, even though there is an automated remediation available. When do we disable these?

rules file probably needs to be created from scratch each time. If a suid program added in a previous invocation is removed then augenrules --load will fail due to the non-existing binary. We plan to wipe the file at the start. Sorry corporate policy prevents me from contributing pull requests.

Hello,

I am implementing RHEL7-STIG on machines that are using AD auth with SSSD.

Our AD already implements account lockout after failed password attempts.

With the way RHEL7-STIG currently sets up faillock, AD lockout and local faillock lockout can both be triggered simultaneously.

I first thought about simply setting the faillock fail limit to 4 instead of 3, so that AD accounts would get locked out by AD after 3 tries and the faillock lockout would never trigger, but this also depends on PAM configuration.

PAM being what it is, getting this right is not trivial. Here is a PAM mailing list thread: https://www.redhat.com/archives/pam-list/2013-June/thread.html#00006

Would love to get any feedback on this - unsure if it is in scope for changes being made to RHEL7-STIG but this could be a common gotcha in the kind of (corporate) environment where RHEL7-STIG would be utilized so at least documenting it could be very helpful.

Currently there are roughly 130 19 Cat 2 STIG items that are not implemented in this role. Need to finish these before a 1.0 release.

High Priority CAT2 Items (always flagged by a benchmark):

• RHEL-07-040180 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. (breaks SSSD w/ Active Directory, should RAISE w/ DISA; AD connections are encrypted/authenticated w/ KRB5)
• RHEL-07-040190 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. (default setting "hard" is compliant; DISA does not accept unconfigured value)

Priority CAT2 Items (not checked by any benchmark, non-complex):

• RHEL-07-020020 - The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. (DISRUPTIVE!)
• RHEL-07-020680 - All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. (WIP #282)
• RHEL-07-020710 - All local initialization files must have mode 0740 or less permissive.
• RHEL-07-040200 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. (consider configuring in /etc/openldap/ldap.conf instead of (or in addition to) sssd.conf)
• RHEL-07-040510 - The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.

CAT2 Items (not checked by any benchmark, COMPLEX):

• RHEL-07-020720 - All local initialization files must have mode 0740 or less permissive.
• RHEL-07-020730 - Local initialization files must not execute world-writable programs.
• RHEL-07-021700 - The system must not allow removable media to be used as the boot loader unless approved.

Remaining CAT 2 items:

• RHEL-07-010500 - The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
• RHEL-07-021010 - File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
• RHEL-07-021040 - The umask must be set to 077 for all local interactive user accounts. (COMPLEX)
• RHEL-07-040100 - The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
• RHEL-07-040750 - The Network File System (NFS) must be configured to use RPCSEC_GSS.
• RHEL-07-040810 - The system's access control program must be configured to grant or deny system access to specific hosts and services.
• RHEL-07-010030 - GUI The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
• RHEL-07-010040 - GUI The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
• RHEL-07-010060 - GUI The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
• RHEL-07-010061 - GUI The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
• RHEL-07-010070 - GUI The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
• RHEL-07-010081 - GUI The operating system must set the lock delay setting for all connection types.
• RHEL-07-010082 - GUI The operating system must set the session idle delay setting for all connection types.
• RHEL-07-010100 - GUI The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
• RHEL-07-010110 - GUI The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
• RHEL-07-020270 - The system must not have unnecessary accounts.
• RHEL-07-020600 - All local interactive users must have a home directory assigned in the /etc/passwd file. (#276)
• RHEL-07-020660 - All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
• RHEL-07-020670 - All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.
• RHEL-07-020690 - All local initialization files for interactive users must be owned by the home directory user or root.
• RHEL-07-020700 - Local initialization files for local interactive users must be group-owned by the users primary group or root.
• RHEL-07-020900 - All system device files must be correctly labeled to prevent unauthorized modification.
• RHEL-07-021000 - File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
• RHEL-07-021020 - File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
• RHEL-07-021021 - File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
• RHEL-07-021030 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
• RHEL-07-030300 - The operating system must off-load audit records onto a different system or media from the system being audited.
• RHEL-07-030310 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
• RHEL-07-030360 - All privileged function executions must be audited.
• RHEL-07-032010 - The system must update the DoD-approved virus scan program every seven days or more frequently.
• RHEL-07-041003 - The operating system must implement certificate status checking for PKI authentication.
• RHEL-07-041004 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. Item removed from STIG

new in V2R3

• RHEL-07-010062 revent a user from overriding the screensaver lock-enabled setting for the graphical user interface. (#266)
• RHEL-07-040611 use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
• RHEL-07-040612 use a reverse-path filter for IPv4 network traffic when possible by default.
• RHEL-07-020019 must have a host-based intrusion detection tool installed.

Currently there are 9 3 Cat 3 STIG items that are not implemented (i.e. they always pass and do nothing). These need to be completed prior to a 1.0 release.

• RHEL-07-021600 - The file integrity tool must be configured to verify Access Control Lists (ACLs).
• RHEL-07-021610 - The file integrity tool must be configured to verify extended attributes.
• RHEL-07-040600 - For systems using DNS resolution, at least two name servers must be configured.

Newly added CAT 3 rules in V2R1

• RHEL-07-021022 - tmpfs nodev
• RHEL-07-021023 - tmpfs nosuid
• RHEL-07-021024 - tmpfs noexec

RHEL-07-040580
RHEL-07-010010

PR #131 will address.

Some of these will use the multiple mount points code from #64. Will make a proper branch and PR once this looks feasible.

020730

Finding world-writable files

find / -xdev -type f -perm -002

021030

Finding world-writable directories with high GIDs

find / -xdev -type d -perm -002 -gid +999

040410

Test cases for ssh public keys with permissions higher than 644:

for n in 400 600 700 640 650 740 750 755 660 770 666 777 2644; do touch ssh_host_${n}_key.pub; chmod ${n} ssh_host_${n}_key.pub; done

Finding ssh public keys with permissions higher than 644:

find . -type f -name 'ssh_host_*key.pub' -a \( -perm /u=x -o -perm /g=wx -o -perm /o=wx \)

040420

Test cases for ssh private keys with permissions higher than 600:

for n in 400 600 700 640 650 740 750 755 660 770 666 777 2644; do touch ssh_host_${n}_key.pub; chmod ${n} ssh_host_${n}_key; done

Finding ssh private keys with permissions higher than 600:

find . -type f -name 'ssh_host_*key' -a \( -perm /u=x -o -perm /g=rwx -o -perm /o=rwx \)

If openssh-server is not installed, none of the SSH remediations need to be performed. Currently, the role fails out in this case.

I am attempting to use Ansible 2.4 with the RHEL7-STIG role to harden a CentOS 7 test VM. I understand that this role will not fix all vulnerabilities listed in the STIG but if I'm understanding the code correctly rule rhel_07_010320 is set to true, so my assumption is that fix will be applied. When I audited my system and manually checked by looking at the contents of the PAM file I verified that the fix was not applied. I then went an viewed the corresponding task in the fix-cat2 playbook and it just returns true (command: "true"). Has this fix not been implemented yet or am I misunderstanding how all of this works? I viewed the code for the RHEL6 STIG and there are actual steps to add pam_faillock.

Hello,
Thank you for your group's efforts in pushing forward security through these ansible roles. They are incredibly helpful.

What is the current status/state of this project and is this still under active development?
Is this safe to use in it's current state?
Should this be used in conjunction with or instead of the RHEL7-CIS?

Thank you again!

While using the Azure CentOS 7 image provided by Rogue Wave (formerly OpenLogic) we hit:

"HIGH | RHEL-07-010490 | PATCH | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."] ***
fatal: [XXX.XXX.XXX.XXX]: FAILED! => {"msg": "[{u'regexp': u'^set superusers', u'line': u'set superusers=\"{{rhel7stig_boot_superuser}}\"'}, {u'regexp': u'^password_pbkdf2 {{rhel7stig_boot_superuser}}', u'line': u\"password_pbkdf2 {{rhel7stig_boot_superuser}} {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}\"}]: grub2_hash requires the passlib python module to generate password hashes"}

DISA published v1R3: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R3_STIG.zip

Running the latest and greatest version of RHEL7-STIG against a freshly installed CentOS7 when the play executed the step

HIGH | RHEL-07-010490 | PATCH | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes

it resulted in the following error message:

FAILED! => {"failed": true, "msg": "[{u'regexp': u'^set superusers', u'line': u'set superusers=\"root\"'}, {u'regexp': u'^password_pbkdf2 root', u'line': u\"password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}\"}]: Unexpected templating type error occurred on (password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}): crypt() takes no keyword arguments"}

The cryptography module on the target system has version 2.0.3.

Workaround: modify filter_plugins/filters.py
Turn encrypted = crypt.crypt(password, salt=salt) into encrypted = crypt.crypt(password, salt)

I didn't check the signature of crypt though, so I'm not sure that workaround makes sense, but at least you avoid the error and the system still works after a reboot.

RUNNING HANDLER [RHEL7-STIG : restart ntpd] ************************************
fatal: [sectest]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find the requested service ntpd: cannot check nor set state"}
to retry, use: --limit @/home/user/hardening/roles/stig.retry

PLAY RECAP *********************************************************************
sectest: ok=248 changed=41 unreachable=0 failed=1

anything i can do to fix this?

Hi,

So trying to apply RHEL-7 STIGs, execution stops @ RHEL-07-010490 with following error. Any thoughts?

The full traceback is:
Traceback (most recent call last):
  File "/Library/Python/2.7/site-packages/ansible/executor/task_executor.py", line 89, in run
    items = self._get_loop_items()
  File "/Library/Python/2.7/site-packages/ansible/executor/task_executor.py", line 202, in _get_loop_items
    loop_terms = listify_lookup_plugin_terms(terms=self._task.loop_args, templar=templar, loader=self._loader, fail_on_undefined=True, convert_bare=False)
  File "/Library/Python/2.7/site-packages/ansible/utils/listify.py", line 34, in listify_lookup_plugin_terms
    terms = templar.template(terms.strip(), convert_bare=convert_bare, fail_on_undefined=fail_on_undefined)
  File "/Library/Python/2.7/site-packages/ansible/template/__init__.py", line 437, in template
    disable_lookups=disable_lookups,
  File "/Library/Python/2.7/site-packages/ansible/template/__init__.py", line 659, in do_template
    res = j2_concat(rf)
  File "<template>", line 9, in root
  File "/Library/Python/2.7/site-packages/ansible/template/__init__.py", line 202, in resolve_or_missing
    val = super(AnsibleContext, self).resolve_or_missing(key)
  File "/Library/Python/2.7/site-packages/jinja2/runtime.py", line 216, in resolve_or_missing
    return resolve_or_missing(self, key)
  File "/Library/Python/2.7/site-packages/jinja2/runtime.py", line 128, in resolve_or_missing
    return context.parent[key]
  File "/Library/Python/2.7/site-packages/ansible/template/vars.py", line 95, in __getitem__
    raise type(e)(to_native(variable) + ': ' + e.message)
NameError: [{u'regexp': u'^set superusers', u'line': u'set superusers="root"'}, {u'regexp': u'^password_pbkdf2 root', u'line': u"password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}"}]: global name 'errors' is not defined

fatal: [34.229.162.171]: FAILED! => {
    "failed": true, 
    "msg": "Unexpected failure during module execution.", 
    "stdout": ""
}

Below are ansible / python versions on the controller m/c.

ansible 2.3.1.0
python version = 2.7.10 (default, Oct 23 2015, 19:19:21) [GCC 4.2.1 Compatible Apple LLVM 7.0.0 (clang-700.0.59.5)]

Thx,

Ritesh

Task logic was implemented but notimplemented tag was not removed.
https://github.com/MindPointGroup/RHEL7-STIG/blob/d6d78c0622d7f6211cb03fda29752cfe62c31a97/tasks/fix-cat2.yml#L2233-L2252

Hello,

I don't know if this is a common problem and it's hard to understand this for me because I do not have in-depth knowledge of RedHat / CentOS / general rpm-based distros but on a fresh install of CentOS 7 from CentOS-7-x86_64-Minimal-1804.iso there are lots of missing package files that result in rpm --setperms exiting with an error return code.

Example:

[root@localhost ~]# rpm --setperms $(rpm -qf /usr/sbin/netreport)
chmod: cannot access ‘/etc/sysconfig/kvm’: No such file or directory

This causes RHEL-07-010010 to fail a lot.

Is there something wrong with my CentOS installation or is missing package files normal?

The regex doesn't anchor to the line start, so it catches admin_space_left_action when it should only match space_left_action. PR incoming.