From 51324f59126e71fa8a8a0217a63dc5fd491181eb Mon Sep 17 00:00:00 2001
From: Cat de Frates
Date: Thu, 11 Jan 2024 11:26:43 -0800
Subject: [PATCH 01/13] Rewrote TOSS-04-020230 so that instead of failing when users don't have a home directory, the user is assumed to be disabled and recomended to be set to uninteractive
---
ansible/roles/stig/tasks/TOSS_04_020230.yml | 40 ++++++++++++---------
1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/ansible/roles/stig/tasks/TOSS_04_020230.yml b/ansible/roles/stig/tasks/TOSS_04_020230.yml
index 4f846d5..4d399e4 100644
--- a/ansible/roles/stig/tasks/TOSS_04_020230.yml
+++ b/ansible/roles/stig/tasks/TOSS_04_020230.yml
@@ -14,23 +14,29 @@ - name: TOSS-04-020230 - All TOSS local interactive users must have a home directory assigned in the /etc/passwd file. block: - - name: Verify the integrity of the /etc/passwd file - ansible.builtin.command: "pwck -r" - failed_when: false - changed_when: false - check_mode: false - register: passwd_check - - name: Check if the users are local interactive users - ansible.builtin.command: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $1}' /etc/passwd" - changed_when: false - check_mode: false - register: local_interactive_users - - name: Display any local interactive users without home directories - ansible.builtin.debug: - var: item - when: item.split().0 == "user" and item.split().1[1:-2] in local_interactive_users.stdout - # Only check output lines that are flagging a user without a directory, and parse out the '' surrounding the username" - loop: '{{ passwd_check.stdout_lines }}' + - name: Get all /etc/passwd file entries + ansible.builtin.getent: + database: passwd + split: ':' + - name: Create local_users variable from the getent output + ansible.builtin.set_fact: + local_users: '{{ ansible_facts.getent_passwd | dict2items }}' + - name: Gather the home directories of local, interactive users + ansible.builtin.stat: + path: '{{ item.value.4 }}' + register: home_dirs + loop: '{{ local_users }}' + when: + - item.value.1 | int >= 1000 and '/nologin' not in item.value.5 and '/false' not in item.value.5 + - name: Verify that all interactive users have a home directory. Users without a home directory might not be enabled and can be set as noninteractive (login shell set to /bin/false) + ansible.builtin.user: + name: '{{ item.item.key }}' + shell: /bin/false + check_mode: true + loop: '{{ home_dirs.results }}' + when: + - "item.stat is defined" + - "not item.stat.exists" when: - toss_04_020230 | bool tags: From 24454cb72b80928ea7277d8fd9215346c4da728e Mon Sep 17 00:00:00 2001 
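Review bot: The "Verify that all interactive users have a home directory" task runs `ansible.builtin.user` with `check_mode: true`, so it never changes anything and only reports a would-be change; on a host with such an account the play shows changed on every run and the finding is never surfaced as a failure. If reporting is the intent, a debug task is clearer — `- name: Report interactive users without a home directory`, `ansible.builtin.debug:`, `msg: "{{ item.item.key }}: {{ item.item.value.4 }} does not exist"` — and if remediation is intended, drop `check_mode` and keep it behind a role variable. Note also that `getent passwd` walks every NSS source, so on an sssd/LDAP host with enumeration enabled the "local" in the control title no longer holds and the stat loop touches (and may automount) every directory user's home, which the previous /etc/passwd read did not. A missing home directory does not by itself mean the account is disabled — login can still succeed with `/` as the working directory when login.defs `DEFAULT_HOME` allows it, and sshd behaves the same way — so it is safer to treat it as a finding than to assume `/bin/false` is wanted. The block's `when` and `tags` continue past the hunk.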
From: Cat de Frates Date: Thu, 11 Jan 2024 11:43:49 -0800 Subject: [PATCH 02/13] Added option to create /etc/aide/aide.conf if it doesn't exist --- ansible/roles/stig/tasks/TOSS_04_040630.yml | 2 ++ ansible/roles/stig/tasks/TOSS_04_040640.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/ansible/roles/stig/tasks/TOSS_04_040630.yml b/ansible/roles/stig/tasks/TOSS_04_040630.yml index 9f9e840..dd136e5 100644 --- a/ansible/roles/stig/tasks/TOSS_04_040630.yml +++ b/ansible/roles/stig/tasks/TOSS_04_040630.yml @@ -23,6 +23,7 @@ line: DIR = p+i+n+u+g+acl+selinux+xattrs state: present mode: '600' + create: true - name: TOSS-04-040630 - The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs). Check NORMAL. ansible.builtin.lineinfile: path: /etc/aide/aide.conf @@ -30,6 +31,7 @@ line: NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 state: present mode: '600' + create: true when: - toss_04_040630 | bool tags: diff --git a/ansible/roles/stig/tasks/TOSS_04_040640.yml b/ansible/roles/stig/tasks/TOSS_04_040640.yml index 3cc126a..eab83f7 100644 --- a/ansible/roles/stig/tasks/TOSS_04_040640.yml +++ b/ansible/roles/stig/tasks/TOSS_04_040640.yml @@ -24,6 +24,7 @@ line: DIR = p+i+n+u+g+acl+selinux+xattrs state: present mode: '600' + create: true - name: TOSS-04-040640 - The TOSS file integrity tool must be configured to verify extended attributes. Check NORMAL. ansible.builtin.lineinfile: path: /etc/aide/aide.conf @@ -31,6 +32,7 @@ line: NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 state: present mode: '600' + create: true when: - toss_04_040640 | bool tags: From a5f4b5bc9a17144a513eb2d5cb0911607564e438 Mon Sep 17 00:00:00 2001 
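Review bot: `create: true` on these `lineinfile` tasks materialises /etc/aide/aide.conf containing only the DIR or NORMAL line when the file is absent, which is precisely the case where AIDE is not installed or is configured elsewhere; the control then reads as satisfied while no integrity checking is configured at all. On RHEL-family hosts the aide package reads /etc/aide.conf, so if TOSS follows that layout the created file is never consulted — worth confirming the path before enabling creation. Safer is to gate the edit on the real config being present (an `ansible.builtin.stat` on the path, then `when: aide_conf.stat.exists`) or to fail with a clear message rather than fabricate a fragment. The same change appears in all four hunks (TOSS_04_040630 DIR and NORMAL, TOSS_04_040640 DIR and NORMAL).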
From: Cat de Frates Date: Thu, 11 Jan 2024 13:58:23 -0800 Subject: [PATCH 03/13] Simplified TOSS-04-020320 (and 020210) to avoid opening too many file descriptors on systems with large a /etc/passwd file --- ansible/roles/stig/tasks/TOSS_04_020210.yml | 9 ++++----- ansible/roles/stig/tasks/TOSS_04_020320.yml | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020210.yml b/ansible/roles/stig/tasks/TOSS_04_020210.yml index 6855ee8..0295a67 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020210.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020210.yml @@ -15,20 +15,19 @@ - name: TOSS-04-020210 - All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group. block: - - name: Get the list of home directories not owned by the user's primary group, ignoring any errors from directories that don't exist on this system + - name: Get the list of home directories owned by interactive users ansible.builtin.shell: - cmd: | - set -o pipefail - awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&("stat -c '%g' " $6 | getline dir_group)&&(dir_group!=$4){print $1,$6,$4}' /etc/passwd 2>/dev/null + cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $1,$6,$4}' /etc/passwd" register: home_dirs changed_when: false failed_when: home_dirs.rc not in [0,1] check_mode: false - - name: Change the owner of the local interactive user's home directory + - name: Set the owner of the local interactive user's home directory ansible.builtin.file: path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' loop: '{{ home_dirs.stdout_lines }}' + failed_when: false when: - not toss_04_020320 | bool - toss_04_020210 | bool diff --git a/ansible/roles/stig/tasks/TOSS_04_020320.yml b/ansible/roles/stig/tasks/TOSS_04_020320.yml index 8b419f7..32280e7 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020320.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020320.yml 
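Review bot: `failed_when: false` on the `ansible.builtin.file` task suppresses every failure, not just the unmounted-home case it is meant to tolerate, so a chgrp refused by an NFS export with root squashing, a GID with no group entry, or a permission error all report ok and the control looks enforced when it is not. Register the result and scope the suppression to the absent case, e.g. `register: chgrp_result` and `failed_when: "chgrp_result.failed and 'is absent' not in chgrp_result.msg | default('')"` (confirm the exact wording the file module uses), or stat each path first and skip the missing ones. Dropping the in-awk `stat` also means the file module is now invoked for every interactive user's home rather than only the mismatched ones; it is idempotent, but on network homes that is one lookup per user per run. The same pattern is in the TOSS_04_020320 hunk of this commit; the block's `when` continues after the hunk.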
@@ -12,20 +12,19 @@ - name: TOSS-04-020320 - All TOSS local interactive user home directories must be owned by the user's primary group. block: - - name: Get the list of home directories not owned by the user's primary group, ignoring any errors from directories that don't exist on this system + - name: Get the list of home directories owned by interactive users ansible.builtin.shell: - cmd: | - set -o pipefail - awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&("stat -c '%g' " $6 | getline dir_group)&&(dir_group!=$4){print $1,$6,$4}' /etc/passwd 2>/dev/null + cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $1,$6,$4}' /etc/passwd" register: home_dirs changed_when: false failed_when: home_dirs.rc not in [0,1] check_mode: false - - name: Change the owner of the local interactive user's home directory + - name: Set the owner of the local interactive user's home directory ansible.builtin.file: path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' loop: '{{ home_dirs.stdout_lines }}' + failed_when: false when: - toss_04_020320 | bool tags: From 435973407c889ce61fe483b45344e4ded9ee96cb Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Fri, 12 Jan 2024 10:43:30 -0800 Subject: [PATCH 04/13] Changed shell command in TOSS_04_020300 to allow for directories with 770 or less permissive --- ansible/roles/stig/tasks/TOSS_04_020300.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020300.yml b/ansible/roles/stig/tasks/TOSS_04_020300.yml index 7370995..6b9bfad 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020300.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020300.yml 
@@ -12,7 +12,7 @@ block: - name: Get all local users from /etc/passwd, ignoring any errors from directories that don't exist on this system ansible.builtin.shell: - cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $6}' /etc/passwd) -xdev -maxdepth 0 -not -perm 770 2> /dev/null" + cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $6}' /etc/passwd) -xdev -maxdepth 0 -perm /007 2> /dev/null" register: local_users changed_when: false failed_when: local_users.rc not in [0,1] From 2d1a38aba6195f4879bb095b79cf84eba1635dfe Mon Sep 17 00:00:00 2001 From: Cat <44553826+cdefrates@users.noreply.github.com> Date: Tue, 16 Jan 2024 10:08:42 -0800 Subject: [PATCH 05/13] Update TOSS_04_020210.yml --- ansible/roles/stig/tasks/TOSS_04_020210.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020210.yml b/ansible/roles/stig/tasks/TOSS_04_020210.yml index 0295a67..dc7c658 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020210.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020210.yml @@ -22,7 +22,7 @@ changed_when: false failed_when: home_dirs.rc not in [0,1] check_mode: false - - name: Set the owner of the local interactive user's home directory + - name: Set the group of the local interactive user's home directory ansible.builtin.file: path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' From 271017acdee66292654111a6b36c75b45c80b74f Mon Sep 17 00:00:00 2001 From: Cat <44553826+cdefrates@users.noreply.github.com> Date: Tue, 16 Jan 2024 10:16:59 -0800 Subject: [PATCH 06/13] Update TOSS_04_020320.yml --- ansible/roles/stig/tasks/TOSS_04_020320.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020320.yml b/ansible/roles/stig/tasks/TOSS_04_020320.yml index 32280e7..bc2a85e 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020320.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020320.yml 
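Review bot: `-perm /007` flags a home directory only when some world bit is set, so 0770 and 0760 directories pass although group-write on a home directory is what the usual 0750-or-less-permissive wording of this control forbids; if 770 is an approved site deviation it should be recorded in the task name or a comment, otherwise `-perm /027` catches group-write as well as any world access. Separately, when no interactive user exists `$(awk …)` expands to nothing and the command becomes `find -xdev -maxdepth 0 -perm /007`, which examines `.` (the shell task's working directory) and can hand a stray `.` to the remediation that follows outside the hunk; `dirs=$(awk -F: '…' /etc/passwd); [ -z "$dirs" ] || find $dirs -xdev -maxdepth 0 -perm /027 2>/dev/null` (awk program unchanged) avoids that. Home paths containing whitespace are still split by the unquoted expansion, which is unlikely here but worth a comment.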
@@ -19,7 +19,7 @@ changed_when: false failed_when: home_dirs.rc not in [0,1] check_mode: false - - name: Set the owner of the local interactive user's home directory + - name: Set the group of the local interactive user's home directory ansible.builtin.file: path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' From 34196f9bfd47cba8293e2e601b546dfb87295623 Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 13:27:57 -0800 Subject: [PATCH 07/13] Added comments --- ansible/roles/stig/tasks/TOSS_04_020210.yml | 3 ++- ansible/roles/stig/tasks/TOSS_04_020230.yml | 3 ++- ansible/roles/stig/tasks/TOSS_04_020320.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020210.yml b/ansible/roles/stig/tasks/TOSS_04_020210.yml index dc7c658..7395772 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020210.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020210.yml @@ -27,7 +27,8 @@ path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' loop: '{{ home_dirs.stdout_lines }}' - failed_when: false + failed_when: false # This was include to ignore home directories that aren't mounted, but are in /etc/passwd + # Functionally the same as "ignore_errors: true", but will mark the missing home dirs as ok instead of failed, which seemed clearer to me since that is expected behavior when: - not toss_04_020320 | bool - toss_04_020210 | bool diff --git a/ansible/roles/stig/tasks/TOSS_04_020230.yml b/ansible/roles/stig/tasks/TOSS_04_020230.yml index 4d399e4..652419b 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020230.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020230.yml 
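Review bot: The new trailing comment on `failed_when: false` reads `This was include to ignore…`; `included` is meant, and the second line is long enough to wrap in any editor. A shorter form that also states the trade-off: `failed_when: false  # tolerate home dirs listed in /etc/passwd but not mounted here` followed by `# like ignore_errors: true, but reports ok rather than failed` on its own line (two spaces before an inline `#` is the yamllint default). The comment documents a narrower intent than the code has — every failure is swallowed, not only the missing-mount case it describes. The same text is in the TOSS_04_020320 hunk of this commit.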
@@ -23,11 +23,12 @@ local_users: '{{ ansible_facts.getent_passwd | dict2items }}' - name: Gather the home directories of local, interactive users ansible.builtin.stat: - path: '{{ item.value.4 }}' + path: '{{ item.value.4 }}' # The path to the interactive user's home directory, ex: /g/g0/defrates register: home_dirs loop: '{{ local_users }}' when: - item.value.1 | int >= 1000 and '/nologin' not in item.value.5 and '/false' not in item.value.5 + # item.value.1 is the UID and item.value.5 is the user's login script - name: Verify that all interactive users have a home directory. Users without a home directory might not be enabled and can be set as noninteractive (login shell set to /bin/false) ansible.builtin.user: name: '{{ item.item.key }}' diff --git a/ansible/roles/stig/tasks/TOSS_04_020320.yml b/ansible/roles/stig/tasks/TOSS_04_020320.yml index bc2a85e..6f456b9 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020320.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020320.yml @@ -24,7 +24,8 @@ path: '{{ item.split().1 }}' group: '{{ item.split().2 }}' loop: '{{ home_dirs.stdout_lines }}' - failed_when: false + failed_when: false # This was include to ignore home directories that aren't mounted, but are in /etc/passwd + # Functionally the same as "ignore_errors: true", but will mark the missing home dirs as ok instead of failed, which seemed clearer to me since that is expected behavior when: - toss_04_020320 | bool tags: From 8e8868babf4321772f8d5987a60d7411c9ebb334 Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 15:01:33 -0800 Subject: [PATCH 08/13] Included /dev/null as a login shell that defines noninteractive users --- ansible/roles/stig/tasks/TOSS_04_020210.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_020230.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_020300.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_020310.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_020320.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
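Review bot: The comment `item.value.5 is the user's login script` is inaccurate — the seventh passwd field (index 5 after `split: ':'`) is the login shell, which is exactly what the `/nologin` and `/false` tests inspect; `# item.value.1 is the UID, item.value.5 is the login shell` is correct. The inline comment on `path:` cites a site-specific example (`/g/g0/defrates`); `# home directory field from getent passwd` documents the same thing without baking a real account path into the role. Placing the explanation above the `when:` list item rather than after it keeps condition and comment adjacent if the list grows.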
diff --git a/ansible/roles/stig/tasks/TOSS_04_020210.yml b/ansible/roles/stig/tasks/TOSS_04_020210.yml index 7395772..7aeb991 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020210.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020210.yml @@ -17,7 +17,7 @@ block: - name: Get the list of home directories owned by interactive users ansible.builtin.shell: - cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $1,$6,$4}' /etc/passwd" + cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /null/){print $1,$6,$4}' /etc/passwd" register: home_dirs changed_when: false failed_when: home_dirs.rc not in [0,1] diff --git a/ansible/roles/stig/tasks/TOSS_04_020230.yml b/ansible/roles/stig/tasks/TOSS_04_020230.yml index 652419b..6bcd6eb 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020230.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020230.yml @@ -27,7 +27,7 @@ register: home_dirs loop: '{{ local_users }}' when: - - item.value.1 | int >= 1000 and '/nologin' not in item.value.5 and '/false' not in item.value.5 + - item.value.1 | int >= 1000 and '/nologin' not in item.value.5 and '/false' not in item.value.5 and '/dev/null' not in item.value.5 # item.value.1 is the UID and item.value.5 is the user's login script - name: Verify that all interactive users have a home directory. Users without a home directory might not be enabled and can be set as noninteractive (login shell set to /bin/false) ansible.builtin.user: diff --git a/ansible/roles/stig/tasks/TOSS_04_020300.yml b/ansible/roles/stig/tasks/TOSS_04_020300.yml index 6b9bfad..e5542c4 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020300.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020300.yml 
@@ -12,7 +12,7 @@ block: - name: Get all local users from /etc/passwd, ignoring any errors from directories that don't exist on this system ansible.builtin.shell: - cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $6}' /etc/passwd) -xdev -maxdepth 0 -perm /007 2> /dev/null" + cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /dev\/null){print $6}' /etc/passwd) -xdev -maxdepth 0 -perm /007 2> /dev/null" register: local_users changed_when: false failed_when: local_users.rc not in [0,1] diff --git a/ansible/roles/stig/tasks/TOSS_04_020310.yml b/ansible/roles/stig/tasks/TOSS_04_020310.yml index ec7a3b3..8651895 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020310.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020310.yml @@ -10,7 +10,7 @@ block: - name: Get the list of home directories not owned by root, ignoring any errors from directories that don't exist on this system ansible.builtin.shell: - cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $6}' /etc/passwd) -xdev -maxdepth 0 -not -user root 2> /dev/null" + cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /null/){print $6}' /etc/passwd) -xdev -maxdepth 0 -not -user root 2> /dev/null" register: home_dirs changed_when: false failed_when: local_users.rc not in [0,1] diff --git a/ansible/roles/stig/tasks/TOSS_04_020320.yml b/ansible/roles/stig/tasks/TOSS_04_020320.yml index 6f456b9..6874dfc 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020320.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020320.yml @@ -14,7 +14,7 @@ block: - name: Get the list of home directories owned by interactive users ansible.builtin.shell: - cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/){print $1,$6,$4}' /etc/passwd" + cmd: "awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /null/){print $1,$6,$4}' /etc/passwd" register: home_dirs changed_when: false failed_when: home_dirs.rc not in [0,1] 
From 5b1fe91bde65ed58274685f5bd4021745c8458fc Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 15:08:49 -0800 Subject: [PATCH 09/13] Removed extra '\' --- ansible/roles/stig/tasks/TOSS_04_020300.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020300.yml b/ansible/roles/stig/tasks/TOSS_04_020300.yml index e5542c4..964b26e 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020300.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020300.yml @@ -12,7 +12,7 @@ block: - name: Get all local users from /etc/passwd, ignoring any errors from directories that don't exist on this system ansible.builtin.shell: - cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /dev\/null){print $6}' /etc/passwd) -xdev -maxdepth 0 -perm /007 2> /dev/null" + cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /null){print $6}' /etc/passwd) -xdev -maxdepth 0 -perm /007 2> /dev/null" register: local_users changed_when: false failed_when: local_users.rc not in [0,1] From d9f900fcbe70352b434551916488494b6d5f047a Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 15:13:30 -0800 Subject: [PATCH 10/13] Replaced an old variable name --- ansible/roles/stig/tasks/TOSS_04_020310.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_020310.yml b/ansible/roles/stig/tasks/TOSS_04_020310.yml index 8651895..ae098af 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020310.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020310.yml @@ -13,7 +13,7 @@ cmd: "find $(awk -F: '($3>=1000)&&($7 !~ /nologin/)&&($7 !~ /false/)&&($7 !~ /null/){print $6}' /etc/passwd) -xdev -maxdepth 0 -not -user root 2> /dev/null" register: home_dirs changed_when: false - failed_when: local_users.rc not in [0,1] + failed_when: home_dirs.rc not in [0,1] check_mode: false - name: Change the owner of the local interactive user's home directory ansible.builtin.file: 
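Review bot: Removing the backslash also removed the closing slash of the awk regex: `($7 !~ /null){print $6}` is now an unterminated regexp, so awk exits with a syntax error, the command substitution expands to nothing, and `find -xdev -maxdepth 0 -perm /007` runs against `.` instead of the home directories; find's rc stays within `[0,1]`, so the task reports success while checking nothing. The intended form, and what the sibling files TOSS_04_020210/020310/020320 use after the previous commit, is `($7 !~ /null/)`. Matching `null` as a substring is broader than the exact `/dev/null` that TOSS_04_020230 checks; that is acceptable, but a short comment saying so keeps the five files reconcilable.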
From dca9aaec932c5421a7791701e467396a9d60443c Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 15:52:50 -0800 Subject: [PATCH 11/13] Added in a missing check_mode option --- ansible/roles/stig/tasks/TOSS_04_010020.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/stig/tasks/TOSS_04_010020.yml b/ansible/roles/stig/tasks/TOSS_04_010020.yml index 6730bce..0d0f565 100644 --- a/ansible/roles/stig/tasks/TOSS_04_010020.yml +++ b/ansible/roles/stig/tasks/TOSS_04_010020.yml @@ -22,6 +22,7 @@ command: 'ssh-keygen -y -f {{ item }}' responses: 'Enter Passphrase:': '*.' + check_mode: false register: passphrase_prompts changed_when: false failed_when: false From 4fa40ce1da910865fd4d5d087453b05a5a490200 Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Tue, 16 Jan 2024 18:02:56 -0800 Subject: [PATCH 12/13] Fixed some typos that wrote incorrect data or just duplicated a line instead of overwriting --- ansible/roles/stig/tasks/TOSS_04_010180.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_010230.yml | 2 +- ansible/roles/stig/tasks/TOSS_04_020050.yml | 6 +++--- ansible/roles/stig/tasks/TOSS_04_040010.yml | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_010180.yml b/ansible/roles/stig/tasks/TOSS_04_010180.yml index c3b073c..e1afb4c 100644 --- a/ansible/roles/stig/tasks/TOSS_04_010180.yml +++ b/ansible/roles/stig/tasks/TOSS_04_010180.yml @@ -20,7 +20,7 @@ ansible.builtin.lineinfile: path: /etc/chrony/chrony.conf create: true - regexp: maxpoll 16 + regexp: server ntp2.usno.navy.mil iburst maxpoll 16 line: server tick.usno.navy.mil iburst maxpoll 16 state: present mode: '600' diff --git a/ansible/roles/stig/tasks/TOSS_04_010230.yml b/ansible/roles/stig/tasks/TOSS_04_010230.yml index 01551a8..2b31187 100644 --- a/ansible/roles/stig/tasks/TOSS_04_010230.yml +++ b/ansible/roles/stig/tasks/TOSS_04_010230.yml 
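Review bot: The `responses` key `'Enter Passphrase:'` is matched case-sensitively by the expect module, while the prompt ssh-keygen prints for `-y -f` on the OpenSSH builds I know is `Enter passphrase:` with a lowercase p; if it does not match, each encrypted key sits until the expect timeout and, with `failed_when: false`, the registered result is indistinguishable from a key that has no passphrase, so the check that consumes `passphrase_prompts` (outside the hunk) would judge the wrong way. Make the match case-insensitive, `'(?i)enter passphrase:': '*.'`, and set an explicit `timeout:` so a non-matching prompt fails fast instead of stalling the play per key. Adding `check_mode: false` is right since the task only reads the key, but `{{ item }}` is spliced into the command unquoted and a key path with whitespace would likely be split by the module's argument parsing.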
@@ -25,7 +25,7 @@ ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$ - line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2 + line: Defaults \1timestamp_timeout = {{ var_sudo_timestamp_timeout }}\2 validate: /usr/sbin/visudo -cf %s backrefs: true register: edit_sudoers_timestamp_timeout_option diff --git a/ansible/roles/stig/tasks/TOSS_04_020050.yml b/ansible/roles/stig/tasks/TOSS_04_020050.yml index 290a4df..8518989 100644 --- a/ansible/roles/stig/tasks/TOSS_04_020050.yml +++ b/ansible/roles/stig/tasks/TOSS_04_020050.yml @@ -22,9 +22,9 @@ value: "{{ item.value }}" mode: '0600' loop: # TODO: need to find how SysAdmins want ccertificates mapped - - { option: '^matchrule', value: ''} - - { option: '^maprule', value: ''} - - { option: '^domains', value: ''} + - { option: 'matchrule', value: ''} + - { option: 'maprule', value: ''} + - { option: 'domains', value: ''} register: result when: - toss_04_020050 | bool diff --git a/ansible/roles/stig/tasks/TOSS_04_040010.yml b/ansible/roles/stig/tasks/TOSS_04_040010.yml index fb118e8..449cb35 100644 --- a/ansible/roles/stig/tasks/TOSS_04_040010.yml +++ b/ansible/roles/stig/tasks/TOSS_04_040010.yml @@ -48,6 +48,7 @@ - name: 'Configure' ansible.builtin.lineinfile: path: /etc/rsyslog.conf + regexp: '{{ item.item.0.selector }} .*\/var\/log\/secure.*$' line: '{{ item.item.0.selector }} /var/log/secure' insertafter: ^.*\/var\/log\/secure.*$ create: true From c62829b6c98919100cb848285e9b1bcd84117ce3 Mon Sep 17 00:00:00 2001 From: Cat de Frates Date: Wed, 17 Jan 2024 10:32:40 -0800 Subject: [PATCH 13/13] Revert TOSS_04_010180 --- ansible/roles/stig/tasks/TOSS_04_010180.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/stig/tasks/TOSS_04_010180.yml b/ansible/roles/stig/tasks/TOSS_04_010180.yml index e1afb4c..c3b073c 100644 --- a/ansible/roles/stig/tasks/TOSS_04_010180.yml 
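Review bot: The loop still writes `matchrule`, `maprule` and `domains` with an empty `value: ''` into the certificate-mapping config on every run, so until the TODO is resolved the role asserts a mapping of nothing; depending on how the consumer treats an empty `matchrule` (the module is outside the hunk, it looks like an ini_file edit), that can mean "no certificate matches" or "any certificate matches", and the latter is the dangerous direction for a PKI login control. Skip the writes until real values exist, `when: item.value | length > 0` on the task (or keep the whole task behind a variable that defaults to false), and leave a comment naming the check so the placeholder is not mistaken for configuration. The `register: result` and the block's `when` are context here; the task header is outside the hunk.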
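Review bot: `regexp: '{{ item.item.0.selector }} .*\/var\/log\/secure.*$'` interpolates the rsyslog selector unescaped into a regular expression; selectors such as `auth.*` contain `.` and `*`, so as a regex `auth.*` also matches an `authpriv.* /var/log/secure` line and lineinfile rewrites a different selector's entry in place of adding the intended one (and only the last match, if several). Escape it and accept tab-separated entries: `regexp: '^{{ item.item.0.selector | regex_escape }}\s+.*\/var\/log\/secure'`. With `create: true` a missing /etc/rsyslog.conf is created containing only this selector line, which yields a config without the module loads rsyslog needs; probably acceptable for this control but worth a comment. The loop and register for this task are outside the hunk.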
+++ b/ansible/roles/stig/tasks/TOSS_04_010180.yml @@ -20,7 +20,7 @@ ansible.builtin.lineinfile: path: /etc/chrony/chrony.conf create: true - regexp: server ntp2.usno.navy.mil iburst maxpoll 16 + regexp: maxpoll 16 line: server tick.usno.navy.mil iburst maxpoll 16 state: present mode: '600'
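Review bot: The restored `regexp: maxpoll 16` is an unanchored substring match, so lineinfile rewrites whichever line last contains `maxpoll 16` — a `pool` entry or a different `server` line — into `server tick.usno.navy.mil iburst maxpoll 16`, and if two such lines exist the other survives untouched; the commit message does not say why the more specific pattern was reverted, so this may be deliberate. Pinning the pattern to the host the line manages, `regexp: '^\s*server\s+tick\.usno\.navy\.mil\b'`, makes the task converge on that one entry without touching other time sources, and any other `maxpoll 16` requirement can get its own task. The task continues past the hunk.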