diff --git a/shared/templates/static/ansible/accounts_logon_fail_delay.yml b/shared/templates/static/ansible/accounts_logon_fail_delay.yml
index e61f368b6de..b1fde53e343 100644
--- a/shared/templates/static/ansible/accounts_logon_fail_delay.yml
+++ b/shared/templates/static/ansible/accounts_logon_fail_delay.yml
@@ -1,9 +1,9 @@
# platform = multi_platform_rhel
-- name: "Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)"
+- name: Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)
lineinfile:
- dest="/etc/login.defs"
- regexp="^FAIL_DELAY"
- line="FAIL_DELAY (ansible-populate var_accounts_fail_delay)"
+ dest: /etc/login.defs
+ regexp: ^FAIL_DELAY
+ line: FAIL_DELAY (ansible-populate var_accounts_fail_delay)
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml b/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml
new file mode 100644
index 00000000000..8f9cf0384dd
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
+ lineinfile:
+ state: present
+ dest: /etc/security/limits.conf
+ insertbefore: '^# End of file'
+ regexp: '^#?\\*.*maxlogins'
+ line: '* hard maxlogins (ansible-populate var_accounts_max_concurrent_login_sessions)'
+ tags:
+ @ANSIBLE_TAGS@
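Review bot: The maxlogins regexp is single-quoted, so `\\*` reaches the regex engine as two backslashes followed by `*`, i.e. "zero or more literal backslashes", not an escaped asterisk; `^#?\\*.*maxlogins` then matches any line containing `maxlogins` after an optional `#`, such as the explanatory comment in a stock limits.conf header, and lineinfile rewrites the last such match instead of the `* hard maxlogins` entry. In a single-quoted YAML scalar a backslash is literal, so the intended pattern is `regexp: '^#?\*.*maxlogins'`. The `insertbefore: '^# End of file'` fallback is fine as written.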
diff --git a/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml b/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml
new file mode 100644
index 00000000000..78ebc15f6a4
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Age
+ lineinfile:
+ create: yes
+ dest: /etc/login.defs
+ regexp: ^#?PASS_MAX_DAYS
+ line: PASS_MAX_DAYS (ansible-populate var_accounts_maximum_age_login_defs)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml b/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml
new file mode 100644
index 00000000000..6d9d2f53e60
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Age
+ lineinfile:
+ create: yes
+ dest: /etc/login.defs
+ regexp: ^#?PASS_MIN_DAYS
+ line: PASS_MIN_DAYS (ansible-populate var_accounts_minimum_age_login_defs)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml b/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml
new file mode 100644
index 00000000000..6db4ec434db
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Minimum Length in login.defs"
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^PASS_MIN_LEN *[0-9]*"
+ state: present
+ line: "PASS_MIN_LEN (ansible-populate var_accounts_password_minlen_login_defs)"
+ tags:
+ @ANSIBLE_TAGS@
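Review bot: `regexp: "^PASS_MIN_LEN *[0-9]*"` does not match a commented-out `#PASS_MIN_LEN` line, unlike the sibling login.defs tasks in this commit (`^#?PASS_MAX_DAYS`, `^#?PASS_MIN_DAYS`), and the trailing ` *[0-9]*` adds nothing because it can match the empty string. `regexp: ^#?PASS_MIN_LEN` keeps the files consistent; the same applies to `"^PASS_WARN_AGE *[0-9]*"` in accounts_password_warn_age_login_defs.yml.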
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml
new file mode 100644
index 00000000000..65cddd16a6f
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name:
+ lineinfile:
+ create: yes
+ dest: /etc/security/pwquality.conf
+ regexp: '^#?\s*maxclassrepeat'
+ line: maxclassrepeat = (ansible-populate var_password_pam_maxclassrepeat)
+ tags:
+ @ANSIBLE_TAGS@
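Review bot: The task's `name:` is empty, which YAML loads as null, so the play output shows no task title and the file is inconsistent with every other template in this commit. Give it a name parallel to the maxrepeat task, e.g. `- name: Set Password Maximum Consecutive Repeating Characters from the Same Class`.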
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml
new file mode 100644
index 00000000000..2bf2de8be03
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Consecutive Repeating Characters
+ lineinfile:
+ create: yes
+ dest: /etc/security/pwquality.conf
+ regexp: '^#?\s*maxrepeat'
+ line: maxrepeat = (ansible-populate var_password_pam_maxrepeat)
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_minlen.yml b/shared/templates/static/ansible/accounts_password_pam_minlen.yml
new file mode 100644
index 00000000000..78041b118e4
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_pam_minlen.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Length - /etc/security/pwquality.conf
+ lineinfile:
+ dest: /etc/security/pwquality.conf
+ regexp: ^minlen =
+ state: present
+ line: minlen = (ansible-populate var_password_pam_minlen)
+ tags:
+ @ANSIBLE_TAGS@
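Review bot: `regexp: ^minlen =` only matches an uncommented line with exactly one space on each side of `=`, so an existing `minlen=8` (or a commented `# minlen = 9`, which pwquality.conf typically ships) is left in place and a second `minlen` line is appended, leaving two settings whose precedence depends on the pwquality parser. The sibling pwquality tasks in this commit use `'^#?\s*maxrepeat'`; `regexp: '^#?\s*minlen'` matches that form and replaces the existing line instead.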
diff --git a/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml b/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml
new file mode 100644
index 00000000000..a9c3f858860
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Warning Age"
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^PASS_WARN_AGE *[0-9]*"
+ state: present
+ line: "PASS_WARN_AGE (ansible-populate var_accounts_password_warn_age_login_defs)"
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_tmout.yml b/shared/templates/static/ansible/accounts_tmout.yml
new file mode 100644
index 00000000000..752937959c0
--- /dev/null
+++ b/shared/templates/static/ansible/accounts_tmout.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Interactive Session Timeout
+ lineinfile:
+ create: yes
+ dest: /etc/profile
+ regexp: ^#?TMOUT
+ line: TMOUT=(ansible-populate var_accounts_tmout)
+ tags:
+ @ANSIBLE_TAGS@
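Review bot: The line written to /etc/profile only assigns `TMOUT=...`; unless the variable is also exported and marked read-only, it is not inherited by child shells and any user can override it in an interactive session, so the timeout is advisory rather than enforced. If the project's bash remediation for this rule sets `readonly TMOUT; export TMOUT`, this task should match it (for example via a `blockinfile` or a second `lineinfile` adding `readonly TMOUT` and `export TMOUT`); I cannot see that remediation from this diff.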
diff --git a/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml b/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml
new file mode 100644
index 00000000000..358180bb60e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd mail_acct Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "action_mail_acct = (ansible-populate var_auditd_action_mail_acct)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
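Review bot: This lineinfile has no `regexp`, so when auditd.conf already contains an `action_mail_acct = root` line (the stock file does) the module appends a second `action_mail_acct` line rather than replacing it; add `regexp: ^action_mail_acct` as the admin_space_left_action and space_left_action tasks in this commit do. The same omission is in auditd_data_retention_max_log_file.yml and auditd_data_retention_max_log_file_action.yml.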
diff --git a/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml
new file mode 100644
index 00000000000..6727746b65e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd admin_space_left Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "admin_space_left_action = (ansible-populate var_auditd_admin_space_left_action)"
+ regexp: "^admin_space_left_action*"
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
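Review bot: In `regexp: "^admin_space_left_action*"` the `*` quantifies only the final `n`, so the pattern is `^admin_space_left_actio` followed by any number of `n` — harmless here but misleading to the next reader; `regexp: ^admin_space_left_action` says what is meant. The same nit is in auditd_data_retention_space_left_action.yml (`^space_left_action*`).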
diff --git a/shared/templates/static/ansible/auditd_data_retention_flush.yml b/shared/templates/static/ansible/auditd_data_retention_flush.yml
new file mode 100644
index 00000000000..3f01650e563
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_flush.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Flush Priority
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: '.*flush.*'
+ line: flush = data
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
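Review bot: `regexp: '.*flush.*'` matches any line containing `flush` anywhere, comments included, and lineinfile then rewrites the last such line; anchor it as `regexp: ^flush` (or `'^#?\s*flush'` to also reclaim a commented-out setting) to be consistent with the other auditd.conf tasks in this commit.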
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml
new file mode 100644
index 00000000000..ce828443a2c
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Max Log File Size
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "max_log_file (ansible-populate var_auditd_max_log_file)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
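Review bot: The written line is `max_log_file (ansible-populate var_auditd_max_log_file)` with no ` = `; auditd.conf uses `keyword = value`, and the other auditd tasks in this commit write `action_mail_acct = ...`, `flush = data` and `space_left_action = ...`, so a line without `=` is not a valid setting and can stop auditd from starting. Use `line: "max_log_file = (ansible-populate var_auditd_max_log_file)"` together with `regexp: '^max_log_file\s*='` (the `=` keeps it from also matching `max_log_file_action`). The same missing `=` is in auditd_data_retention_max_log_file_action.yml.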
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml
new file mode 100644
index 00000000000..87393069f00
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: "max_log_file_action (ansible-populate var_auditd_max_log_file_action)"
+ state: present
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml
new file mode 100644
index 00000000000..0d88ab6d78e
--- /dev/null
+++ b/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd space_left Action on Low Disk Space
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ line: space_left_action = (ansible-populate var_auditd_space_left_action)
+ regexp: ^space_left_action*
+ #notify: reload auditd
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/bootloader_audit_argument.yml b/shared/templates/static/ansible/bootloader_audit_argument.yml
new file mode 100644
index 00000000000..5f409fe6876
--- /dev/null
+++ b/shared/templates/static/ansible/bootloader_audit_argument.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon"
+ shell: /sbin/grubby --update-kernel=ALL --args="audit=1"
+ tags:
+ @ANSIBLE_TAGS@
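Review bot: The grubby invocation uses no shell features, so `command:` is the appropriate module rather than `shell:`, and as written the task reports `changed` on every run because grubby gives no idempotent signal. Consider `command: /sbin/grubby --update-kernel=ALL --args="audit=1"` preceded by a `grubby --info=ALL` check registered into a variable, with `when`/`changed_when` based on whether `audit=1` is already present; whether the project's bash fix also sets GRUB_CMDLINE_LINUX in /etc/default/grub so newly installed kernels inherit the argument is not visible here.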
diff --git a/shared/templates/static/ansible/clean_components_post_updating.yml b/shared/templates/static/ansible/clean_components_post_updating.yml
new file mode 100644
index 00000000000..60d16942788
--- /dev/null
+++ b/shared/templates/static/ansible/clean_components_post_updating.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Ensure YUM Removes Previous Package Versions"
+ lineinfile:
+ dest: /etc/yum.conf
+ regexp: ^#?clean_requirements_on_remove
+ line: clean_requirements_on_remove=1
+ insertafter: '\[main\]'
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/disable_host_auth.yml b/shared/templates/static/ansible/disable_host_auth.yml
index f81320b4f8c..31706fe7172 100644
--- a/shared/templates/static/ansible/disable_host_auth.yml
+++ b/shared/templates/static/ansible/disable_host_auth.yml
@@ -3,11 +3,11 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Disable Host-Based Authentication"
+- name: Disable Host-Based Authentication
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^HostbasedAuthentication"
- line="HostbasedAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^HostbasedAuthentication
+ line: HostbasedAuthentication no
tags:
@ANSIBLE_TAGS@
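Review bot: `regexp: ^HostbasedAuthentication` only matches an exact-case, uncommented keyword, while sshd treats keywords case-insensitively and honours the first occurrence; an existing `hostbasedauthentication yes` would survive untouched and win over the line this task appends at the end of the file. The compression, gssapi, kerberos and strictmodes hunks in this commit already use the `(?i)^#?keyword` form — use `regexp: (?i)^#?hostbasedauthentication` here, and the same applies to the PermitEmptyPasswords, IgnoreRhosts, RhostsRSAAuthentication, PermitRootLogin, IgnoreUserKnownHosts, PermitUserEnvironment, Banner, X11Forwarding, PrintLastLog, ClientAliveInterval and ClientAliveCountMax tasks. This task also lacks the `validate: sshd -t -f %s` that the other sshd_config edits in the commit add.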
diff --git a/shared/templates/static/ansible/enable_selinux_bootloader.yml b/shared/templates/static/ansible/enable_selinux_bootloader.yml
index dce2b86a081..757e2f0a10a 100644
--- a/shared/templates/static/ansible/enable_selinux_bootloader.yml
+++ b/shared/templates/static/ansible/enable_selinux_bootloader.yml
@@ -3,9 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Ensure SELinux Not Disabled in /etc/default/grub"
+- name: Ensure SELinux Not Disabled in /etc/default/grub
replace:
dest: /etc/default/grub
- regexp: "selinux=0"
+ regexp: selinux=0
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml b/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml
new file mode 100644
index 00000000000..8bf542e1cec
--- /dev/null
+++ b/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+#
+- name: Find All Yum Repositories
+ find:
+ paths: "/etc/yum.repos.d/"
+ patterns: "*.repo"
+ register: yum_find
+
+- name: Ensure gpgcheck Enabled For All Yum Package Repositories
+ with_items: "{{ yum_find.files }}"
+ lineinfile:
+ create: yes
+ dest: "{{ item.path }}"
+ regexp: '^gpgcheck'
+ line: 'gpgcheck=1'
+ tags:
+ @ANSIBLE_TAGS@
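Review bot: lineinfile replaces only the last line matching `^gpgcheck` in each file, so a .repo file with several `[section]` stanzas (common for vendor channel files) keeps `gpgcheck=0` in every stanza but the last, and `create: yes` is unnecessary because the paths come from `find`. The `replace` module fixes every occurrence in one pass; stanzas that have no `gpgcheck` key at all fall back to the default in /etc/yum.conf, which this task does not cover.
```yaml
- name: Ensure gpgcheck Enabled For All Yum Package Repositories
  with_items: "{{ yum_find.files }}"
  replace:
    dest: "{{ item.path }}"
    regexp: '^\s*gpgcheck\s*=\s*0'
    replace: 'gpgcheck=1'
  # … unchanged: tags …
```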
diff --git a/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml b/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
index b1cf2fe1146..277e946521a 100644
--- a/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
+++ b/shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml
@@ -13,21 +13,21 @@
# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
-- name: "Read signatures in GPG key"
- shell: "gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'"
+- name: Read signatures in GPG key
+ shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'
changed_when: False
register: gpg_fingerprints
check_mode: no
tags:
@ANSIBLE_TAGS@
-- name: "Set Fact: Valid fingerprints"
+- name: Set Fact - Valid fingerprints
set_fact:
gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0")
tags:
@ANSIBLE_TAGS@
-- name: "Import RedHat GPG key"
+- name: Import RedHat GPG key
rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -38,4 +38,3 @@
and (ansible_distribution == "RedHat")
tags:
@ANSIBLE_TAGS@
-
diff --git a/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml b/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
index 17633005069..eb338bc9ca1 100644
--- a/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
+++ b/shared/templates/static/ansible/firewalld_sshd_port_enabled.yml
@@ -4,21 +4,21 @@
# strategy = configure
# disruption = low
-- name: "Enable SSHD in firewalld (custom port)"
+- name: Enable SSHD in firewalld (custom port)
firewalld:
- port="(ansible-populate sshd_listening_port)/tcp"
- permanent="yes"
- state="enabled"
- when: "(ansible-populate sshd_listening_port)" != "22"
+ port: (ansible-populate sshd_listening_port)/tcp
+ permanent: yes
+ state: enabled
+ when: (ansible-populate sshd_listening_port) != 22
tags:
@ANSIBLE_TAGS@
-- name: "Enable SSHD in firewalld (default port)"
+- name: Enable SSHD in firewalld (default port)
firewalld:
- service="ssh"
- permanent="yes"
- state="enabled"
- when: "(ansible-populate sshd_listening_port)" == "22"
+ service: ssh
+ permanent: yes
+ state: enabled
+ when: (ansible-populate sshd_listening_port) == 22
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/no_direct_root_logins.yml b/shared/templates/static/ansible/no_direct_root_logins.yml
new file mode 100644
index 00000000000..56e4d0e3c6e
--- /dev/null
+++ b/shared/templates/static/ansible/no_direct_root_logins.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Direct root Logins Not Allowed"
+ shell: echo > /etc/securetty
+ tags:
+ @ANSIBLE_TAGS@
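Review bot: `shell: echo > /etc/securetty` truncates the file unconditionally, so the task reports `changed` on every run and is not idempotent; the same result is obtained idempotently with the `copy` module, `copy:` with `dest: /etc/securetty` and `content: ''`, which only rewrites the file when its content differs.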
diff --git a/shared/templates/static/ansible/no_rsh_trust_files.yml b/shared/templates/static/ansible/no_rsh_trust_files.yml
new file mode 100644
index 00000000000..ef8e82f96eb
--- /dev/null
+++ b/shared/templates/static/ansible/no_rsh_trust_files.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- block:
+ - name: "Detect shosts.equiv Files on the System"
+ find:
+ paths: /
+ recurse: yes
+ patterns: shosts.equiv
+ check_mode: no
+ register: shosts_equiv_locations
+
+ - name: "Remove Rsh Trust Files"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items: "{{ shosts_equiv_locations }}"
+ when: shosts_equiv_locations
+ tags:
+ @ANSIBLE_TAGS@
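Review bot: `with_items: "{{ shosts_equiv_locations }}"` iterates the registered result itself rather than its `files` list, so `item.path` is undefined and the removal task fails; it should be `with_items: "{{ shosts_equiv_locations.files }}"`, after which the `when: shosts_equiv_locations` guard (always true for a registered result) can be dropped or written as `when: shosts_equiv_locations.matched > 0`. Two further points: `find` with `paths: /` and `recurse: yes` walks every mounted filesystem, so restricting the paths to local filesystems would keep the task bounded, and the pattern only covers `shosts.equiv` — if the rule also covers `hosts.equiv`, `.rhosts` and `.shosts`, as its name suggests, add them to `patterns`. The block's indentation is not recoverable in this diff, so I cannot tell whether `when` and `tags` attach to the block or to the last task.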
diff --git a/shared/templates/static/ansible/require_smb_client_signing.yml b/shared/templates/static/ansible/require_smb_client_signing.yml
new file mode 100644
index 00000000000..770c6ea2269
--- /dev/null
+++ b/shared/templates/static/ansible/require_smb_client_signing.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel, multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+- name: Check if /etc/samba/smb.conf exists
+ stat:
+ path: /etc/samba/smb.conf
+ register: st_smb
+ tags:
+ @ANSIBLE_TAGS@
+
+- name: Require Client SMB Packet Signing, if using smbclient
+ lineinfile:
+ dest: /etc/samba/smb.conf
+ line: client signing = mandatory
+ state: present
+ insertafter: [global]
+ when: st_smb.stat.exists
+ tags:
+ @ANSIBLE_TAGS@
+
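Review bot: `insertafter: [global]` is parsed by YAML as a flow sequence containing the string `global`, not as the text `[global]`, and even when quoted `[global]` is a regex character class matching a single letter; the intent is `insertafter: '^\[global\]'`, escaped the same way clean_components_post_updating.yml escapes `'\[main\]'`. The stray empty `+` line at the end of the file is a trailing blank line yamllint will flag.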
diff --git a/shared/templates/static/ansible/account_disable_post_pw_expiration.yml b/shared/templates/static/ansible/restrict_serial_port_logins.yml
similarity index 55%
rename from shared/templates/static/ansible/account_disable_post_pw_expiration.yml
rename to shared/templates/static/ansible/restrict_serial_port_logins.yml
index 0d9d68b0fa8..1729e32e732 100644
--- a/shared/templates/static/ansible/account_disable_post_pw_expiration.yml
+++ b/shared/templates/static/ansible/restrict_serial_port_logins.yml
@@ -3,12 +3,10 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Disable POST password expiration"
+- name: "Restrict Serial Port Root Logins"
lineinfile:
- create=yes
- dest="/etc/default/useradd"
- regexp="^INACTIVE"
- line="INACTIVE=-1"
+ dest: /etc/securetty
+ regexp: 'ttyS[0-9]'
+ state: absent
tags:
@ANSIBLE_TAGS@
-
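Review bot: This rename repurposes account_disable_post_pw_expiration.yml (the `INACTIVE=-1` edit of /etc/default/useradd) into the serial-port rule, so the post-expiration-disable rule loses its Ansible remediation unless a replacement exists elsewhere in the change; if that is unintended, keep the original file and add restrict_serial_port_logins.yml as a new file. As a nit, `regexp: 'ttyS[0-9]'` is unanchored and also removes commented `#ttyS0` entries, which is harmless under `state: absent` but worth a `^` if only active entries are meant.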
diff --git a/shared/templates/static/ansible/securetty_root_login_console_only.yml b/shared/templates/static/ansible/securetty_root_login_console_only.yml
new file mode 100644
index 00000000000..8cc3507cac7
--- /dev/null
+++ b/shared/templates/static/ansible/securetty_root_login_console_only.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Restrict Virtual Console Root Logins"
+ lineinfile:
+ dest: /etc/securetty
+ regexp: '^vc'
+ state: absent
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/security_patches_up_to_date.yml b/shared/templates/static/ansible/security_patches_up_to_date.yml
index b46caa7aa05..5b7ab01bdcf 100644
--- a/shared/templates/static/ansible/security_patches_up_to_date.yml
+++ b/shared/templates/static/ansible/security_patches_up_to_date.yml
@@ -5,8 +5,8 @@
# disruption = high
- name: "Security patches are up to date"
package:
- name="*"
- state="latest"
+ name: "*"
+ state: "latest"
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml
new file mode 100644
index 00000000000..d632ef74938
--- /dev/null
+++ b/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/libuser.conf
+ lineinfile:
+ dest: /etc/libuser.conf
+ insertafter: "^.default]"
+ regexp: ^#?crypt_style
+ line: crypt_style = sha512
+ state: present
+ tags:
+ @ANSIBLE_TAGS@
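Review bot: `insertafter: "^.default]"` uses `.` to stand in for `[`, so it also matches any line such as `xdefault]`; the explicit form `insertafter: '^\[default\]'` documents the intent and matches how clean_components_post_updating.yml escapes `'\[main\]'`.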
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml
new file mode 100644
index 00000000000..3569246f15c
--- /dev/null
+++ b/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/login.defs
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: ^#?ENCRYPT_METHOD
+ line: ENCRYPT_METHOD SHA512
+ state: present
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_allow_only_protocol2.yml b/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
index 2d81527c352..83d43303564 100644
--- a/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
+++ b/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
@@ -9,7 +9,7 @@
dest: /etc/ssh/sshd_config
regexp: "^Protocol [0-9]"
line: "Protocol 2"
- notify:
- - reload ssh
+ validate: sshd -t -f %s
+ #notify: :reload ssh
tags:
@ANSIBLE_TAGS@
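Review bot: The `notify: reload ssh` handler is now commented out (`#notify: :reload ssh`, with a stray colon), so after this and the other sshd_config tasks in the commit change the file, the running daemon keeps its old configuration until someone restarts it — the hardening does not apply to new connections. If the handler is not available in the generated playbook, a comment should say so and a follow-up task (e.g. `service: name=sshd state=reloaded` in the project's preferred form) should reload sshd; the commented-out line in sshd_disable_gssapi_auth.yml (`#notify: sshd -t -f %s`) looks like a copy of the validate command rather than a handler name.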
diff --git a/shared/templates/static/ansible/sshd_disable_compression.yml b/shared/templates/static/ansible/sshd_disable_compression.yml
index e7c27e91755..4ab4abb3ee0 100644
--- a/shared/templates/static/ansible/sshd_disable_compression.yml
+++ b/shared/templates/static/ansible/sshd_disable_compression.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Disable Compression or Set Compression to delayed"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Compression"
- line="Compression delayed"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?compression
+ line: Compression delayed
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_empty_passwords.yml b/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
index 8b37fdd1d71..04ac923c102 100644
--- a/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
+++ b/shared/templates/static/ansible/sshd_disable_empty_passwords.yml
@@ -3,11 +3,12 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Diable SSH Access via Empty Passwords"
+- name: Diable SSH Access via Empty Passwords
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitEmptyPasswords"
- line="PermitEmptyPasswords no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PermitEmptyPasswords
+ line: PermitEmptyPasswords no
+ validate: sshd -t -f %s
tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml b/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
index 4036bc13f7a..346634d3285 100644
--- a/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
+++ b/shared/templates/static/ansible/sshd_disable_gssapi_auth.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Disable GSSAPI Authentication"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^GSSAPIAuthentication"
- line="GSSAPIAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?gssapiauthentication
+ line: GSSAPIAuthentication no
+ validate: sshd -t -f %s
+ #notify: sshd -t -f %s
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_kerb_auth.yml b/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
index 054c43cbb04..4c1e359cc2e 100644
--- a/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
+++ b/shared/templates/static/ansible/sshd_disable_kerb_auth.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Disable Kerberos Authentication"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^KerberosAuthentication"
- line="KerberosAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?kerberosauthentication
+ line: KerberosAuthentication no
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_rhosts.yml b/shared/templates/static/ansible/sshd_disable_rhosts.yml
index 91d01270a31..1ca41449f9a 100644
--- a/shared/templates/static/ansible/sshd_disable_rhosts.yml
+++ b/shared/templates/static/ansible/sshd_disable_rhosts.yml
@@ -3,11 +3,12 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Disable SSH Support for .rhosts Files"
+- name: Disable SSH Support for .rhosts Files
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^IgnoreRhosts"
- line="IgnoreRhosts yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^IgnoreRhosts
+ line: IgnoreRhosts yes
+ validate: sshd -t -f %s
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml b/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
index ccacf9365d6..812f7fb4c3c 100644
--- a/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
+++ b/shared/templates/static/ansible/sshd_disable_rhosts_rsa.yml
@@ -3,11 +3,12 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Disable SSH Support for Rhosts RSA Authentication"
+- name: Disable SSH Support for Rhosts RSA Authentication
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^RhostsRSAAuthentication"
- line="RhostsRSAAuthentication no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^RhostsRSAAuthentication
+ line: RhostsRSAAuthentication no
+ validate: sshd -t -f %s
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_root_login.yml b/shared/templates/static/ansible/sshd_disable_root_login.yml
index cc1b0717836..ddbca31d81e 100644
--- a/shared/templates/static/ansible/sshd_disable_root_login.yml
+++ b/shared/templates/static/ansible/sshd_disable_root_login.yml
@@ -5,9 +5,12 @@
# disruption = low
- name: "Disable SSH Root Login"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitRootLogin"
- line="PermitRootLogin no"
+ create: yes
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^PermitRootLogin"
+ line: "PermitRootLogin no"
+ insertafter: '(?i)^#?authentication'
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml b/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
index e01e520a47f..ea75fb4fd0b 100644
--- a/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
+++ b/shared/templates/static/ansible/sshd_disable_user_known_hosts.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Disable SSH Support for User Known Hosts"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^IgnoreUserKnownHosts"
- line="IgnoreUserKnownHosts yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^IgnoreUserKnownHosts
+ line: IgnoreUserKnownHosts yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml b/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
index b59526e353c..62018440adc 100644
--- a/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
+++ b/shared/templates/static/ansible/sshd_do_not_permit_user_env.yml
@@ -3,11 +3,12 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Do Not Allow SSH Environment Options"
+- name: Do Not Allow SSH Environment Options
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PermitUserEnvironment"
- line="PermitUserEnvironment no"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PermitUserEnvironment
+ line: PermitUserEnvironment no
+ validate: sshd -t -f %s
tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_strictmodes.yml b/shared/templates/static/ansible/sshd_enable_strictmodes.yml
index da8f9cdd360..b93089d81ba 100644
--- a/shared/templates/static/ansible/sshd_enable_strictmodes.yml
+++ b/shared/templates/static/ansible/sshd_enable_strictmodes.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Enable Use of Strict Mode Checking"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^StrictModes"
- line="StrictModes yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?strictmodes
+ line: StrictModes yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_warning_banner.yml b/shared/templates/static/ansible/sshd_enable_warning_banner.yml
index 1ae5c033359..5c2aadc0979 100644
--- a/shared/templates/static/ansible/sshd_enable_warning_banner.yml
+++ b/shared/templates/static/ansible/sshd_enable_warning_banner.yml
@@ -3,11 +3,12 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Enable SSH Warning Banner"
+- name: Enable SSH Warning Banner
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Banner"
- line="Banner /etc/issue"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^Banner
+ line: Banner /etc/issue
+ validate: sshd -t -f %s
tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml b/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml
new file mode 100644
index 00000000000..a443b66ee4c
--- /dev/null
+++ b/shared/templates/static/ansible/sshd_enable_x11_forwarding.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Enable Encrypted X11 Forwarding
+ lineinfile:
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^X11Forwarding
+ line: X11Forwarding yes
+ validate: sshd -t -f %s
+ tags:
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_print_last_log.yml b/shared/templates/static/ansible/sshd_print_last_log.yml
index 2f9ce399acb..1fba2f1e914 100644
--- a/shared/templates/static/ansible/sshd_print_last_log.yml
+++ b/shared/templates/static/ansible/sshd_print_last_log.yml
@@ -1,9 +1,11 @@
# platform = multi_platform_rhel
-- name: "Print last log"
+- name: Print last log
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^PrintLastLog"
- line="PrintLastLog yes"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^PrintLastLog
+ line: PrintLastLog yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
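Review bot: `#notify: restart sshd` is commented out, so after the lineinfile edit the running sshd keeps its old configuration until something else restarts it; `validate: sshd -t -f %s` only proves that the edited file parses. If the generated playbooks have no `restart sshd` handler yet, a comment saying so, `# TODO: add a restart sshd handler; the change is not live until sshd restarts`, would be clearer than a silently disabled notify. The same commented-out line appears in the set_idle_timeout, set_keepalive, use_approved_ciphers, use_approved_macs and use_priv_separation hunks below, and the strict-mode hunk above; the warning-banner and x11_forwarding hunks have no notify at all.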
diff --git a/shared/templates/static/ansible/sshd_set_idle_timeout.yml b/shared/templates/static/ansible/sshd_set_idle_timeout.yml
index dac189e44e2..99f023a27b5 100644
--- a/shared/templates/static/ansible/sshd_set_idle_timeout.yml
+++ b/shared/templates/static/ansible/sshd_set_idle_timeout.yml
@@ -3,11 +3,13 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Set SSH Idle Timeout Interval"
+- name: Set SSH Idle Timeout Interval
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^ClientAliveInterval"
- line="ClientAliveInterval (ansible-populate sshd_idle_timeout_value)"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^ClientAliveInterval
+ line: ClientAliveInterval (ansible-populate sshd_idle_timeout_value)
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
- @ANSIBLE_TAGS@
\ No newline at end of file
+ @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_set_keepalive.yml b/shared/templates/static/ansible/sshd_set_keepalive.yml
index 0045ea19beb..caee774b682 100644
--- a/shared/templates/static/ansible/sshd_set_keepalive.yml
+++ b/shared/templates/static/ansible/sshd_set_keepalive.yml
@@ -3,11 +3,13 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Set SSH Client Alive Count"
+- name: Set SSH Client Alive Count
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^ClientAliveCountMax"
- line="ClientAliveCountMax 0"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^ClientAliveCountMax
+ line: tClientAliveCountMax 0
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
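Review bot: `line: tClientAliveCountMax 0` has a stray leading `t`; the removed side wrote `ClientAliveCountMax 0`. As written the task would insert an unknown keyword, `regexp: ^ClientAliveCountMax` would not match the inserted line on a re-run, and `sshd -t -f %s` rejects unknown options, so the task fails every time rather than silently mis-configuring the host. It should read `line: ClientAliveCountMax 0`.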
diff --git a/shared/templates/static/ansible/sshd_use_approved_ciphers.yml b/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
index 6ba8eb59b3f..9e2dfed99fb 100644
--- a/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
+++ b/shared/templates/static/ansible/sshd_use_approved_ciphers.yml
@@ -3,11 +3,13 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: "Use Only Approved Ciphers"
+- name: Use Only Approved Ciphers
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^Ciphers"
- line="Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^Ciphers
+ line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
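Review bot: The cipher list on the `line:` entry is carried over unchanged and still includes `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`; CBC-mode ciphers and 3DES are weaker than the CTR entries that precede them and are not in recent OpenSSH defaults. If the benchmark this template implements requires exactly this set, a comment above the task citing it would stop someone from "fixing" the list; otherwise the CBC entries are candidates for removal. Either way the intent should be documented rather than inferred from the task name.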
diff --git a/shared/templates/static/ansible/sshd_use_approved_macs.yml b/shared/templates/static/ansible/sshd_use_approved_macs.yml
index 17fa3c38867..4ac5d5f5899 100644
--- a/shared/templates/static/ansible/sshd_use_approved_macs.yml
+++ b/shared/templates/static/ansible/sshd_use_approved_macs.yml
@@ -5,10 +5,12 @@
# disruption = low
- name: "Use Only Approved MACs"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^MACs"
- line="MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: ^MACs
+ line: MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
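Review bot: `- name: "Use Only Approved MACs"` keeps its double quotes while every other task in this diff drops them, e.g. `- name: Use Only Approved MACs`; harmless, but inconsistent with the style the commit is introducing. The MAC list also retains `hmac-sha1`, the weakest of the three entries; as with the cipher list, a comment naming the benchmark that requires it would document the intent.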
diff --git a/shared/templates/static/ansible/sshd_use_priv_separation.yml b/shared/templates/static/ansible/sshd_use_priv_separation.yml
index 4e69abecbe2..85b1eab33d6 100644
--- a/shared/templates/static/ansible/sshd_use_priv_separation.yml
+++ b/shared/templates/static/ansible/sshd_use_priv_separation.yml
@@ -5,9 +5,11 @@
# disruption = low
- name: "Enable use of Privilege Separation"
lineinfile:
- create=yes
- dest="/etc/ssh/sshd_config"
- regexp="^UsePrivilegeSeparation"
- line="UsePrivilegeSeparation sandbox"
+ create: yes
+ dest: /etc/ssh/sshd_config
+ regexp: (?i)^#?useprivilegeseparation
+ line: UsePrivilegeSeparation yes
+ validate: sshd -t -f %s
+ #notify: restart sshd
tags:
@ANSIBLE_TAGS@
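Review bot: `line: UsePrivilegeSeparation yes` replaces the removed `UsePrivilegeSeparation sandbox`, which is the stricter of the two settings, and the task name "Enable use of Privilege Separation" does not explain the downgrade. If it is deliberate, for example because an older sshd on one target platform does not accept `sandbox` and `sshd -t -f %s` would then reject the file, a comment above the task saying so would stop the next reviewer from reverting it. The regexp `(?i)^#?useprivilegeseparation` is the right shape here and is what the other sshd hunks should be using too.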
diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml
index 2c7ca4cbc25..699f764a909 100644
--- a/shared/xccdf/system/auditing.xml
+++ b/shared/xccdf/system/auditing.xml
@@ -136,6 +136,12 @@ GRUB 2 command line for the Linux operating system in
Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If they include audit=1, then auditing
is enabled at boot time.
+
+To ensure audit=1 is configured on all installed kernels, the
+following command may be used:
+
+
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"+