
rhel8-stig's Introduction

RHEL 8 DISA STIG

Configure a RHEL8 based system to be compliant with the DISA STIG.

This role is based on RHEL 8 DISA STIG: Version 1, Rel 13 released on Jan 24, 2024.




Looking for support?

Lockdown Enterprise

Ansible support

Community

Join us on our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users.


Configure a RHEL/Rocky 8 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting rhel8stig_disruption_high to true.

Updating

Coming from a previous release?

As with all releases and updates, it is suggested to test and align controls. This release contains rewrites and ID reference changes as per the STIG documentation.

Auditing

This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default; please refer to the wiki for more details. The defaults file also populates the goss checks so that only the controls enabled in the Ansible role are checked.

This is a quick, very lightweight, check (where possible) of config compliance and live/running settings.

A form of auditing has been developed using a small (12MB) Go binary called goss along with the relevant configurations to check, without the need for infrastructure or other tooling. This audit will not only check that the config has the correct setting but also aims to capture whether the system is actually running with that configuration, removing false positives in the process.

Documentation

Requirements

  • RHEL/Rocky/AlmaLinux/OL 8 - Other versions are not supported.
  • Other OSs can be checked by changing the skip_os_check to true for testing purposes.
  • Access to download or add the goss binary and content to the system if using auditing. Options are available on how to get the content to the system.

Dependencies

The following packages must be installed on the controlling host (the host where Ansible is executed):

  • python2-passlib (or just passlib, if using python3)
  • python-lxml

The python(2)-passlib package is required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.

Role Variables

This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

Tags

There are many tags available for added control precision. Each control has its own set of tags noting the control number as well as which parts of the system that control addresses.

Below is an example of the tag section from a control within this role. Using this example, if you set your run to skip all controls with the tag ssh, this task will be skipped. The opposite is also possible: run only the controls tagged with ssh.

tags:
    - RHEL-08-010050
    - ssh
    - dod_logon_banner

Example Audit Summary

This is based on a vagrant image with selections enabled, e.g. no GUI or firewall. Note: more tests are run during audit, as we check both config and running state.

ok: [rocky8_efi] =>
  msg:
  - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.'
  - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.'
  - Full breakdown can be found in /opt

PLAY RECAP ****************************************************************************************************************
rocky8_efi                 : ok=482  changed=269  unreachable=0    failed=0    skipped=207  rescued=0    ignored=0

Branches

  • devel - This is the default branch and the working development branch. Community pull requests will pull into this branch
  • main - This is the release branch
  • reports - This is a protected branch for our scoring reports, no code should ever go here
  • gh_pages - github pages
  • all other branches - Individual community member branches

Containers - testing

  • system_is_container

This is set to false in defaults/main.yml. If the host is discovered to be a container type, or ansible_connection == docker, it is set to true. Some controls will be skipped when this is true, as they are not applicable at all. Others run a subset of controls found in vars/is_container.yml, based on a vendor-supplied, unaltered image.

  • container_vars_file: is_container.yml

In this vars file the controls are grouped into tags, so if the container does later have ssh it could be re-enabled by loading an alternative vars file.

Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

  • Your work is done in your own individual branch. Make sure to sign off and GPG-sign all commits you intend to merge.
  • All community Pull Requests are pulled into the devel branch
  • Pull Requests into devel will confirm your commits have a GPG signature, a Signed-off-by line, and a functional test before being approved
  • Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release.

Pipeline Testing

uses:

  • ansible-core 2.12
  • ansible collections - pulls in the latest version based on requirements file
  • runs the audit using the devel branch
  • This is an automated test that occurs on pull requests into devel

Known Issues

If adopting STIG rule RHEL-08-040134, this will affect cloud-init as per bug 1839899.

Support

This is a community project at its core and will be managed as such.

If you are interested in dedicated support to assist or provide bespoke setups

Credits

This repo originated from work done by Sam Doran

Added Extras

  • makefile - this is there purely for testing and initial setup purposes.
  • pre-commit can be tested and run from within the directory with:
pre-commit run

Credits and Thanks

Massive thanks to the fantastic community and all its members. This includes a huge thanks and credit to the original authors and maintainers.

Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

rhel8-stig's People

Contributors

asomiddinrustamov, bbaassssiiee, billskico, carnells, ccravens, danbarr, dfederlein, fallenpixel, georgenalen, governmentsponsored, jacobbuskirk, jsurf, matthew-willis, mrsteve81, phenix66, poundsofflesh, pre-commit-ci[bot], qwestduck, uk-bolly, whitehat237


rhel8-stig's Issues

RHEL-08-020040: TMUX Lock-Command Config | Incomplete Regex

Describe the Issue

The regex for RHEL-08-020040 is incomplete, causing other lines in the configuration to get overwritten (as they match the regex first) -- even if the intended line already existed in the configuration!

Expected Behavior

Only apply line if needed.

Actual Behavior

Can overwrite a completely different line in the config, and in some cases DUPLICATES the intended line.

Control(s) Affected

RHEL-08-020040

Possible Solution

See #132

modprobe modifications for

Describe the Issue
SCAP scans report the modprobe modifications as non-compliant.
SRG-OS-000095-GPOS-00049 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - Fail
SRG-OS-000095-GPOS-00049 - RHEL 8 must disable the controller area network (CAN) protocol. - Fail
SRG-OS-000095-GPOS-00049 - RHEL 8 must disable the stream control transmission protocol (SCTP). - Fail
SRG-OS-000095-GPOS-00049 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - Fail

The issue is that the RHEL-08-040021, RHEL-08-040022, RHEL-08-040023 and RHEL-08-040024 controls in the RHEL8-STIG add uppercase entries into the blacklist.conf. (Note: It is strange that it is listed in upper case in the DOD Stig Viewer resolution instructions.)

Expected Behavior
Modprobe entries should be added in lower case. (I have never seen uppercase module names in Linux.)

Actual Behavior
Modprobe blacklist entries are being added in uppercase, thus the check fails when running our SCAP scans.

Control(s) Affected
RHEL-08-040021, RHEL-08-040022, RHEL-08-040023 and RHEL-08-040024

Environment (please complete the following information):
ansible 2.10.7
ansible-base 2.10.12
ansible-lint 5.1.3

Possible Solution
Change the modprobe.d blacklist modifications from upper to lowercase. (I manually made the change and now the SCAP scans pass those checks.)

Error applying playbooks referencing changes in sssd.conf

This check in prelim.yml is doing a find / -name sssd.conf and where this file does exist, the syntax for each file doesn't necessarily apply for that location.

i.e.:

cat /usr/share/logwatch/default.conf/services/sssd.conf
# You can put comments anywhere you want to.  They are effective for the
# rest of the line.

# this is in the format of <name> = <value>.  Whitespace at the beginning
# and end of the lines is removed.  Whitespace before and after the = sign
# is removed.  Everything is case *insensitive*.

# Yes = True  = On  = 1
# No  = False = Off = 0

Title = "SSSD"

# Which logfile group...
LogFile = messages

# Only give lines pertaining to the sssd service...
*OnlyService = sssd
*RemoveHeaders

# vi: shiftwidth=3 tabstop=3 et

and this one below isn't the sssd.conf referenced in the service.

cat /usr/lib64/sssd/conf/sssd.conf
[sssd]
services = nss, pam
domains = shadowutils

[nss]

[pam]

[domain/shadowutils]
id_provider = files

auth_provider = proxy
proxy_pam_target = sssd-shadowutils

proxy_fast_alias = True

I'm wondering if the playbook is trying to put lines in a file where, in some locations, it won't work correctly.
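One way to make the pre-task above select only the file sssd actually loads, as an added example that is not part of the role or of this issue: parse each candidate as an INI file and require an [sssd] section, then require the path to be under /etc/sssd. The three sample files are constructed for the example (shortened versions of the two files quoted above plus a minimal real config); the directory list and the `classify_candidate` name are this example's assumptions.

```python
import configparser
from pathlib import PurePosixPath

# Directories sssd reads its configuration from; a file named sssd.conf found
# anywhere else by "find / -name sssd.conf" belongs to some other program.
SSSD_CONF_DIRS = ("/etc/sssd", "/etc/sssd/conf.d")


def classify_candidate(path: str, text: str) -> str:
    """Decide whether a file named sssd.conf is one the role should edit.

    Returns "edit" or a "skip: <reason>" string.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        # e.g. the logwatch service definition: "key = value" lines with no
        # [section] header, so it is not an sssd INI file at all
        return "skip: not an INI file with an [sssd] section"
    if "sssd" not in parser:
        return "skip: not an INI file with an [sssd] section"
    if str(PurePosixPath(path).parent) not in SSSD_CONF_DIRS:
        return "skip: outside the directories sssd loads"
    return "edit"


# Constructed samples, not copied from a real host
LOGWATCH_SSSD_CONF = """\
# logwatch service definition: key = value, no section headers
Title = "SSSD"
LogFile = messages
*OnlyService = sssd
*RemoveHeaders
"""

BUNDLED_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = shadowutils

[domain/shadowutils]
id_provider = files
"""

REAL_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example

[pam]
"""

CANDIDATES = {
    "/usr/share/logwatch/default.conf/services/sssd.conf": LOGWATCH_SSSD_CONF,
    "/usr/lib64/sssd/conf/sssd.conf": BUNDLED_SSSD_CONF,
    "/etc/sssd/sssd.conf": REAL_SSSD_CONF,
}


def files_to_edit(candidates=CANDIDATES):
    """Return only the paths the role should touch."""
    return [p for p, text in candidates.items() if classify_candidate(p, text) == "edit"]


if __name__ == "__main__":
    for candidate, content in CANDIDATES.items():
        print(f"{candidate}: {classify_candidate(candidate, content)}")
```

The parse step rejects the logwatch file, and the path step rejects the copy shipped under /usr/lib64, which is valid INI but is not what the sssd service reads; only /etc/sssd/sssd.conf is left for lineinfile to edit.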

RHEL-08-020040/41 needs additional configuration.

tmux is not fully implemented after "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization" has been applied. So, tmux does not get launched on remote sessions.

Expected Behavior
tmux should be running for session control.

Actual Behavior
tmux is not running.

Control(s) Affected
What controls are being affected by the issue: RHEL-08-020041

Possible Solution
Append the line: [ -n "$PS1" -a -z "$TMUX" ] && exec tmux at the end of the /etc/bashrc file to enable session control for remote sessions.

RHEL-08-010292 failing

Describe the Issue
The task to set "SSH_USE_STRONG_RNG" is failing to do the job properly.

Expected Behavior
In the /etc/sysconfig/sshd file:

SSH_USE_STRONG_RNG=32
# SSH_USE_STRONG_RNG=1

Actual Behavior

SSH_USE_STRONG_RNG=0
SSH_USE_STRONG_RNG=32

Control(s) Affected
RHEL-08-010292

Environment (please complete the following information):

  • Ansible Version: 2.11.4
  • Host Python Version: 3.9.7
  • Ansible Server Python Version: 3.9.7
  • Additional Details: Tenable Nessus 8.15.2

Additional Notes
Tested with my change successfully

Possible Solution
Replace the regexp line:
regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG='
with:
regexp: '^(#)?SSH_USE_STRONG_RNG='
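Both this issue and the RHEL-08-020040 one above come down to the same lineinfile property: when regexp matches several lines, only the last match is replaced. The block below is an added example (not code from the role or from either issue) that models that behaviour in a few lines of Python and runs the old and proposed regexps over constructed sample files. The two SSH_USE_STRONG_RNG regexps are the ones quoted in this issue; the tmux patterns are this example's assumptions (a loose `lock-command` match versus an anchored one), since the role's actual RHEL-08-020040 regexp is not quoted on the page.

```python
import re


def lineinfile(text: str, regexp: str, line: str) -> str:
    """Illustrative model of Ansible lineinfile with regexp + line (not the module itself):
    the LAST line matching regexp is replaced; if none matches, line is appended at EOF."""
    lines = text.splitlines()
    pattern = re.compile(regexp)
    hits = [i for i, current in enumerate(lines) if pattern.search(current)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def active_values(text: str, key: str):
    """Values assigned to key on non-comment lines, in file order."""
    values = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#") or not stripped.startswith(key + "="):
            continue
        values.append(stripped.split("=", 1)[1])
    return values


# --- RHEL-08-010292: constructed sample of /etc/sysconfig/sshd ---
SSHD_SYSCONFIG = """\
# constructed sample, not a real host's file
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
"""
OLD_RNG_REGEXP = r"^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG="   # the role's regexp per this issue
NEW_RNG_REGEXP = r"^(#)?SSH_USE_STRONG_RNG="                      # the proposed replacement
RNG_LINE = "SSH_USE_STRONG_RNG=32"

# --- RHEL-08-020040: constructed sample of /etc/tmux.conf ---
TMUX_CONF = """\
set -g lock-command vlock
set -g lock-after-time 900
# note: lock-command must point at vlock
"""
LOOSE_TMUX_REGEXP = r"lock-command"                              # assumed loose pattern
ANCHORED_TMUX_REGEXP = r"^\s*set(?:-option)?\s+-g\s+lock-command\b"   # assumed fix
TMUX_LINE = "set -g lock-command vlock"


if __name__ == "__main__":
    print(lineinfile(SSHD_SYSCONFIG, OLD_RNG_REGEXP, RNG_LINE))   # comment line overwritten, =0 survives
    print(lineinfile(SSHD_SYSCONFIG, NEW_RNG_REGEXP, RNG_LINE))   # =0 replaced, comment kept
    print(lineinfile(TMUX_CONF, LOOSE_TMUX_REGEXP, TMUX_LINE))    # comment overwritten, line duplicated
    print(lineinfile(TMUX_CONF, ANCHORED_TMUX_REGEXP, TMUX_LINE)) # unchanged: already compliant
```

With the old sshd regexp the `^.*` alternative also matches the commented-out line, which is the last match, so the active `SSH_USE_STRONG_RNG=0` is left in place; the anchored `^(#)?` pattern does not match `# SSH_USE_STRONG_RNG=1` (there is a space after the `#`) and so replaces the live setting. The tmux case shows the duplication described in the other issue: a pattern that can match a comment or an unrelated option replaces that line instead of the intended one.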

rocky linux support

Now that CentOS has removed the repos for CentOS 8 (mirror.centos.org) and only the Stream versions are available, are there any plans for Rocky Linux support? We prefer to run CentOS in our dev and UAT environments and like to keep our versions in line with RHEL. If we go to Stream, this is not possible, because Stream is more of an alpha version than following RHEL like CentOS did.

sssd.conf issues

Could have made another pull request but since you seem to rework the complete playbook anyways it seems to be better to create a bug report.

sssd.conf must have 0600 permission, otherwise the daemon does not start
See:
vitecde@bb0f215

Another thing we are not sure how to handle.
Currently the playbook checks if sssd.conf exists in a pre-task and skips several of the tasks if the file does not exist, but the sssd rpm does not provide an sssd.conf file, so the tasks are skipped when running the playbook on a freshly installed system. We currently work around the issue by creating an empty sssd.conf. Wondering if the check for existence makes sense or if this playbook should just create the file when it does not exist.

List dependencies in requirements.txt

Describe the Issue
The README.md file lists python dependencies, however a requirements.txt file is not present.

Expected Behavior
A requirements.txt file with this content to report dependencies in a machine-readable format:

passlib
lxml
xmltodict
jmespath

Actual Behavior
File is absent

Control(s) Affected
NA

Environment (please complete the following information):

  • Ansible Version: all
  • Host Python Version: all
  • Ansible Server Python Version: all
  • Additional Details:

Additional Notes
requirements.txt is used in pip install, or in creating execution environments.

Possible Solution
Wait for the PR

RHEL-08-010295: GnuTLS Encryption | Line Bug

Describe the Issue

When applying RHEL-08-010295, RHEL8-STIG looks for +VERS-ALL: and then applies the contents of the rhel8stig_gnutls_encryption after it using backrefs. However, this causes +VERS-ALL: to be added again every time the STIG playbook is run.

This causes Ansible to report it as "changed" every time even when it shouldn't, as a compliant file still gets edited.

Expected Behavior

Only add the +VERS-ALL: and rhel8stig_gnutls_encryption if required.

Actual Behavior

Duplicate +VERS-ALL added each time, i.e. after two runs:

+VERS-ALL:+VERS-ALL:+VERS-ALL:-VERS-DTLS0.9...etc.

Reports changed every time, as the file is being changed.

Control(s) Affected

RHEL-08-010295
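An idempotent way to place the version string, as an added example that is not code from the role or from this issue: find the `+VERS-ALL:` token on the `SYSTEM=` line, collapse any repeated tokens an earlier run left behind, and only rewrite the line when the required string is absent. The required version string is the one the STIG check for RHEL-08-010295 looks for; the two sample config lines are constructed and much shorter than a real gnutls.config.

```python
import re

# Version string RHEL-08-010295 expects in /etc/crypto-policies/back-ends/gnutls.config
REQUIRED_VERSIONS = "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0"


def ensure_gnutls_versions(text: str, required: str = REQUIRED_VERSIONS):
    """Idempotently insert `required` where +VERS-ALL: appears on the SYSTEM= line.

    Returns (new_text, changed). Runs of repeated "+VERS-ALL:" tokens, the state
    this issue describes after several non-idempotent runs, are collapsed first,
    so the function also repairs an already-duplicated file.
    """
    out, changed = [], False
    for line in text.splitlines():
        new = line
        if line.startswith("SYSTEM=") and "+VERS-ALL:" in line:
            new = re.sub(r"(?:\+VERS-ALL:)+", "+VERS-ALL:", line)
            if required not in new:
                new = new.replace("+VERS-ALL:", required + ":", 1)
        changed = changed or new != line
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed samples (a real gnutls.config line is considerably longer)
FRESH_CONFIG = "SYSTEM=NONE:+VERS-ALL:+COMP-NULL:+SIGN-ALL\n"
DUPLICATED_CONFIG = (
    "SYSTEM=NONE:+VERS-ALL:+VERS-ALL:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0"
    ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:+SIGN-ALL\n"
)


if __name__ == "__main__":
    first, changed = ensure_gnutls_versions(FRESH_CONFIG)
    print(changed, first, end="")
    second, changed = ensure_gnutls_versions(first)   # second run: no change reported
    print(changed, second, end="")
```

Because the rewrite is driven by "is the required string present" rather than by a backreference substitution, a compliant file is left untouched and the task can report changed only when it actually edits something.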

rhel8stig_local_int_home_file_perms default set incorrectly

Describe the Issue
In defaults/main.yml, approximately line 553, the variable rhel8stig_local_int_home_file_perms: is set to 750. The system interprets this as a decimal number and converts it to 1356 octal. Directories inside user home directories then have '1356' permissions and you are unable to read the contents of any directory inside your home.

Expected Behavior
The variable should be set as '0750' to ensure the octal notation of permissions are used, and users can access directories inside their home.

Actual Behavior
Directories inside user home directories have '1356' permissions and you are unable to read the contents of any directory inside your home.

Possible Solution
Change the variable default to '0750'.
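A small lint for this class of mistake, as an added example that is not part of the role: scan YAML text for variables whose name contains `mode` or `perms` and classify each raw value as quoted, leading-zero octal, or a bare decimal integer, reporting the octal mode a bare integer would actually become. The YAML excerpt is constructed in the style of defaults/main.yml; apart from rhel8stig_local_int_home_file_perms, the variable names in it are this example's assumptions.

```python
import re

# "name_with_mode_or_perms: value" at any indentation, optionally as a list item
MODE_LINE_RE = re.compile(
    r"^\s*(?:-\s+)?([A-Za-z0-9_]*(?:mode|perms)[A-Za-z0-9_]*)\s*:\s*(\S+)\s*$"
)


def classify_mode(value: str):
    """Return (status, octal_or_raw) for the raw YAML token assigned to a mode variable."""
    if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
        digits = value[1:-1]
        try:
            # quoted: Ansible's file module receives a string and parses it as octal
            return ("ok-quoted", f"0o{int(digits, 8):o}")
        except ValueError:
            return ("ok-quoted-symbolic", digits)   # e.g. 'u=rwx,g=rx,o='
    if re.fullmatch(r"0[0-7]+", value):
        # leading zero: the YAML parser reads it as octal, so the integer is right
        return ("ok-leading-zero", f"0o{int(value, 8):o}")
    if value.isdigit():
        # bare integer: parsed as decimal and used as-is, so 750 means 0o1356
        return ("decimal-int", f"0o{int(value, 10):o}")
    return ("unknown", value)


def check_mode_values(yaml_text: str) -> dict:
    """Map each mode/perms variable in the text to its classification."""
    findings = {}
    for raw in yaml_text.splitlines():
        m = MODE_LINE_RE.match(raw.split("#", 1)[0])
        if m:
            findings[m.group(1)] = classify_mode(m.group(2))
    return findings


def decimal_mode_vars(yaml_text: str):
    """Names whose value would silently turn into the wrong octal mode."""
    return sorted(name for name, (status, _) in check_mode_values(yaml_text).items()
                  if status == "decimal-int")


# Constructed excerpt in the style of defaults/main.yml (not the role's file)
DEFAULTS_SNIPPET = """\
rhel8stig_local_int_home_file_perms: 750
rhel8stig_local_int_home_dir_perms: 0750
rhel8stig_sshd_config_mode: '0600'
rhel8stig_unrelated: 10
"""


if __name__ == "__main__":
    for name, (status, mode) in check_mode_values(DEFAULTS_SNIPPET).items():
        print(f"{name}: {status} -> {mode}")
```

Quoting the value is the form that behaves the same everywhere; the leading-zero form works in a plain assignment but is the one Ansible's own documentation warns can misbehave in loops.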

RHEL-08-040259: Shall not enable IPv4 Forwarding | Update configuration to latest baseline

Describe the Issue

Currently this control is applied via a templated 99-sysctl.conf in a handler and is missing the latest configuration required by the STIG.

Expected Behavior

Template should include the following for RHEL-08-040259:

net.ipv4.conf.all.forwarding = 0

Actual Behavior

Currently, only the net.ipv4.ip_forward = 0 is applied.

Control(s) Affected

RHEL-08-040259

Additional Notes

Source: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-06-15/finding/V-250317

Possible Solution

Adjust 99-sysctl.conf.j2 to include the key in the section for RHEL-08-040259.

Edit 1: Revised based on newest baseline and comment from below.

RHEL-08-010400 - lineinfile task with state:present fails due to missing line: entry

RHEL-08-010400 - fix-cat2.yml line 897
Task as defined:

- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
  lineinfile:
      path: '{{ rhel8stig_sssd_conf }}'
      regexp: '^certificate_verification = {{ item.regexp }}'
      state: "{{ item.state }}"
  with_items:
      - { regexp: 'no_ocsp, no_verification', state: absent }
      - { regexp: 'no_ocsp', state: absent }
      - { regexp: 'no_verification', state: absent }
      - { regexp: 'ocsp_dgst=sha1', state: present }
  notify: restart sssd
  when:
      - rhel8stig_sssd_conf_present.stat.exists
      - rhel_08_010400
  tags:
      - RHEL-08-010400
      - CAT2
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-230274r627750_rule
      - V-230274
      - multifactor

Expected Behavior
Task should complete successfully

Actual Behavior
Task fails with error:
"msg": "line is required with state=present"

Control(s) Affected
fix-cat2.yml

Environment:

  • Ansible Version: 2.9
  • Host Python Version: 3.6.8
  • Ansible Server Python Version: 3.6.8
  • Additional Details:

Additional Notes
This role was ran from Ansible Tower - version: 3.8.2

Possible Solution:
Corrected task:

- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
  lineinfile:
      path: '{{ rhel8stig_sssd_conf }}'
      regexp: '^certificate_verification = {{ item.regexp }}'
      state: "{{ item.state }}"
      line: "{{ item.line | default(omit) }}"
  with_items:
      - { regexp: 'no_ocsp, no_verification', state: absent }
      - { regexp: 'no_ocsp', state: absent }
      - { regexp: 'no_verification', state: absent }
      - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }
  notify: restart sssd
  when:
      - rhel8stig_sssd_conf_present.stat.exists
      - rhel_08_010400
  tags:
      - RHEL-08-010400
      - CAT2
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-230274r627750_rule
      - V-230274
      - multifactor

RHEL-08-010740: Group Ownership by Home Dir Owner | Incorrect Ownership by "Nobody" in RHEL 8.6

Describe the Issue

The control for RHEL-08-010740 looks at all UIDs greater than rhel8stig_interactive_uid_start but fails to account for rhel8stig_interactive_uid_stop. This causes the nobody user, UID 65534, to incorrectly be accounted for as an interactive user. This causes its home directory, /, to get its group ownership changed to nobody.

Expected Behavior

rhel8stig_interactive_uid_stop should be utilized for UID range.

Actual Behavior

rhel8stig_interactive_uid_stop not used, causing UID 65534 to be used in the STIG.

Control(s) Affected

RHEL-08-010740

Possible Solution

#135
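The UID-range logic this issue asks for, as an added example that is not code from the role or from the linked PR: select interactive accounts from passwd data using both a lower and an upper bound, and build the home-directory to group-owner map the control would apply. The passwd lines are constructed; the start and stop values are this example's assumptions for the role's rhel8stig_interactive_uid_start and rhel8stig_interactive_uid_stop variables, and passing stop=None reproduces the bug described above.

```python
# Assumed values for the role's uid_start / uid_stop variables (example only)
INTERACTIVE_UID_START = 1000
INTERACTIVE_UID_STOP = 60000

# Constructed /etc/passwd excerpt, including the kernel overflow user
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svcacct:x:60001:60001:Service:/var/lib/svc:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
"""


def interactive_users(passwd_text, start=INTERACTIVE_UID_START, stop=INTERACTIVE_UID_STOP):
    """Return [(name, uid, home)] for accounts with start <= uid <= stop.

    stop=None applies only the lower bound, which is the behaviour this issue reports.
    """
    users = []
    for raw in passwd_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 7:
            continue   # malformed line; a real run should log this
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid < start:
            continue
        if stop is not None and uid > stop:
            continue
        users.append((name, uid, home))
    return users


def group_ownership_plan(passwd_text, start=INTERACTIVE_UID_START, stop=INTERACTIVE_UID_STOP):
    """Home directory -> group name the control would chgrp it to.

    Simplification: assumes each user's primary group is named after the user.
    """
    return {home: name for name, _, home in interactive_users(passwd_text, start, stop)}


if __name__ == "__main__":
    print("without upper bound:", group_ownership_plan(PASSWD_SAMPLE, stop=None))
    print("with upper bound:   ", group_ownership_plan(PASSWD_SAMPLE))
```

Without the upper bound the plan contains the entry `'/': 'nobody'`, which is exactly the change to `/` the issue reports; with both bounds only the real interactive homes remain.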

RHEL-08-020024 is not using the rhel8stig_maxlogins variable

Describe the Issue
The task RHEL-08-020024 does not use the variable rhel8stig_maxlogins; it is currently using a hard-coded value of '10'.

Expected Behavior
The task to use the variable to define the value for max logins.

Actual Behavior
The task does not use the variable since the value is hard coded.

Control(s) Affected
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-06-14/finding/V-230346

Environment (please complete the following information):

  • RHEL 8

Additional Notes

Possible Solution

Errors on ipv6 disabled systems.

Reference: RHEL-08-040210, RHEL-08-040230, RHEL-08-040240, RHEL-08-040250, RHEL-08-040260, RHEL-08-040261, RHEL-08-040262, RHEL-08-040280 all fail when trying to apply when ipv6 is disabled. I've added ignore_errors to each of these blocks. Perhaps I missed a variable where ipv6 is disabled in the playbook where it would exclude these checks.

Error with RHEL-08-040137 - Failed

RHEL-08-040137 - The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs

Describe the Issue
When running RHEL-8 STIG, error occurs on step RHEL-08-040137:

TASK [/RHEL8-STIG : MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist] ***
failed: [] (item=allow exe=/usr/libexec/platform-python : ftype=text/x-python) => {"ansible_loop_var": "item", "changed": false, "item": "allow exe=/usr/libexec/platform-python : ftype=text/x-python", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=allow exe=/usr/libexec/platform-python : ftype=text/x-python) => {"ansible_loop_var": "item", "changed": false, "item": "allow exe=/usr/libexec/platform-python : ftype=text/x-python", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny_audit perm=any pattern=ld_so : all) => {"ansible_loop_var": "item", "changed": false, "item": "deny_audit perm=any pattern=ld_so : all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=allow exe=/usr/libexec/platform-python : ftype=text/x-python) => {"ansible_loop_var": "item", "changed": false, "item": "allow exe=/usr/libexec/platform-python : ftype=text/x-python", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny_audit perm=any pattern=ld_so : all) => {"ansible_loop_var": "item", "changed": false, "item": "deny_audit perm=any pattern=ld_so : all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny all all) => {"ansible_loop_var": "item", "changed": false, "item": "deny all all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny_audit perm=any pattern=ld_so : all) => {"ansible_loop_var": "item", "changed": false, "item": "deny_audit perm=any pattern=ld_so : all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny all all) => {"ansible_loop_var": "item", "changed": false, "item": "deny all all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}
failed: [] (item=deny all all) => {"ansible_loop_var": "item", "changed": false, "item": "deny all all", "msg": "Destination /etc/fapolicyd/fapolicyd.rules does not exist !", "rc": 257}

When looking at the /etc/fapolicyd directory, I see this:

[root@ip-192-168-0-10 ~]# ls /etc/fapolicyd/
compiled.rules  fapolicyd.conf  fapolicyd.trust  rules.d  trust.d

It looks like fapolicyd.rules no longer exists?

Expected Behavior
No error when running RHEL8-STIG

Actual Behavior
Error message displayed above

Control(s) Affected
RHEL-08-040137

Environment (please complete the following information):

$ ansible --version
ansible [core 2.12.2]
  config file = ansible.cfg
  configured module search path = ['/Users/ccravens/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/ccravens/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.7 (default, Sep  3 2021, 12:37:55) [Clang 12.0.5 (clang-1205.0.22.9)]
  jinja version = 3.0.1
  libyaml = True

Additional Notes
Anything additional goes here

Possible Solution
It looks like the scripts may need to be updated to use the rules.d/ folder:

[root@ip-192-168-0-10 ~]# ls /etc/fapolicyd/rules.d/
10-languages.rules  30-dracut.rules    40-bad-elf.rules     42-trusted-elf.rules   72-shell.rules         95-allow-open.rules
20-patterns.rules   30-updaters.rules  41-shared-obj.rules  70-trusted-lang.rules  90-deny-execute.rules

RHEL-08-010140 | Improvement in UX and Methodology

Feature Request or Enhancement

  • Feature [x]
  • Enhancement []

Summary of Request

Rather than users having to provide a pre-hashed password in a variable (via rhel8stig_bootloader_password_hash), can instead support just providing the password as a variable. This could be done as rhel8stig_bootloader_password and adds to ease-of-use.

For command-line Ansible users, this allows for passing in via an Ansible Vault variable or can use something such as a prompt for the variable on launch.

For AWX / Ansible Automation Platform users, a Survey can be used as a "Password" type, so that it can be set as needed and encrypted while in use.

It may not be useful for everyone, and so it may be worth retaining the password_hash methodology alongside. Even if this is not accepted as a feature request, others may find it useful in their environment.

Describe alternatives you've considered

I have already implemented these changes in my own local copy of RHEL8-STIG.

Suggested Code

Approximate changes needed:

# README.md #####################################################
- rhel8stig_bootloader_password_hash: 'grub.pbkdf.sha512.blah'
+ rhel8stig_bootloader_password: changethispassword # Can also be made a Password Survey to hide contents

# defaults/main.yml #####################################################
# RHEL-08-010140 and RHEL-08-020280
- rhel8stig_bootloader_password_hash: 'grub.pbkdf.sha512.changethispassword'
+ rhel8stig_bootloader_password: changethispassword

# tasks/fix-cat1.yml #####################################################
"HIGH | RHEL-08-010140 | PATCH ... etc ..."
- lineinfile:
-   path: blah
-   create: true
-   etc....
### new methodology uses the included grub2-setpassword to hash the password and set it in the file for you
### only downside: currently always reports changed
+ expect:
+   command: "grub2-setpassword"
+   responses:
+     "Enter password": "{{ rhel8stig_bootloader_password }}"
+     "Confirm password": "{{ rhel8stig_bootloader_password }}"
+   timeout: 20
+ no_log: true
+ notify: confirm grub2 user cfg

# tasks/main.yml #####################################################
- replace occurrences of rhel8stig_bootloader_password_hash
+ replace with rhel8stig_bootloader_password

# templates/ansible_vars_goss.yml.j2 #####################################################
### (doesn't seem like this is used anywhere but not sure)
- rhel8stig_password_hash: {{ rhel8stig_bootloader_password_hash }}
+ rhel8stig_password: {{ rhel8stig_bootloader_password }}

Blacklisted module names should be lowercase

Describe the Issue
The ATM, CAN, SCTP, and TIPC kernel module blacklist entries are entered into /etc/modprobe.d/blacklist.conf in uppercase, causing SCAP scan to fail on RHEL-08-040021, RHEL-08-040022, RHEL-08-040023, RHEL-08-040024.

Expected Behavior
Module names in /etc/modprobe.d/blacklist.conf should be in lowercase.

Actual Behavior
SCAP scan fails on these four controls because it's looking for the module names atm, can, sctp, and tipc in lowercase.

Control(s) Affected
RHEL-08-040021
RHEL-08-040022
RHEL-08-040023
RHEL-08-040024

Environment (please complete the following information):

  • Ansible Version: 2.9.27
  • Host Python Version: 3.6.8
  • Role version: 2.3.0

Possible Solution
Will submit a PR
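This issue and the "modprobe modifications" issue earlier on the page describe the same defect, so one added example covers both (it is not code from the role or from either reporter): a case-sensitive parser for modprobe.d content that checks the four controls the way a SCAP probe would, distinguishes a wrong-case entry from a missing one, and a remediation that lowercases the module names in place. The blacklist.conf content is constructed.

```python
import re

# Modules the four controls must disable; kernel module names are case-sensitive,
# so "install ATM /bin/false" does not disable the "atm" module.
REQUIRED_MODULES = ("atm", "can", "sctp", "tipc")   # RHEL-08-040021 .. RHEL-08-040024

INSTALL_RE = re.compile(r"^install\s+(\S+)\s+/bin/false$")
BLACKLIST_RE = re.compile(r"^blacklist\s+(\S+)$")


def parse_modprobe(text: str):
    """Return (modules with 'install <m> /bin/false', blacklisted modules), case preserved."""
    disabled, blacklisted = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = INSTALL_RE.match(line)
        if m:
            disabled.add(m.group(1))
            continue
        m = BLACKLIST_RE.match(line)
        if m:
            blacklisted.add(m.group(1))
    return disabled, blacklisted


def check_modules(text: str, required=REQUIRED_MODULES) -> dict:
    """Per-module verdict, case-sensitive like the kernel and the SCAP check."""
    disabled, blacklisted = parse_modprobe(text)
    by_lower = {name.lower(): name for name in disabled | blacklisted}
    verdict = {}
    for mod in required:
        if mod in disabled and mod in blacklisted:
            verdict[mod] = "pass"
        elif mod in by_lower and by_lower[mod] != mod:
            verdict[mod] = f"fail: entry '{by_lower[mod]}' has wrong case"
        else:
            verdict[mod] = "fail: missing install and/or blacklist entry"
    return verdict


def lowercase_module_names(text: str) -> str:
    """Remediation: rewrite install/blacklist lines with the module name lowercased."""
    fixed = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*(?:install|blacklist)\s+)(\S+)(.*)$", raw)
        fixed.append(f"{m.group(1)}{m.group(2).lower()}{m.group(3)}" if m else raw)
    return "\n".join(fixed) + "\n"


# Constructed sample of /etc/modprobe.d/blacklist.conf after the uppercase tasks ran
BLACKLIST_CONF = """\
# constructed sample
install ATM /bin/false
blacklist ATM
install CAN /bin/false
blacklist CAN
install sctp /bin/false
blacklist sctp
install tipc /bin/false   # trailing comment is ignored
blacklist tipc
"""


if __name__ == "__main__":
    print(check_modules(BLACKLIST_CONF))
    print(check_modules(lowercase_module_names(BLACKLIST_CONF)))
```

Only `install <module> /bin/false` counts as a disable line here, matching the STIG check text; an `install ... /bin/true` left over from older guidance is reported as missing rather than passed.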

Inconsistent YAML

Describe the Issue
A clear and consistent coding style is great for development, and it is supported by tools such as yamllint.
A .yamllint file can codify the chosen style, and can be used in QA.

Expected Behavior

  • The role should pass git ls-files "*.yml"|xargs yamllint in the absence of .yamllint.
  • A .yamllint file is present as a workaround.

Actual Behavior
This has been neglected.

Control(s) Affected
NA

Environment (please complete the following information):

  • Ansible Version: all
  • Host Python Version: all
  • Ansible Server Python Version: all
  • Additional Details:

Additional Notes
yamllint is a python library called by ansible-lint.

Possible Solution
Refactor code to comply with yamllint rules, in phases.

ansible-lint: 648 failure(s), 0 warning(s) on 18 files

Describe the Issue
ansible-lint is a code quality tool that can help spot bad practices and technical debt in Ansible content. It is often used in delivery pipelines. This role fails its scrutiny.

Expected Behavior
ansible-lint passes with exit code 0 and no worrying output.

Actual Behavior
Finished with 648 failure(s), 0 warning(s) on 18 files.

Control(s) Affected
NA

Environment (please complete the following information):

  • Ansible Version: all
  • Host Python Version: all
  • Ansible Server Python Version: all
  • Additional Details:

Additional Notes

Possible Solution
Fix the code to comply with modern standards.

As a temporary workaround we can skip specific rules or tags by adding them to the configuration file .config/ansible-lint.yml:

skip_list:  # silences the warnings and errors completely
  - command-instead-of-module  # Using command rather than module.
  - command-instead-of-shell  # Use shell only when shell functionality is required.
  - fqcn-builtins  # Use FQCN for builtin actions.
  - no-changed-when  # Commands should not change things if nothing needs doing.
  - package-latest  # Package installs should not use latest.
  - risky-shell-pipe  # Shells that use pipes should set the pipefail option.
  - var-spacing  # Jinja2 variables and filters should have spaces before and after.
  - yaml[line-length]  # Violations reported by yamllint.

RHEL-08-010421 Same grubby behavior as on other tasks

Describe the Issue
RHEL-08-010421 always executes grubby without checking if page_poison=1 is already set

Expected Behavior
RHEL-08-010421 should check if page_poison=1 is already set
Task should implement similar 'when' conditions as for example RHEL-08-010422 and others before running grubby

Actual Behavior
RHEL-08-010421 does not check if page_poison=1 is already set and always runs grubby which may cause for example unexpected config changes to /etc/default/grub (moving page_poison to the end of the line)

Control(s) Affected
RHEL-08-010421

Environment (please complete the following information):
does not matter

Additional Notes
Maybe there is a reason unknown to me, this is the only rule with grubby that does not do a check ?

Possible Solution
vitecde@cfe8e3d
If you prefer a pull request please let me know

RHEL-08-010141 /etc/grub.d/01_users needs 755 permission

Describe the Issue
/etc/grub.d/01_users needs 755 permission, otherwise the grub.cfg file will miss the superuser settings

Expected Behavior
Change permission in playbook from 644 to 755

Actual Behavior
Currently permission for the file is 644 and the superuser/grub password is not set in grub.cfg because the script can't execute

Control(s) Affected
RHEL-08-010141
RHEL-08-010149

Possible Solution

- name: |
    "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance."
    "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes."
  template:
      src: 01_users.j2
      dest: /etc/grub.d/01_users
      owner: root
      group: root
      mode: 0755
  notify: confirm grub2 user cfg
  when:
      - rhel_08_010141 or
        rhel_08_010149
  tags:
      - RHEL-08-010141
      - RHEL-08-010149
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-244521r792982_rule
      - SV-244522r792984_rule
      - V-244521
      - V-244522
      - grub

RHEL-08-010141: Unique Superuser Name for Maintenance | Non-Standard Configuration Method

Describe the Issue

Changes to the Superuser section of the grub.cfg file are done via /etc/grub.d/01_users. The RHEL8-STIG role currently applies these changes directly to the /boot/efi/EFI/redhat/grub.cfg which causes them to get overwritten when the grub.cfg is regenerated in later steps. If these changes were applied to the /etc/grub.d/01_users file instead, they would apply correctly.

Expected Behavior

Set rhel8stig_boot_superuser and have it apply, overwriting the default root configuration found in the 01_users file.

Actual Behavior

Changes are written to grub.cfg but are overwritten when the grub.cfg is recompiled, since the 01_users file takes precedence.

Control(s) Affected

RHEL-08-010141

Possible Solution

For just this control, the changes should be written to /etc/grub.d/01_users instead of the standard grub.cfg path.

OR

The default 01_users file should be deleted as part of the application of the STIG, to ensure the manual changes to the grub.cfg file are applied.

RHEL-08-040090 : Firewall must employ deny-all | Missing Configuration

Describe the Issue

The current implementation of RHEL-08-040090 does not implement the drop target for the firewall zone when created, meaning after running this control, the finding is still present.

Expected Behavior

RHEL-08-040090 should set the newly created firewall zone's target to drop instead of leaving it as default.

Actual Behavior

RHEL-08-040090 implementation does not provide a target argument, meaning it gets left as default.

Control(s) Affected

RHEL-08-040090

Possible Solution

It seems that Ansible 2.9 does not have the latest version of the ansible.posix collection, meaning this is not possible to do by just adding the target: DROP line. A manual command would be required, such as sudo firewall-cmd --permanent --zone=ZONE_NAME --set-target=DROP.

RHEL-08-020027/020028 | SELinux Permission Discrepancies / Faillock SELinux Denials

Describe the Issue

RHEL8-STIG, for RHEL-08-020027 and RHEL-08-020028, sets the /var/log/faillock (or custom faillock directory) to the faillog_t SELinux type.

However, the playbook then calls restorecon -irv /var/log/faillock, which causes all of the files within /var/log/faillock to be reset to the var_log_t type. This means that services such as SSHD lose access to these users' faillock files with this type of error:

setroubleshoot: SELinux is preventing /usr/sbin/sshd from 'read, write' accesses on the file /var/log/faillock/example-user.

However, new files that get created will inherit the faillog_t type... leaving old files failing but new files working.

Expected Behavior

Custom faillock directory works as expected

Actual Behavior

SELinux permissions are reset in a way that causes discrepancy between previously existing and new faillock files and prevents some services from using the faillock files

Control(s) Affected

020027, 020028

Possible Solution

Would the correct method to apply the STIG instead be to actually just change all of the files within the /var/log/faillock folder to the correct SELinux type via sudo chcon --type faillog_t -Rv /var/log/faillock -- especially because new files in that folder would inherit the parent folder's faillog_t type anyways -- rather than using restorecon?

RHEL-08-040282 needs updating. Check text is failing due to kernel.yama.ptrace_scope differences.

Check Text

Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands:

$ sudo sysctl kernel.yama.ptrace_scope

kernel.yama.ptrace_scope = 1

If the returned line does not have a value of "1", or a line is not returned, this is a finding.

Check that the configuration files are present to enable this network parameter.

$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf

/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1

If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.

Fix Text

Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory:

kernel.yama.ptrace_scope = 1

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

DISA updated the check text for STIG ID RHEL-08-040282 with release from February 17, 2022.

Currently the fix only adds kernel.yama.ptrace_scope = 1 in the 99-sysctl.conf.j2 template:

{% if rhel_08_040282 %}
# RHEL-08-040282
kernel.yama.ptrace_scope = 1
{% endif %}

After running the latest OpenSCAP benchmark, the check text failed:

[screenshot]

Following the guidance of the check text, the results are as follows:

[screenshot]

Possible Solution
Update/create jinja2 template for 10-default-yama-scope.conf (or any conf file with kernel.yama.ptrace_scope variable) and update pattern or remove pattern altogether from 10-default-yama-scope.conf file.

RHEL-08-020027 failed

Describe the Issue
RHEL-08-020027 failed with no changes to defaults/main.yml

FAILED! => {"changed": true, "cmd": "semanage fcontext -m -t faillog_t -s system_u /var/log/faillock", "delta": "0:00:02.776896", "end": "2022-02-23 09:42:41.815114", "msg": "non-zero return code", "rc": 1, "start": "2022-02-23 09:42:39.038218", "stderr": "ValueError: File context for /var/log/faillock is not defined", "stderr_lines": ["ValueError: File context for /var/log/faillock is not defined"], "stdout": "", "stdout_lines": []}

Expected Behavior
I expect the task to pass without errors

Actual Behavior
tasks fail

Control(s) Affected
RHEL-08-020027

Environment (please complete the following information):

  • Ansible Version: 2.12.2
  • Host Python Version: Python 3.6.8
  • Ansible Server Python Version: Python 3.8.10
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
The tasks for this STIG seem a bit complicated. I have tested the following and it worked:
The directory gets created with the correct context, and then the fcontext gets added so the change is permanent when running restorecon.

      - name: Part 1
        file:
            path: "{{ rhel8stig_pam_faillock.dir }}"
            owner: root
            group: root
            mode: '0700'
            state: directory
            recurse: yes
            setype: faillog_t

      - name: Part 2
        sefcontext:
            target: "{{ rhel8stig_pam_faillock.dir }}"
            ftype: d
            setype: faillog_t
            state: present

Typo in resolv.conf configuration

Check out fix-cat2.yml on line 1412 in v2.0.1:

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
        lineinfile:
            dest: /etc/resolv.conf
            regexp: '^nameserver'
            line: namserver "{{ item }}"
            insertafter: '^search'
        with_items:
            - "{{ rhel8stig_dns_servers }}"
        when:
            - rhel_08_010680_networkmanager_check != '# Generated by NetworkManager'
            - rhel_08_010680_nameserver_count.stdout|int < 2

This outputs namserver "8.8.4.4" etc., which has both nameserver misspelled and also the address cannot be in quotes, I assume line: "nameserver {{item }}" is the correct line. Incidentally, the README.md lists the default servers as 9.9.9.9 and 149.112.112.112 when they are actually the google 8.8.8.8 and 8.8.4.4. Also, the ansible loop statement in the lineinfile module results in the DNS servers being inserted in reverse order (the secondary server ends up first)

Ansible 2.10.9

RHEL-08-04017 not applying on RHEL8 Workstation

Describe the Issue
RHEL-08-04017 not applying on RHEL8 Workstation by not creating the /etc/dconf/db/local.d/00-disable-CAD file

Expected Behavior
The Role should create the following path/file: /etc/dconf/db/local.d/00-disable-CAD and populate with the following:

[org/gnome/settings-daemon/plugins/media-keys]
logout=''

Actual Behavior
Task skips

Control(s) Affected
RHEL-08-04017

Environment (please complete the following information):

  • Ansible Version: 2.9.27
  • Host Python Version: 3.6.8
  • Ansible Server Python Version: N/A
  • Additional Details:

Additional Notes
The file this is configured in is fix-cat1.yml block line 384-422

- name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed."
  block:
      - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing"
        command: grep -s logout /etc/dconf/db/local.d/*
        changed_when: false
        failed_when: false
        register: rhel_08_040171_logout_settings_status

      - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing"
        lineinfile:
            path: /etc/dconf/db/local.d/00-disable-CAD
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            insertafter: "{{ item.insertafter }}"
            create: yes
            owner: root
            group: root
            mode: 0644
        with_items:
            - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
            - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
        when: rhel_08_040171_logout_settings_status.stdout | length == 0

      - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
        replace:
            path: "{{ rhel_08_040171_logout_settings_status.stdout }}"
            regexp: '^[L|l]ogout=.*'
            replace: "logout=''"
        when: rhel_08_040171_logout_settings_status.stdout | length > 0
  when:
      - rhel_08_040171
      - "'gnome-desktop' in ansible_facts.packages"
  tags:
      - RHEL-08-040171
      - CAT1
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230530r646883_rule
      - V-230530

Possible Solution
RHEL8 does not seem to use gnome-desktop. In all my test cases it seems like gnome-desktop3 is the successor and installed when selecting RHEL8 Software selection: Workstation

Modification needed to: fix-cat1.yml on Line 415:

Currently:
- "'gnome-desktop' in ansible_facts.packages"
Change to:
- "'gnome-desktop3' in ansible_facts.packages"

Once I changed this locally, the 00-disable-CAD file was created as expected.

Updates to Version Tagging

Hello,
I wanted to give an update on a tagging change that will take place on the next release, scheduled at some point in May. Without realizing that Ansible Galaxy needs version numbers in the Semantic format that excludes the preceding “v”, for example 1.2.1 vs v1.2., we have been using tags with the preceding v. This has caused our galaxy space to not update with our latest releases.

Going forward, we plan to adjust the version number formatting on the first release for each repo in May. Please make note that if you are relying on release tags to keep up with the latest versions, the numbering format will change. The cadence of the version numbers will continue and progress as they have been; however, the preceding “v” will be dropped from the tag.

George

RHEL-08-010050 Banner on Login Screen | Missing Configuration

Describe the Issue

In the created 01-banner-message file in /etc/dconf/db/local.d/, the banner-message-text is configured but the enable variable is missing. This causes the banner to not show on the login screen, causing a finding.

Expected Behavior

Banner message shows on GUI login page.

Actual Behavior

Banner message does not show on GUI login page, as the enable variable is missing.

Control(s) Affected

RHEL-08-010050

Possible Solution

01-banner-message needs an additional line:

banner-message-enable=true

RHEL-08-010671 needs updating. Check text is failing due to kernel.core_pattern differences.

Check Text

Verify RHEL 8 disables storing core dumps with the following commands:

$ sudo sysctl kernel.core_pattern

kernel.core_pattern = |/bin/false

If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check that the configuration files are present to enable this kernel parameter.

$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf

/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false

If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding.

If results are returned from more than one file location, this is a finding.

Fix Text

Configure RHEL 8 to disable storing core dumps.

Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory:

kernel.core_pattern = |/bin/false

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system

DISA updated the check text for STIG ID RHEL-08-010671 with release from February 17, 2022.

Currently the fix only adds kernel.core_pattern = |/bin/false in the 99-sysctl.conf.j2 template:

{% if rhel_08_010671 %}
# RHEL-08-010671
kernel.core_pattern = |/bin/false
{% endif %}

After running the latest OpenSCAP benchmark, the check text failed:

[screenshot]

Following the guidance of the check text, the results are as follows:

$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
[sudo] password for user:
grep: /run/sysctl.d/*.conf: No such file or directory
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
/usr/lib/sysctl.d/50-coredump.conf:kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
/lib/sysctl.d/50-coredump.conf:kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false

Manually updated /usr/lib/sysctl.d/50-coredump.conf file with kernel.core_pattern = |/bin/false then rescanned, check text passed.

[screenshot]

Possible Solution
Update/create jinja2 template for 50-coredump.conf (or any conf file with kernel.core_pattern variable) and update pattern or remove pattern altogether from 50-coredump.conf file.
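Both sysctl issues above (RHEL-08-040282 and RHEL-08-010671) come down to the same check: every sysctl file location is searched, and a second definition of the key is a finding. The following is an added example, not code from the RHEL8-STIG role, that reproduces that audit and the suggested vendor-file remediation against a constructed temp tree (all paths, file names and values are constructed):

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role. Audits a sysctl key the way
# the updated DISA check text does (every file location is searched, more than
# one definition is a finding) and applies the "remove the vendor definition"
# remediation suggested in the issue. All paths and contents are constructed.

# stig_sysctl_audit KEY EXPECTED FILE...
# Prints each uncommented "KEY = value" definition as "file:line". Returns 0
# only when exactly one definition exists and its value equals EXPECTED.
stig_sysctl_audit() {
    key=$1; expected=$2; shift 2
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in KEY are literal
    matches=""
    for f in "$@"; do
        [ -f "$f" ] || continue   # an unmatched glob is not a definition
        m=$(grep -E "^[[:space:]]*${ekey}[[:space:]]*=" "$f" | sed "s|^|$f:|")
        [ -n "$m" ] && matches="${matches}${m}
"
    done
    printf '%s' "$matches"
    n=$(printf '%s' "$matches" | grep -c . || true)
    [ "$n" -eq 1 ] || return 1
    value=$(printf '%s' "$matches" | sed 's/^[^=]*=[[:space:]]*//')
    [ "$value" = "$expected" ]
}

# stig_sysctl_drop FILE KEY -- delete KEY's definition from FILE.
# sysctl --system would already let /etc/sysctl.d/50-coredump.conf shadow the
# /usr/lib copy of the same name, but the check greps every location, so the
# vendor line itself has to go (or be edited) to clear the finding.
stig_sysctl_drop() {
    file=$1; ekey=$(printf '%s' "$2" | sed 's/\./\\./g'); tmp="$file.tmp"
    grep -Ev "^[[:space:]]*${ekey}[[:space:]]*=" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# stig_sysctl_demo -- rebuild the reporter's situation (vendor 50-coredump.conf
# plus the role's 99-sysctl.conf) in a temp tree. Returns 0 when the audit
# fails before remediation and passes after it.
stig_sysctl_demo() {
    root=$(mktemp -d /tmp/sysctl-demo.XXXXXX)
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf 'kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %%P %%u %%g %%s %%t %%c %%h %%e\n' \
        > "$root/usr/lib/sysctl.d/50-coredump.conf"
    printf '# RHEL-08-010671\nkernel.core_pattern = |/bin/false\n' \
        > "$root/etc/sysctl.d/99-sysctl.conf"
    # same search list as the check text, rooted in the temp tree (globs that
    # match nothing, like /run/sysctl.d here, stay literal and are skipped)
    files="$root/run/sysctl.d/*.conf $root/usr/lib/sysctl.d/*.conf $root/etc/sysctl.d/*.conf"
    if stig_sysctl_audit kernel.core_pattern '|/bin/false' $files; then
        echo "unexpected: the conflicting vendor definition was not detected"
        rm -rf "$root"; return 1
    fi
    stig_sysctl_drop "$root/usr/lib/sysctl.d/50-coredump.conf" kernel.core_pattern
    if stig_sysctl_audit kernel.core_pattern '|/bin/false' $files; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}
```

Source the file and call stig_sysctl_demo; it prints the definitions it finds before and after the vendor line is removed.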

Question regarding RHEL-08-010290 / RHEL-08-010291: Enabling FIPS mode even if not required by STIG?

Question

In fix-cat2.yml, RHEL-08-010290 and RHEL-08-010291 are in a block together and enable FIPS mode before applying the Fix Text.

The latest revisions of the STIG don't call for FIPS mode to be enabled for this STIG (yes, I know they are "FIPS compliant algorithms" but still.)

Sources: See https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-06-15/finding/V-230251 and https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-06-15/finding/V-230252

Is there a reason for this behavior in the RHEL8-STIG role? If FIPS mode isn't desired but still trying to get close to compliance, would there be a reason why this control couldn't be run without FIPS enabled? Is it not functioning as intended without FIPS enabled, and the fix text just isn't accounting for this or something?

It seems that applying it without FIPS mode doesn't break SSH (just commenting out the block that enables FIPS mode) -- but I may just be missing something. If FIPS mode is indeed not required, then consider this an Issue regarding removing the fips-mode-setup statements from the rhel_08_010290/rhel_08_010291 block. :)

Thanks in advance!

Script creating a new line in

The fix-cat2.yml task RHEL-08-010295 is creating a new line in /etc/crypto-policies/back-ends/gnutls.config instead of updating the "SYSTEM=" line.

Expected contents of /etc/crypto-policies/back-ends/gnutls.config:

SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

Actual contents of /etc/crypto-policies/back-ends/gnutls.config:

SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
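The duplicated SYSTEM= content above is what happens when the regexp of a line-replacing step fails to match and the line gets appended instead. The following added example (not code from the RHEL8-STIG role) rewrites the key in place, collapses duplicates, and is safe to re-run; the policy string in it is a constructed, shortened stand-in for the real RHEL-08-010295 value:

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role: rewrite KEY=VALUE in a
# crypto-policy back-end file in place, collapsing duplicates, so a re-run never
# appends a second SYSTEM= line. awk is used instead of sed so that the ':' '+'
# '%' and '-' characters in gnutls policy strings need no escaping.

# set_kv FILE KEY VALUE -- the first "KEY=..." line becomes "KEY=VALUE", any
# later "KEY=..." lines are removed, and the line is appended if KEY is absent.
# Other lines are left byte-for-byte untouched. VALUE must not contain a
# backslash (awk -v interprets escape sequences).
set_kv() {
    file=$1; key=$2; value=$3; tmp="$file.tmp"
    if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
        awk -v k="$key" -v v="$value" -F= '
            $1 == k { if (!seen++) print k "=" v; next }
            { print }' "$file" > "$tmp"
    else
        { [ -f "$file" ] && cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_kv FILE KEY -- value of the single KEY= line; returns 1 if there is not
# exactly one such line (the state RHEL-08-010295 was leaving behind).
get_kv() {
    file=$1; key=$2
    n=$(grep -c "^${key}=" "$file" || true)
    [ "$n" -eq 1 ] || return 1
    sed -n "s/^${key}=//p" "$file"
}

# Constructed stand-in for the STIG policy (shortened; the real one is longer).
STIG_GNUTLS='NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:+VERS-ALL:-VERS-TLS1.0:-VERS-TLS1.1:+COMP-NULL:%PROFILE_MEDIUM'

# gnutls_demo -- start from a file with a duplicated SYSTEM= line, fix it, run
# the fix again, and return 0 only if one SYSTEM= line with the wanted value
# remains and the comment line above it is untouched.
gnutls_demo() {
    f=$(mktemp /tmp/gnutls.XXXXXX)
    printf '# constructed back-end file\nSYSTEM=NONE:+VERS-ALL\n' > "$f"
    printf 'SYSTEM=NONE:+MAC-ALL\n' >> "$f"      # the appended duplicate
    set_kv "$f" SYSTEM "$STIG_GNUTLS"
    set_kv "$f" SYSTEM "$STIG_GNUTLS"           # idempotent: no second line
    got=$(get_kv "$f" SYSTEM) || { rm -f "$f"; return 1; }
    lines=$(grep -c . "$f")
    rm -f "$f"
    [ "$got" = "$STIG_GNUTLS" ] && [ "$lines" -eq 2 ]
}
```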

Prelim SSSD Bug

Describe the Issue
In tasks/prelim.yml the block that determines if the sssd.conf file is located where expected, when statements are used in the first task of the block to run that task if any of the 4 STIG items are enabled. If all four STIG IDs are disabled (as you would on a system without sssd installed), the first task of the block does not run, but the second task of the block still runs and errors out. The error is due to the second block relying on a variable getting registered in the first task.

Expected Behavior
Entire block should be skipped if all 4 SSSD related checks are disabled.

Actual Behavior
First task of block is not run as expected and second task fails due to undefined dictionary.

Control(s) Affected
What controls are being affected by the issue

Possible Solution
Move the When statement on line 317 to control entire block rather than the first task of the block.

CentOS Support Removed - Why?

Describe the Issue
Recently support for CentOS was explicitly removed. Been running these scripts against our CentOS 8 Stream OS for months without issue, why has this been enforced like this?

aa8714a

Expected Behavior
I would like to use these scripts against our CentOS 8 Stream OS

Actual Behavior
I get an error when running latest scripts against our CentOS 8 Stream OS:

TASK [RHEL8-STIG : Check OS version and family] ****************************************************************************************************
fatal: [example.com]: FAILED! => {
    "assertion": "(ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == \"Rocky\") and ansible_distribution_major_version is version_compare('8', '==')",
    "changed": false,
    "evaluated_to": false,
    "msg": "This role can only be run against RHEL/Rocky 8. CentOS 8 is not supported."
}

Control(s) Affected
All

Environment (please complete the following information):
N/A

Additional Notes
Anything additional goes here

Possible Solution
It would be important to not exclude CentOS 8 Stream support as it is the upstream for RHEL 8 and can help identify issues that may come up in RHEL 8.

RHEL-08-010690 / RHEL-08-010770 | Failure in Multiple Steps

Describe the Issue / Expected vs Actual Behaviors

In prelim.yml, the RHEL-08-010690 task calls to gather local interactive home directories with this line:

 shell: "getent passwd {'{{ rhel8stig_int_gid }}'..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"

However, when this is actually run, the single quotes are INTERPRETED, causing the actual run command to come out as:

getent passwd {'1000'..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'

instead of:

getent passwd {1000..24339} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'

This causes RHEL-08-010770 to not perform work, as no local interactive home directories are found.

However, even after this is remedied, the next step in line pulls "INI files" in the found directory. For example, let's say the above getent returned /home/testuser.

The followup, "RHEL-08-010660 | RHEL-08-010770 | AUDIT | FInd ini files for interactive users", finds results and saves them in list form -- without the corresponding home folder they were pulled from. This would be fine if the full paths were being fetched -- but they aren't.

This leaves the stdout for the above command to look something like this:

.bash_logout
.bash_profile
.bashrc

Which is not usable by Ansible, as it doesn't give enough information. These incomplete paths get written to rhel_08_stig_interactive_homedir_results which then get set as a fact to rhel_08_stig_interactive_homedir_inifiles as a list of lists:

rhel_08_stig_interactive_homedir_inifiles: [[".bash_logout", ".bash_profile", ".bashrc"]]

The final flaw is the way the with_items is called in the actual remediation for RHEL-08-010770, as it is passed in a way that preserves the sub-lists instead of flattening them into items... it ends up trying to pass THE ENTIRE list of incomplete filepaths to be remedied at once (the entire list per home directory discovered.)

Control(s) Affected

RHEL-08-010690, RHEL-08-010770

Possible Solution

First -- in the PRELIM | RHEL-08010690 | Gather local interactive user directories in prelim.yml, the shell command must be revised to use formatting that does not leave remnant single quotes, such as utilizing the Raw template marker in Jinja2 to wrap the curly braces in the getent command itself:

shell: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %} | # rest of string is correct after this

From there, I would then alter the Find ini files for interactive users step of the prelim.yml to include whole paths, instead of just the filename, by replacing the logic to just filter out for files that start with a .:

find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*'

This output gets written to a variable (as a list) which then gets added into another variable (making it a list of lists.) This is then called by the RHEL-08-010770 patch in fix-cat2.yml. However, the rhel_08_stig_interactive_homedir_inifiles is being incorrectly passed. It is passed to the with_items as a single entry in a list, causing a THREE LEVEL deep list. This means when with_items flattens, it only flattens one level, causing the lists of files to be passed in all at once. This is an easy fix, by simply moving the variable to the same line as with_items (removing the extra listing level):

file:
    path: "{{ item }}"
    mode: "{{ rhel8stig_local_int_perm }}"
with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}" 
# Note how this is now on the same line, meaning its entries will get flattened and processed correctly

I have tested this fix and can confirm it to be functional, however this was only in a minimal scenario.
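The discovery step described above, written so that the UID range needs no brace expansion and the output is a flat list of absolute paths, one file per line. This is an added example, not code from the RHEL8-STIG role; it reads a passwd-format file instead of calling getent, and the passwd entries and home directories are constructed in a temp tree:

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role: the interactive-home-dir
# and "ini file" discovery for RHEL-08-010690/010770 written so that the range
# needs no brace expansion, and the result is a flat list of full paths (one
# file per line) rather than bare names nested per home directory. The passwd
# file and home directories are constructed in a temp tree.

# interactive_homes PASSWD_FILE MIN_UID MAX_UID -- unique home directories of
# accounts in the UID range, minus the /var, /nonexistent and /run exclusions
# from the role's prelim task. Reads a passwd-format file, so it works offline.
interactive_homes() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { print $6 }' "$1" \
        | sort -u | grep -v -e '/var/' -e '/nonexistent' -e '/run/' || true
}

# user_dotfiles HOMEDIR -- full paths of regular dot-files directly in HOMEDIR
user_dotfiles() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name '.*'
}

# interactive_inifiles PASSWD_FILE MIN_UID MAX_UID -- the flat list the 010770
# remediation needs: every dot-file of every interactive home, absolute path.
interactive_inifiles() {
    interactive_homes "$1" "$2" "$3" | while IFS= read -r home; do
        user_dotfiles "$home"
    done
}

# inifiles_demo -- build a small tree and return 0 if exactly the three
# dot-files of the two interactive users are found.
inifiles_demo() {
    root=$(mktemp -d /tmp/homes.XXXXXX)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/var/lib/svc"
    : > "$root/home/alice/.bashrc"; : > "$root/home/alice/.bash_profile"
    : > "$root/home/bob/.bashrc";   : > "$root/home/bob/notes.txt"   # not a dot-file
    : > "$root/var/lib/svc/.profile"                                 # excluded: /var/
    pw="$root/passwd"
    {
        printf 'root:x:0:0:root:/root:/bin/bash\n'                      # below range
        printf 'alice:x:1000:1000::%s/home/alice:/bin/bash\n' "$root"
        printf 'bob:x:1001:1001::%s/home/bob:/bin/bash\n' "$root"
        printf 'svc:x:1002:1002::%s/var/lib/svc:/sbin/nologin\n' "$root"
        printf 'nobody:x:65534:65534::/nonexistent:/sbin/nologin\n'    # above range
    } > "$pw"
    list=$(interactive_inifiles "$pw" 1000 24339)
    printf '%s\n' "$list"
    rm -rf "$root"
    [ "$(printf '%s\n' "$list" | grep -c .)" -eq 3 ]
}
```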

Broken link for the wiki for Main Variables

The README's link for the Main Variables Wiki Page seems to be broken.

Trying to click that link in the README just redirects to the main wiki page, with a banner message that says "You do not have permission to update this wiki."

RHEL-08-040137 - fapolicyd.service won't start

Describe the Issue
RHEL-08-040137

service is unable to start due to error in the configuration file

Expected Behavior
fapolicyd.service starts successfully

Actual Behavior
fails to start with error
Invalid decision ({'allow) in line 46

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

  • Ansible Version: 2.9
  • Host Python Version: 3.8

Possible Solution
resolve issue with inherited whitelist variables

RHEL8 Benchmark STIG released

Greetings,

Firstly, I wanted to thank you for the hard work committed to this project and the results that come from it. I noticed that the role for RHEL8-STIG is still based on the draft and wondered if work was already under way for the latest release for the benchmark STIG?

Thanks in advance.

RHEL-08-030650 missing rule for rsyslogd

Describe the Issue
RHEL-08-030650 does not check/add a line for rsyslogd

Expected Behavior
From Stig Guide:

Check Text: Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools.

If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.

Check the selection lines to ensure AIDE is configured to add/check with the following command:

$ sudo egrep '(/usr/sbin/(audit|au))' /etc/aide.conf

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.

Actual Behavior
/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
is missing

instead
usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
and
usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
are added but not required by the STIG guide

Control(s) Affected
RHEL-08-030650

Environment (please complete the following information):
does not matter

Additional Notes
Not sure if it makes sense to keep these, since there is no reference in the STIG Guide about these items:
/usr/sbin/audisp-remote
and
/usr/sbin/audisp-syslog

Possible Solution
vitecde@be21bff

If you prefer a pull request, please let me know; since you are in progress working on a new V1R3 branch, I'm not sure.
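The AIDE selection-line check quoted above can be reproduced without AIDE installed. The following is an added example, not code from the RHEL8-STIG role: it compares attribute sets (so reordered attributes still pass and a line missing sha512 fails), reports the tools without an adequate line, and repairs the file; the aide.conf contents are constructed:

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role: check an aide.conf against
# the RHEL-08-030650 tool list and repair it. Attribute sets are compared as
# sets, so "sha512+p+i+..." passes, while a line missing sha512 does not.

REQUIRED='p+i+n+u+g+s+b+acl+xattrs+sha512'
STIG_TOOLS='auditctl auditd ausearch aureport autrace rsyslogd augenrules'

# has_all HAVE WANT -- true when every '+'-separated token of WANT is in HAVE
has_all() {
    have="+$1+"
    for want in $(printf '%s' "$2" | tr '+' ' '); do
        case "$have" in *"+$want+"*) ;; *) return 1 ;; esac
    done
    return 0
}

# aide_missing CONF TOOL... -- print each TOOL whose /usr/sbin/TOOL selection
# line is absent or lacks one of REQUIRED's attributes; return 1 if any.
aide_missing() {
    conf=$1; shift; rc=0
    for tool in "$@"; do
        attrs=$(awk -v p="/usr/sbin/$tool" '$1 == p { print $2; exit }' "$conf")
        if [ -z "$attrs" ] || ! has_all "$attrs" "$REQUIRED"; then
            echo "$tool"; rc=1
        fi
    done
    return $rc
}

# aide_ensure CONF TOOL -- leave exactly one selection line for /usr/sbin/TOOL
# carrying REQUIRED (a weaker existing line is replaced, not duplicated).
aide_ensure() {
    conf=$1; p="/usr/sbin/$2"; tmp="$conf.tmp"
    awk -v p="$p" '$1 != p' "$conf" > "$tmp"
    printf '%s %s\n' "$p" "$REQUIRED" >> "$tmp"
    mv "$tmp" "$conf"
}

# aide_demo -- constructed aide.conf in the state the issue describes (audisp-*
# lines present, rsyslogd absent); returns 0 when the check fails before and
# passes after aide_ensure for every STIG tool.
aide_demo() {
    conf=$(mktemp /tmp/aide.XXXXXX)
    for t in auditctl auditd ausearch aureport autrace augenrules audisp-remote audisp-syslog; do
        printf '/usr/sbin/%s %s\n' "$t" "$REQUIRED" >> "$conf"
    done
    if aide_missing "$conf" $STIG_TOOLS >/dev/null; then rm -f "$conf"; return 1; fi
    for t in $STIG_TOOLS; do aide_ensure "$conf" "$t"; done
    if aide_missing "$conf" $STIG_TOOLS; then rc=0; else rc=1; fi
    rm -f "$conf"
    return $rc
}
```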

Script overwriting new mount options

Numerous mount option tasks are overwriting changes made by previous tasks because they are getting mount options from 'ansible_mounts' which is only collected at the beginning of the playbook run.

For example, RHEL-08-010570 in fix-cat2 adds 'nosuid' to the mount options which is derived from ansible_mounts:

- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
  mount:
      path: /home
      state: mounted
      src: "{{ home_mount.device }}"
      fstype: "{{ home_mount.fstype }}"
      opts: "{{ home_mount.options }},nosuid"
  when:
      - rhel_08_010570
      - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
      - "'nosuid' not in home_mount.options"
  vars:
      home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
  tags:
      - RHEL-08-010570
      - mounts
      - home

At this point, the ansible_mount information is effectively stale as it relates to /etc/fstab. Then RHEL-08-010590 comes along and wipes out all of RHEL-08-010570's hard work:

- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
  mount:
      path: /home
      state: mounted
      src: "{{ home_mount.device }}"
      fstype: "{{ home_mount.fstype }}"
      opts: "{{ home_mount.options }},noexec"
  when:
      - rhel_08_010590
      - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
      - "'noexec' not in home_mount.options"
  vars:
      home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
  tags:
      - RHEL-08-010590
      - mounts
      - home

Doing a remount won't help b/c the ansible facts are already collected.

Is this an ansible bug?
Can you recollect the ansible_mounts facts after a changed task?
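The option loss described above disappears once each change reads the entry's current options from the file at the moment it runs, instead of from facts gathered at play start. The following is an added example, not code from the RHEL8-STIG role, that does this on a constructed fstab and replays the nosuid-then-noexec sequence:

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role: add a mount option to an
# fstab entry by reading the entry's *current* options from the file at the
# moment of the change, instead of from facts gathered at play start. Applying
# nosuid and then noexec this way keeps both; the role's pattern keeps only the
# last one. The fstab is constructed in a temp file.

# fstab_opts FILE MOUNTPOINT -- print the option field of the (uncommented) entry
fstab_opts() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"
}

# fstab_add_opt FILE MOUNTPOINT OPTION -- append OPTION to the entry's option
# list unless it is already present; comments and other entries are untouched.
# Returns 0 when the file was changed, 1 when OPTION was already set.
fstab_add_opt() {
    file=$1; mnt=$2; opt=$3; tmp="$file.tmp"
    case ",$(fstab_opts "$file" "$mnt")," in
        *",$opt,"*) return 1 ;;           # already present: nothing to do
    esac
    awk -v m="$mnt" -v o="$opt" '
        $1 !~ /^#/ && $2 == m { $4 = $4 "," o }   # awk re-joins the fields with single spaces
        { print }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# fstab_demo -- replay the RHEL-08-010570 / 010590 sequence on /home and
# return 0 only if the final entry carries both nosuid and noexec.
fstab_demo() {
    f=$(mktemp /tmp/fstab.XXXXXX)
    printf '# constructed fstab\n/dev/mapper/rhel-root / xfs defaults 0 0\n' > "$f"
    printf '/dev/mapper/rhel-home /home xfs defaults 0 0\n' >> "$f"
    fstab_add_opt "$f" /home nosuid || true
    fstab_add_opt "$f" /home noexec || true
    if fstab_add_opt "$f" /home nosuid; then rm -f "$f"; return 1; fi   # must be idempotent
    opts=$(fstab_opts "$f" /home)
    rm -f "$f"
    [ "$opts" = "defaults,nosuid,noexec" ]
}
```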

RHEL-08-010330 & RHEL-08-010350 | SETroubleshootD Breaks

Preface / Problem

Due to the logic for RHEL-08-010330 through RHEL-08-010350, the DBUS Daemon launch helper permissions get altered, breaking tools that call on this executable to run (such as SETroubleshootD.)

This shows up on a machine as these error logs when an SELinux permission denial occurs, such as this:

Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.27'
Activated service 'org.fedoraproject.Setroubleshootd' failed: The permission of the setuid helper is not correct
# Repeat like 3 more times

The /usr/libexec/dbus-1/dbus-daemon-launch-helper is altered via symlink from permissions of:

  • Before: root:dbus rwsr-x---
  • After: root:root rwxr-xr-x

This is due to the way the files are found and altered:

  • The find command finds links within /usr/lib/.build-id
  • The Ansible file module then follows symlinks by default, so the DESTINATION files for all of these links within .build-id are changed

Question

Is this an intended behavior? The STIG language itself seems to say the FILES in these directories need to be altered, but symlinks (I feel) shouldn't be followed as this could lead to unexpected behavior, especially in the case of the .build-id files.

The "fix" for this would just be to add follow: no for the file module call if this is unintended behavior.

Another fix could be to simply exclude the .build-id directory as it seems problematic:

find -L /lib /lib64 /usr/lib /usr/lib64 -not \( -path /lib/.build-id -prune \) -not \( -path /usr/lib/.build-id \) -perm /0022 -type f -o ! -user root -o ! -group root
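The symlink-following behaviour described above can be reproduced safely in a temp directory. This is an added example, not code from the RHEL8-STIG role: it builds a constructed stand-in for the .build-id link to the dbus launch helper, shows which paths a find with and without the .build-id prune hands over, and shows that a mode change through the link path strips the target's setuid bit:

```shell
#!/bin/sh
# Added example, not code from the RHEL8-STIG role: show how a symlink under
# .build-id lets a `find -L` over the library directories (and a file module
# that follows symlinks) reach a setuid helper that lives outside them, and how
# pruning .build-id keeps it out of scope. Everything is constructed in a temp
# tree; "usr/libexec/dbus-1/dbus-daemon-launch-helper" is only a stand-in with
# the same name. Ownership tests (! -user root, ! -group root) are left out
# because every file in the demo belongs to the running user, which would make
# all of them "findings".

# build_tree -- create the tree and print its root
build_tree() {
    root=$(mktemp -d /tmp/buildid.XXXXXX)
    mkdir -p "$root/usr/libexec/dbus-1" "$root/usr/lib/.build-id/ab" "$root/usr/lib/dbus-1"
    printf '#!/bin/sh\n' > "$root/usr/libexec/dbus-1/dbus-daemon-launch-helper"
    chmod 4750 "$root/usr/libexec/dbus-1/dbus-daemon-launch-helper"   # rwsr-x---
    printf 'x\n' > "$root/usr/lib/dbus-1/session.conf"
    # debuginfo-style link: .build-id/<2 hex>/<rest> -> the real binary
    ln -s ../../../libexec/dbus-1/dbus-daemon-launch-helper "$root/usr/lib/.build-id/ab/cdef0123"
    printf '%s\n' "$root"
}

# lib_files ROOT prune|noprune -- regular files the search would hand to the
# file module, relative to ROOT. With -L a symlink to a file passes -type f.
lib_files() {
    root=$1
    { if [ "$2" = prune ]; then
          find -L "$root/usr/lib" -path '*/.build-id' -prune -o -type f -print
      else
          find -L "$root/usr/lib" -type f -print
      fi; } | sed "s|^$root/||" | sort
}

# set_mode_following_links PATH -- what mode 0755 with follow: yes does:
# chmod dereferences the symlink, so the *target* loses its setuid bit.
set_mode_following_links() { chmod 0755 "$1"; }

# helper_has_setuid ROOT -- true while the helper still has rwsr-x---
helper_has_setuid() { [ -u "$1/usr/libexec/dbus-1/dbus-daemon-launch-helper" ]; }
```

Source the file, run `r=$(build_tree)`, and compare `lib_files "$r" noprune` with `lib_files "$r" prune`; only the first lists the .build-id link.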

rng package is not installed

When rhel_08_010471 is true, the task checks to ensure that the rngd service is started. However, this task does not ensure that the rngd service is even installed. Therefore, if the rng-tools package is not installed, the script fails.

Failure near RHEL-08-010150 checks

When I run the STIG, I get:

 ____________________________________________________________
/ TASK [/home/jbicknell3/GTRI/site/RHEL8-STIG : "HIGH |      \ 
| RHEL-08-010140 | PATCH | RHEL 8 operating systems booted   | 
| with United Extensible Firmware Interface (UEFI)           | 
| implemented must require authentication upon booting into  | 
| single-user mode and maintenance. | Create user.cfg" "HIGH | 
| | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted | 
| with a BIOS must require authentication upon booting into  |                                                               
\ single-user and maintenance modes. | Create user.cfg"]     / 
 ------------------------------------------------------------
        \   ^__^                                                                                                             
         \  (oo)\_______            
            (__)\       )\/\
                ||----w |           
                ||     ||                           
                                                              
fatal: [mutter]: FAILED! => 
  msg: 'the field ''check_mode'' has an invalid value (ansible_check_mode is not defined|bool), and could not be converted to an bool.The error was: The value ''ansible_check_mode is not defined|bool'' is not a valid boolean.  Valid booleans include:
 0, 1, ''on'', ''t'', ''1'', ''f'', ''n'', ''y'', ''true'', ''false'', ''yes'', ''0'', ''off'', ''no'''

I found that the following helps, but I don't know if this is the correct solution:

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index f4aaddf..3b12e47 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -134,7 +134,7 @@
               "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg"
               "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Create user.cfg"
         shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}
-        check_mode: ansible_check_mode is not defined
+        check_mode: "{{ ansible_check_mode is not defined|bool }}"
         register: rhel8stig_create_grub_user_cfg
         changed_when:
             - rhel8stig_create_grub_user_cfg.stdout == "created"
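Review bot: the `-` line is the actual bug: `check_mode: ansible_check_mode is not defined` is a bare YAML string, not a templated expression, so Ansible tries to coerce that literal text to a boolean and fails with exactly the message quoted above. The `+` line is valid, since `{{ ansible_check_mode is not defined|bool }}` parses as `(ansible_check_mode is not defined) | bool`, but note that `ansible_check_mode` is a magic variable Ansible always sets, so the value is always `false` and the `shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}` task will run the create command for real even under `--check`. If the intent is for check-mode runs to stay read-only, dropping the `check_mode` key (the `shell` task is then skipped in check mode by default) is the simpler fix; either way a short comment on why `check_mode` is overridden would help the next maintainer.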

RHEL-08-010201 task is replacing ClientAliveInterval value with ClientAliveCountMax.

Describe the Issue
RHEL-08-010201 task is replacing ClientAliveInterval value with ClientAliveCountMax, which eliminates the ClientAliveInterval value in the /etc/ssh/sshd_config file.

Expected Behavior
RHEL-08-010201 task should find the ClientAliveInterval line in /etc/ssh/sshd_config and update the configured value with the variable rhel8stig_ssh_session_timeout.

Actual Behavior
The ClientAliveInterval line in /etc/ssh/sshd_config is being replaced by ClientAliveCountMax 0.

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

Additional Notes

Possible Solution
    - name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '(?i)^#?ClientAliveInterval.*'
        line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}"
      notify: restart sshd
      when:
        - rhel_08_010201
        - rhel8stig_ssh_required
      tags:
        - RHEL-08-010201
        - CAT2
        - CCI-001133
        - SRG-OS-000163-GPOS-00072
        - SV-244525r743824_rule
        - V-244525
        - ssh

Install issue

New to ansible so apologies if this is user error:

    ansible-galaxy install mindpointgroup.rhel8_stig
    - downloading role 'rhel8_stig', owned by mindpointgroup
    [WARNING]: - mindpointgroup.rhel8_stig was NOT installed successfully: Unable to compare role versions (v2.0.0, 2.2.1, 2.1.0, v2.0.1,
    2.2.0, v1.0.0) to determine the most recent version due to incompatible version formats. Please contact the role author to resolve
    versioning conflicts, or specify an explicit role version to install.
    ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Typo in RHEL-08-040259 and RHEL-08-040260 notify

Describe the Issue
Notify line in tasks RHEL-08-040259 and RHEL-08-040260 incorrectly specifies "update sys" instead of "update sysctl"

Expected Behavior
Tasks should notify "update sysctl" handler.

Actual Behavior
Tasks attempt to notify non-existent handler.

Control(s) Affected
RHEL-08-040259, RHEL-08-040260

Possible Solution

    notify: update sys

    notify: update sys

Replace with:

    notify: update sysctl
