ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Change rule platforms - Part 4: Individual rules in the "system" group #12515

Closed jan-cerny closed 1 month ago

jan-cerny commented 1 month ago

Many rules currently marked with the machine platform should be applicable also to bootable containers. The reason is that often these rules check configuration that should be applied if the bootable container is deployed and booted on a real system. The applicability of these rules needs to be extended by marking them with the system_with_kernel platform instead.

We change the platforms carefully; we don't perform a blind mass platform replacement, because not every rule that is currently marked as machine should be applicable to bootable containers, for example partition rules should be evaluated as "not applicable" when scanning a bootable container.

For more details, please read commit messages of all commits.

Review hints

For normal (non-bootable) containers, run a scan and verify that the rules affected by this change are still evaluated as notapplicable as they were before this change. For example: `sudo oscap-podman centos:stream9 xccdf eval --profile stig --report /tmp/report.html build/ssg-cs9-ds.xml`
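The review hint above asks to confirm that the affected rules are still notapplicable when a plain container is scanned. As an added example (not part of this PR or the ComplianceAsCode tooling), the script below reads the XCCDF results document that `oscap` writes when `--results <file>` is added to that command and lists every affected rule whose result is not notapplicable; the rule ids come from the diff in this PR, the embedded results document is constructed sample data, and the unaffected rule id in it is made up.

```python
"""Check that rules moved to the system_with_kernel platform are still
reported as notapplicable when a plain (non-bootable) container is scanned.

Added example, not part of PR #12515 or the ComplianceAsCode tooling.
Input is the XCCDF results document written by `oscap xccdf eval --results`.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# A subset of the rules whose platform the PR changes from machine to
# system_with_kernel (ids copied from the datastream diff in the PR).
AFFECTED_RULES = (
    "xccdf_org.ssgproject.content_rule_install_antivirus",
    "xccdf_org.ssgproject.content_rule_package_sudo_installed",
    "xccdf_org.ssgproject.content_rule_banner_etc_issue",
    "xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow",
    "xccdf_org.ssgproject.content_rule_service_iptables_enabled",
)


def parse_rule_results(xccdf_xml: str) -> dict:
    """Return {rule id: result} for every rule-result in the document."""
    root = ET.fromstring(xccdf_xml)
    results = {}
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rule_result.find(f"{{{XCCDF_NS}}}result")
        if result is not None and result.text:
            results[rule_result.get("idref")] = result.text.strip()
    return results


def regressions(results: dict, affected=AFFECTED_RULES) -> dict:
    """Affected rules that are not notapplicable, with what the scan said.

    A rule absent from the TestResult is reported as well: the profile did
    not evaluate it, so the scan proves nothing about its applicability.
    """
    return {
        rule_id: results.get(rule_id, "<not in results>")
        for rule_id in affected
        if results.get(rule_id) != "notapplicable"
    }


# Constructed sample results: three rules behave as expected,
# package_sudo_installed is now evaluated (and fails) inside the container,
# and service_iptables_enabled is missing from the TestResult entirely.
# The "example_unaffected" rule id is made up and only shows filtering.
SAMPLE_RESULTS = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_CS-9">
  <TestResult id="xccdf_org.open-scap_testresult_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_install_antivirus">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_sudo_installed">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_banner_etc_issue">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_unaffected">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def main(argv) -> int:
    """Usage: check_na.py [results.xml]; without a path the sample is checked."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            xml_text = handle.read()
    else:
        xml_text = SAMPLE_RESULTS
    bad = regressions(parse_rule_results(xml_text))
    for rule_id, result in sorted(bad.items()):
        print(f"{rule_id}: {result}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one rule changed behaviour in a plain container and the platform change for that rule needs a second look.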


github-actions[bot] commented 1 month ago

This datastream diff is auto generated by the check Compare DS/Generate Diff. Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

Click here to see the trimmed diff ```diff Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_antivirus' --- xccdf_org.ssgproject.content_rule_install_antivirus +++ xccdf_org.ssgproject.content_rule_install_antivirus @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_hids' --- xccdf_org.ssgproject.content_rule_install_hids +++ xccdf_org.ssgproject.content_rule_install_hids @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_nails_enabled +++ xccdf_org.ssgproject.content_rule_service_nails_enabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'nails.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_nails_enabled +++ xccdf_org.ssgproject.content_rule_service_nails_enabled @@ -1,3 +1,17 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-28 + - NIST-800-53-SI-3(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_nails_enabled + - name: Enable nails Service - Enable service nails block: 
@@ -13,7 +27,7 @@ masked: false when: - '"nails" in ansible_facts.packages' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - NIST-800-53-CM-6(a) - NIST-800-53-SC-28 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' --- xccdf_org.ssgproject.content_rule_service_nails_enabled +++ xccdf_org.ssgproject.content_rule_service_nails_enabled @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_mcafee_antivirus' --- xccdf_org.ssgproject.content_rule_install_mcafee_antivirus +++ xccdf_org.ssgproject.content_rule_install_mcafee_antivirus @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated' --- xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated +++ xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' differs. --- xccdf_org.ssgproject.content_rule_package_sudo_installed +++ xccdf_org.ssgproject.content_rule_package_sudo_installed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if ! rpm -q --quiet "sudo" ; then yum install -y "sudo" ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' differs. --- xccdf_org.ssgproject.content_rule_package_sudo_installed +++ xccdf_org.ssgproject.content_rule_package_sudo_installed 
@@ -1,8 +1,6 @@ -- name: Ensure sudo is installed - package: - name: sudo - state: present - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82214-8 - NIST-800-53-CM-6(a) @@ -14,3 +12,20 @@ - medium_severity - no_reboot_needed - package_sudo_installed + +- name: Ensure sudo is installed + package: + name: sudo + state: present + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82214-8 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sudo_installed Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' --- xccdf_org.ssgproject.content_rule_package_sudo_installed +++ xccdf_org.ssgproject.content_rule_package_sudo_installed @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' differs. --- xccdf_org.ssgproject.content_rule_package_rng-tools_installed +++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then if ! rpm -q --quiet "rng-tools" ; then yum install -y "rng-tools" ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' differs. --- xccdf_org.ssgproject.content_rule_package_rng-tools_installed +++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed 
@@ -1,8 +1,6 @@ -- name: Ensure rng-tools is installed - package: - name: rng-tools - state: present - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82968-9 - DISA-STIG-RHEL-08-010472 @@ -12,3 +10,18 @@ - low_severity - no_reboot_needed - package_rng-tools_installed + +- name: Ensure rng-tools is installed + package: + name: rng-tools + state: present + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-82968-9 + - DISA-STIG-RHEL-08-010472 + - enable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_rng-tools_installed Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' --- xccdf_org.ssgproject.content_rule_package_rng-tools_installed +++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue +++ xccdf_org.ssgproject.content_rule_banner_etc_issue @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then login_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue +++ xccdf_org.ssgproject.content_rule_banner_etc_issue 
@@ -1,3 +1,18 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80763-6 + - DISA-STIG-RHEL-08-010060 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - banner_etc_issue + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy - name: XCCDF Value login_banner_text # promote to variable set_fact: login_banner_text: !!str @@ -10,7 +25,7 @@ content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80763-6 - DISA-STIG-RHEL-08-010060 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' --- xccdf_org.ssgproject.content_rule_banner_etc_issue +++ xccdf_org.ssgproject.content_rule_banner_etc_issue @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then cis_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis 
@@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86160-9 + - banner_etc_issue_cis + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: XCCDF Value cis_banner_text # promote to variable set_fact: cis_banner_text: !!str @@ -9,7 +20,7 @@ ansible.builtin.copy: content: '{{ cis_banner_text }}' dest: /etc/issue - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86160-9 - banner_etc_issue_cis Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' --- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then remote_login_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86147-6 + - banner_etc_issue_net + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy - name: XCCDF Value remote_login_banner_text # promote to variable set_fact: remote_login_banner_text: !!str 
@@ -10,7 +21,7 @@ content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86147-6 - banner_etc_issue_net Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then cis_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86167-4 + - banner_etc_issue_net_cis + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: XCCDF Value cis_banner_text # promote to variable set_fact: cis_banner_text: !!str 
@@ -9,7 +20,7 @@ ansible.builtin.copy: content: '{{ cis_banner_text }}' dest: /etc/issue.net - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86167-4 - banner_etc_issue_net_cis Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' --- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_motd +++ xccdf_org.ssgproject.content_rule_banner_etc_motd @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then motd_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_motd +++ xccdf_org.ssgproject.content_rule_banner_etc_motd @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83496-0 + - banner_etc_motd + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy - name: XCCDF Value motd_banner_text # promote to variable set_fact: motd_banner_text: !!str 
@@ -10,7 +21,7 @@ content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-83496-0 - banner_etc_motd Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' --- xccdf_org.ssgproject.content_rule_banner_etc_motd +++ xccdf_org.ssgproject.content_rule_banner_etc_motd @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then cis_banner_text='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' differs. --- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis @@ -1,3 +1,14 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86145-0 + - banner_etc_motd_cis + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: XCCDF Value cis_banner_text # promote to variable set_fact: cis_banner_text: !!str 
@@ -8,7 +19,7 @@ ansible.builtin.copy: content: '{{ cis_banner_text }}' dest: /etc/motd - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86145-0 - banner_etc_motd_cis Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' --- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis +++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs. --- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir +++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir @@ -1,7 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then - -#!/bin/bash +if rpm --quiet -q kernel; then FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth" faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \ ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs. --- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir +++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir 
@@ -1,3 +1,18 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86248-2 + - DISA-STIG-RHEL-08-020027 + - DISA-STIG-RHEL-08-020028 + - NIST-800-53-AC-7 (a) + - account_password_selinux_faillock_dir + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: An SELinux Context must be configured for the pam_faillock.so records directory - Get directories from faillock ansible.builtin.shell: grep -oP '^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)' @@ -7,7 +22,7 @@ - /etc/security/faillock.conf - /etc/pam.d/system-auth - /etc/pam.d/password-auth - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86248-2 - DISA-STIG-RHEL-08-020027 @@ -25,7 +40,7 @@ ansible.builtin.set_fact: list_faillock_dir: '{{ faillock_output.results | map(attribute=''stdout_lines'') | flatten }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86248-2 - DISA-STIG-RHEL-08-020027 @@ -45,7 +60,7 @@ state: directory with_items: '{{ list_faillock_dir }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - item != "" tags: - CCE-86248-2 @@ -67,7 +82,7 @@ fi with_items: '{{ list_faillock_dir }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - item != "" tags: - CCE-86248-2 @@ -86,7 +101,7 @@ ansible.builtin.command: restorecon -R -v "{{ item }}" with_items: '{{ list_faillock_dir }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - item != "" tags: - CCE-86248-2 
@@ -107,7 +122,7 @@ "The pam_faillock.so dir option is not set in the system. If this is not expected, make sure pam_faillock.so is properly configured." when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - list_faillock_dir | length == 0 tags: - CCE-86248-2 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' --- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir +++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_account_unique_id' --- xccdf_org.ssgproject.content_rule_account_unique_id +++ xccdf_org.ssgproject.content_rule_account_unique_id @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed' --- xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed +++ xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past' --- xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past +++ xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs. --- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow +++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs. --- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow +++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow @@ -1,9 +1,26 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-85953-8 + - DISA-STIG-RHEL-08-010121 + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.2 + - high_severity + - low_complexity + - low_disruption + - no_empty_passwords_etc_shadow + - no_reboot_needed + - restrict_strategy + - name: Collect users with no password command: | awk -F: '!$2 {print $1}' /etc/shadow register: users_nopasswd changed_when: false - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-85953-8 - DISA-STIG-RHEL-08-010121 @@ -23,7 +40,7 @@ passwd -l {{ item }} with_items: '{{ users_nopasswd.stdout_lines }}' when: - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"kernel" in ansible_facts.packages' - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0 tags: - CCE-85953-8 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' --- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow +++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_ensure_root_password_configured' --- xccdf_org.ssgproject.content_rule_ensure_root_password_configured +++ xccdf_org.ssgproject.content_rule_ensure_root_password_configured @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins' differs. --- xccdf_org.ssgproject.content_rule_no_direct_root_logins +++ xccdf_org.ssgproject.content_rule_no_direct_root_logins @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then echo > /etc/securetty ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins' differs. --- xccdf_org.ssgproject.content_rule_no_direct_root_logins +++ xccdf_org.ssgproject.content_rule_no_direct_root_logins @@ -1,8 +1,6 @@ -- name: Direct root Logins Not Allowed - copy: - dest: /etc/securetty - content: '' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-80840-2 - NIST-800-171-3.1.1 
@@ -17,3 +15,23 @@ - no_direct_root_logins - no_reboot_needed - restrict_strategy + +- name: Direct root Logins Not Allowed + copy: + dest: /etc/securetty + content: '' + when: '"kernel" in ansible_facts.packages' + tags: + - CCE-80840-2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2 + - PCI-DSSv4-8.6 + - PCI-DSSv4-8.6.1 + - low_complexity + - low_disruption + - medium_severity + - no_direct_root_logins + - no_reboot_needed + - restrict_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins' --- xccdf_org.ssgproject.content_rule_no_direct_root_logins +++ xccdf_org.ssgproject.content_rule_no_direct_root_logins @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs. --- xccdf_org.ssgproject.content_rule_accounts_tmout +++ xccdf_org.ssgproject.content_rule_accounts_tmout @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then var_accounts_tmout='' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs. --- xccdf_org.ssgproject.content_rule_accounts_tmout +++ xccdf_org.ssgproject.content_rule_accounts_tmout @@ -1,3 +1,21 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80673-7 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSSv4-8.6 + - PCI-DSSv4-8.6.1 + - accounts_tmout + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: XCCDF Value var_accounts_tmout # promote to variable set_fact: var_accounts_tmout: !!str 
@@ -10,7 +28,7 @@ regexp: ^[^#].*TMOUT=.* replace: typeset -xr TMOUT={{ var_accounts_tmout }} register: profile_replaced - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80673-7 - NIST-800-171-3.1.11 @@ -34,7 +52,7 @@ regexp: TMOUT= line: typeset -xr TMOUT={{ var_accounts_tmout }} state: present - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-80673-7 - NIST-800-171-3.1.11 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' --- xccdf_org.ssgproject.content_rule_accounts_tmout +++ xccdf_org.ssgproject.content_rule_accounts_tmout @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' differs. --- xccdf_org.ssgproject.content_rule_package_iptables_installed +++ xccdf_org.ssgproject.content_rule_package_iptables_installed @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then +if ( rpm --quiet -q kernel ); then if ! rpm -q --quiet "iptables" ; then yum install -y "iptables" ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' differs. --- xccdf_org.ssgproject.content_rule_package_iptables_installed +++ xccdf_org.ssgproject.content_rule_package_iptables_installed @@ -1,9 +1,6 @@ -- name: Ensure iptables is installed - package: - name: iptables - state: present - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] ) +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-82982-0 - NIST-800-53-CM-6(a) 
@@ -14,3 +11,19 @@ - medium_severity - no_reboot_needed - package_iptables_installed + +- name: Ensure iptables is installed + package: + name: iptables + state: present + when: ( "kernel" in ansible_facts.packages ) + tags: + - CCE-82982-0 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-1.4.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_iptables_installed Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' --- xccdf_org.ssgproject.content_rule_package_iptables_installed +++ xccdf_org.ssgproject.content_rule_package_iptables_installed @@ -1,4 +1,4 @@ oval:ssg-installed_OS_is_rhcos4_rhel9:def:1 -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-service_disabled_nftables:def:1 oval:ssg-service_disabled_ufw:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled +++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'ip6tables.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled +++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled @@ -1,3 +1,20 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-85955-3 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_ip6tables_enabled + - name: Verify ip6tables Enabled if Using IPv6 - Enable service ip6tables block: 
@@ -13,7 +30,7 @@ masked: false when: - '"iptables-ipv6" in ansible_facts.packages' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-85955-3 - NIST-800-53-AC-4 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' --- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled +++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_iptables_enabled +++ xccdf_org.ssgproject.content_rule_service_iptables_enabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q iptables ); then +if ( rpm --quiet -q iptables && rpm --quiet -q kernel ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'iptables.service' ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs. --- xccdf_org.ssgproject.content_rule_service_iptables_enabled +++ xccdf_org.ssgproject.content_rule_service_iptables_enabled @@ -30,8 +30,8 @@ masked: false when: - '"iptables" in ansible_facts.packages' - when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", - "container"] and "iptables" in ansible_facts.packages ) + when: ( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages + ) tags: - CCE-85961-1 - NIST-800-53-AC-4 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' --- xccdf_org.ssgproject.content_rule_service_iptables_enabled +++ xccdf_org.ssgproject.content_rule_service_iptables_enabled 
@@ -1,3 +1,3 @@ -oval:ssg-installed_env_is_a_machine:def:1 oval:ssg-package_iptables:def:1 oval:ssg-service_disabled_firewalld:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled' differs. --- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled +++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled' differs. --- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled +++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled @@ -1,10 +1,25 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82872-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_ipv6_option_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - name: Disable IPv6 Networking kernel module lineinfile: create: true dest: /etc/modprobe.d/ipv6.conf regexp: ^options\s+ipv6\s+disable=\d line: options ipv6 disable=1 - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82872-3 - NIST-800-53-CM-6(a) 
@@ -26,7 +41,7 @@ with_items: - net.ipv6.conf.all.disable_ipv6 - net.ipv6.conf.default.disable_ipv6 - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82872-3 - NIST-800-53-CM-6(a) Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled' --- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled +++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 @@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-85904-1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_disable_ipv6 + - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -8,7 +24,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-85904-1 - NIST-800-171-3.1.20 @@ -29,7 +45,7 @@ regexp: ^[\s]*net.ipv6.conf.all.disable_ipv6 replace: '#net.ipv6.conf.all.disable_ipv6' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-85904-1 - NIST-800-171-3.1.20 @@ -50,7 +66,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-85904-1 - NIST-800-171-3.1.20 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 
@@ -1,3 +1,19 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86004-9 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_disable_ipv6 + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +24,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86004-9 - NIST-800-171-3.1.20 @@ -29,7 +45,7 @@ regexp: ^[\s]*net.ipv6.conf.default.disable_ipv6 replace: '#net.ipv6.conf.default.disable_ipv6' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86004-9 - NIST-800-171-3.1.20 @@ -50,7 +66,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-86004-9 - NIST-800-171-3.1.20 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6 @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra @@ -1,3 +1,20 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81006-9 + - DISA-STIG-RHEL-08-040261 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +25,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81006-9 - DISA-STIG-RHEL-08-040261 @@ -29,7 +46,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_ra replace: '#net.ipv6.conf.all.accept_ra' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81006-9 - DISA-STIG-RHEL-08-040261 
@@ -56,7 +73,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81006-9 - DISA-STIG-RHEL-08-040261 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr @@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84272-4 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_defrtr + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84272-4 - disable_strategy 
@@ -25,7 +37,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr replace: '#net.ipv6.conf.all.accept_ra_defrtr' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84272-4 - disable_strategy @@ -47,7 +59,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84272-4 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo 
@@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84280-7 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_pinfo + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84280-7 - disable_strategy @@ -25,7 +37,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo replace: '#net.ipv6.conf.all.accept_ra_pinfo' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84280-7 - disable_strategy @@ -47,7 +59,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84280-7 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref @@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84288-0 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84288-0 - disable_strategy @@ -25,7 +37,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref replace: '#net.ipv6.conf.all.accept_ra_rtr_pref' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84288-0 - disable_strategy @@ -47,7 +59,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84288-0 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref 
@@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects @@ -1,3 +1,22 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81009-3 + - DISA-STIG-RHEL-08-040280 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_redirects + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +27,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81009-3 - DISA-STIG-RHEL-08-040280 @@ -32,7 +51,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_redirects replace: '#net.ipv6.conf.all.accept_redirects' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81009-3 - DISA-STIG-RHEL-08-040280 
@@ -61,7 +80,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81009-3 - DISA-STIG-RHEL-08-040280 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route @@ -1,3 +1,20 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81013-5 + - DISA-STIG-RHEL-08-040240 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_source_route + - name: List /etc/sysctl.d/*.conf files find: paths: 
@@ -8,7 +25,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81013-5 - DISA-STIG-RHEL-08-040240 @@ -30,7 +47,7 @@ regexp: ^[\s]*net.ipv6.conf.all.accept_source_route replace: '#net.ipv6.conf.all.accept_source_route' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81013-5 - DISA-STIG-RHEL-08-040240 @@ -57,7 +74,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-81013-5 - DISA-STIG-RHEL-08-040240 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf 
@@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84266-6 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_autoconf + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84266-6 - disable_strategy @@ -24,7 +36,7 @@ regexp: ^[\s]*net.ipv6.conf.all.autoconf replace: '#net.ipv6.conf.all.autoconf' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84266-6 - disable_strategy @@ -46,7 +58,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84266-6 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding @@ -1,3 +1,21 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82863-2 + - DISA-STIG-RHEL-08-040260 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_forwarding + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +26,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82863-2 - DISA-STIG-RHEL-08-040260 @@ -30,7 +48,7 @@ regexp: ^[\s]*net.ipv6.conf.all.forwarding replace: '#net.ipv6.conf.all.forwarding' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82863-2 - DISA-STIG-RHEL-08-040260 
@@ -58,7 +76,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-82863-2 - DISA-STIG-RHEL-08-040260 Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses @@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84259-1 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_max_addresses + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84259-1 - disable_strategy 
@@ -25,7 +37,7 @@ regexp: ^[\s]*net.ipv6.conf.all.max_addresses replace: '#net.ipv6.conf.all.max_addresses' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84259-1 - disable_strategy @@ -47,7 +59,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84259-1 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations @@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations 
@@ -1,3 +1,15 @@ +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-84109-8 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_router_solicitations + - unknown_severity + - name: List /etc/sysctl.d/*.conf files find: paths: @@ -8,7 +20,7 @@ patterns: '*.conf' file_type: any register: find_sysctl_d - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84109-8 - disable_strategy @@ -25,7 +37,7 @@ regexp: ^[\s]*net.ipv6.conf.all.router_solicitations replace: '#net.ipv6.conf.all.router_solicitations' loop: '{{ find_sysctl_d.files }}' - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84109-8 - disable_strategy @@ -47,7 +59,7 @@ sysctl_file: /etc/sysctl.conf state: present reload: true - when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + when: '"kernel" in ansible_facts.packages' tags: - CCE-84109-8 - disable_strategy Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations @@ -1 +1 @@ -oval:ssg-installed_env_is_a_machine:def:1 +oval:ssg-system_with_kernel:def:1 bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs. --- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra +++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra 
@@ -1,5 +1,5 @@ # Remediation is applicable only in certain platforms -if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then +if rpm --quiet -q kernel; then # Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files ansible remediation for rule 'xccdf_org.ssgproj ... The diff is trimmed here ... ```
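Review bot: the new bash guard `if rpm --quiet -q kernel; then` (service_nails_enabled, service_ip6tables_enabled, kernel_module_ipv6_option_disabled and every sysctl_net_ipv6_* remediation above) drops the `/.dockerenv` and `/run/.containerenv` checks outright, so applicability is now inferred purely from package presence: a regular, non-bootable container image that happens to carry the kernel RPM will be remediated instead of skipped, and a host without a package named `kernel` will be skipped. The review hint (scanning centos:stream9 with oscap-podman) covers the usual case where the image has no kernel; it would be worth also confirming the notapplicable result on a container image that does have `kernel` installed, since that is the case the old file-based check caught and the new one does not.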
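Review bot: the Ansible guard `when: '"kernel" in ansible_facts.packages'` (and the combined form `( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages )` in service_iptables_enabled) only matches a package named exactly `kernel`. Hosts that boot a real-time kernel ship `kernel-rt` rather than `kernel`, so unless `oval:ssg-system_with_kernel:def:1` and the remediation guards are kept in step on that point, such hosts would flip to notapplicable for all of these rules after this change. Please confirm the platform definition covers that case, or document the limitation in the commit message.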
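Review bot: every converted Ansible remediation now prepends its own `Gather the package facts` task (service_ip6tables_enabled, kernel_module_ipv6_option_disabled and each sysctl_net_ipv6_* rule in the diff), where the previous `ansible_virtualization_type` guard needed no extra task. A profile playbook assembled from these snippets will therefore run `package_facts` once per rule. Because the result depends only on host state, consider gathering it once per play or guarding the task with `when: ansible_facts.packages is not defined`; the full tag list on the task should stay so that tag-filtered runs still populate the fact before the `when` is evaluated.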
codeclimate[bot] commented 1 month ago

Code Climate has analyzed commit 2307963b and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.0% (0.0% change).

View more on Code Climate.

Mab879 commented 1 month ago

/packit build

Mab879 commented 1 month ago

Waiving Automatus tests as they are not related to this PR.