Update for v2r1

[jamescassell]

Here's a fairly comprehensive list:

Global Changes

• [x] Every rule title was changed to include "Red Hat Enterprise Linux" in some form
• [x] Throughout, a required, but commented-out configuration setting fails (this is obvious; will handle compliance on a rule-by-rule basis; some rule are okay w/ unconfigured setting)

Modified Rules

• [ ] RHEL-07-010010: if non-RPM-verified (user/group ownership, permissions) files are not documented, it is a finding (should subtract a list of documented bad files and/or packages from the list of found bad files and/or packages)

• [ ] RHEL-07-010250: "If passwords are not being used for authentication, this is Not Applicable."

• [ ] RHEL-07-010310: "If passwords are not being used for authentication, this is Not Applicable."

• [ ] RHEL-07-010500: "--smartcardaction=1" -> "--smartcardaction=0"

• [ ] RHEL-07-020020: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• [ ] RHEL-07-020210: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• [ ] RHEL-07-020220: "If an HBSS or HIPS is active on the system, this is Not Applicable."

• [ ] RHEL-07-020230: "ctrl.alt.del.target is masked and not active" -- "not active" is new

• [ ] RHEL-07-020730: use '-xdev' when finding world-writable files (rule not yet implemented)

• [ ] RHEL-07-021020: nosuid on "file systems that are being imported via Network File System (NFS)." - mostly a wording change

• [ ] RHEL-07-031000: "/etc/rsyslog.conf" -> '"/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf"' (should move to config snippet, add tombstone for content in rsyslog.conf main)

• [ ] RHEL-07-032000: install anti-virus -- removed reference to McAfee

• [ ] RHEL-07-040180: "If LDAP is not being utilized, this requirement is Not Applicable.", "ssl = start_tls" -> "ldap_id_use_start_tls = true", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf (should create implicit_files domain explicitly to enable sssd generically and configure)

• [ ] RHEL-07-040190: "If LDAP is not being utilized, this requirement is Not Applicable.", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf, "ldap_tls_reqcert = demand" (should create implicit_files domain explicitly to enable sssd generically and configure)

• [ ] RHEL-07-040200: "If LDAP is not being utilized, this requirement is Not Applicable.", /etc/pam_ldap.conf -> /etc/sssd/sssd.conf, "ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt" (should create implicit_files domain explicitly to enable sssd generically and configure)

• [ ] RHEL-07-040500: "maxpoll 17" -> "maxpoll 10", "ntpdate"->"ntpd -q"

• [ ] RHEL-07-040510: use "net.ipv4.tcp_invalid_ratelimit = 500" with sysctl instead of firewalld direct rules

• [ ] RHEL-07-040610: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• [ ] RHEL-07-040620: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• [ ] RHEL-07-040630: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• [ ] RHEL-07-040640: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• [ ] RHEL-07-040650: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• [ ] RHEL-07-040660: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective, ALSO unconfigured value is OKAY

• [ ] RHEL-07-040740: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl --system" to make effective

• [ ] "RHEL-07-040830: If IPv6 is not enabled, the key will not exist, and this is Not Applicable", ALSO unconfigured value is OKAY

• [ ] RHEL-07-041002: If the "pam" service is not present,present on all "services" lines, (should create implicit_files domain explicitly to enable sssd generically and configure)

• [ ] RHEL-07-021021: allow NFS binaries if documented -- "use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding"

• [ ] RHEL-07-030874: look in /etc/audit/audit.rules for the check content

• [ ] RHEL-07-040641: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• [ ] RHEL-07-040201: allow /etc/sysctl.d/ in addition to /etc/sysctl.conf, use "sysctl -system" to make effective

• [x] RHEL-07-010020: no longer limited to just binaries, now also includes "system files": "If there is any output from the command for system files or binaries, this is a finding." (#279)

• [x] RHEL-07-010150: "dcredit" -> "ocredit" in the fix text

• [x] RHEL-07-010200: reference both password-auth and system-auth instead of system-auth-ac

• [x] RHEL-07-010270: references both password-auth and system-auth instead of system-auth-ac, "pam_unix.so"->"pam_pwhistory.so"

  • old: "password sufficient pam_unix.so use_authtok sha512 shadow remember=5"
  • new: "password requisite pam_pwhistory.so use_authtok remember=5 retry=3"

• [x] RHEL-07-010290: references both password-auth and system-auth instead of system-auth-ac

• [x] RHEL-07-010320: references both password-auth and system-auth instead of system-auth-ac

  • "unlock_time=604800" -> "fail_interval=900 unlock_time=900" (A huge improvement to the requirement; will reduce sysadmin load.)

• [x] RHEL-07-010330: references both password-auth and system-auth instead of password-auth-ac and system-auth-ac

  • "unlock_time=604800" -> "unlock_time=900"

• [x] RHEL-07-010350: non-compliant configs allowed in commented-out lines

• [x] RHEL-07-010430: if the required config is commented, it is a finding

• [x] RHEL-07-010480: "For systems that are running RHEL 7.2 or newer, this is Not Applicable."

• [x] RHEL-07-010490: "For systems that are running RHEL 7.2 or newer, this is Not Applicable."

• [x] RHEL-07-020110: stop autofs in addition to disable

• [x] RHEL-07-020620: now considers non-privileged UID range as 1000-4999 (no change needed)

• [x] RHEL-07-021100: also allow configs in "/etc/rsyslog.d/*.conf", remove ordering requirement (no change required)

• [x] RHEL-07-021600: items required only on uncommented lines in /etc/aide.conf

• [x] RHEL-07-021610: items required only on uncommented lines in /etc/aide.conf

• [x] RHEL-07-021620: items required only on uncommented lines in /etc/aide.conf

• [x] RHEL-07-030320: removed reference to 'network_failure_action', a different rule

• [x] RHEL-07-030360: audit both arches, update audit key

• [x] RHEL-07-030560: remove '-F perm=x'

• [x] RHEL-07-030570: remove '-F perm=x'

• [x] RHEL-07-030580: remove '-F perm=x'

• [x] RHEL-07-030590: remove '-F perm=x'

• [x] RHEL-07-030640: remove '-F perm=x'

• [x] RHEL-07-030680: remove '-F perm=x'

• [x] RHEL-07-030690: remove '-F perm=x'

• [x] RHEL-07-030710: remove '-F perm=x'

• [x] RHEL-07-030720: remove '-F perm=x'

• [x] RHEL-07-030740: "command" -> "command and syscall", updated audit rules, use absolute command path

• [x] RHEL-07-030750: update path, remove '-F perm=x'

• [x] RHEL-07-030760: remove '-F perm=x'

• [x] RHEL-07-030770: remove '-F perm=x'

• [x] RHEL-07-030780: remove '-F perm=x'

• [x] RHEL-07-030800: remove '-F perm=x'

• [x] RHEL-07-030810: remove '-F perm=x', use absolute command path

• [x] RHEL-07-030820: require b32 on all arches; "command" -> "syscall"

• [x] RHEL-07-030830: require b32 on all arches; "command" -> "syscall"

• [x] RHEL-07-030840: "insmod" -> "kmod" -- did this remove '-F perm=x'? (PR #210) added it

• [x] RHEL-07-030880: remove '-F perm=x', "command" -> "syscall"

• [x] RHEL-07-030890: remove '-F perm=x', "command" -> "syscall"

• [x] RHEL-07-030900: remove '-F perm=x', "command" -> "syscall"

• [x] RHEL-07-030910: remove '-F perm=x', "command" -> "syscall"

• [x] RHEL-07-030920: remove '-F perm=x', "command" -> "syscall"

• [x] RHEL-07-031010: "Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation."

• [x] RHEL-07-040160: use /etc/profile.d/* (e.g., tmout.sh) instead of /etc/profile

• [x] RHEL-07-040300: only require openssh-server, no longer require openssh-clients (#252)

• [x] RHEL-07-040310: use "systemctl enable sshd.service" for the fix (no change needed)

• [x] RHEL-07-040330: "If the release is 7.4 or newer this requirement is Not Applicable."

• [x] RHEL-07-040340: ClientAliveCountMax -- REMOVED "If the release is 7.4 or newer this requirement is Not Applicable." -- now applicable everywhere

• [x] RHEL-07-040360: remove "session required pam_lastlog.so showfailed", must now use "PrintLastLog yes" in /etc/ssh/sshd_config (no change required)

• [x] RHEL-07-040420: SSH private host key files mode "0600" -> "0640"

• [x] RHEL-07-040530: "/etc/pam.d/postlogin-ac" -> "/etc/pam.d/postlogin", remove reference to printlastlog in /etc/ssh/sshd_config

• [x] RHEL-07-040700: tftp -> tftp-server (#261)

• [x] RHEL-07-010119: "/etc/pam.d/passwd"->"/etc/pam.d/system-auth"

• [x] RHEL-07-030321: "stop" -> "syslog" in the check content, but "stop" was never a valid option

• [x] RHEL-07-030871: "audit_rules_usergroup_modification" -> "identity"

• [x] RHEL-07-010061: run "dconf update" to make the change effective (#266)

• [x] RHEL-07-020101: 'install dccp /bin/true' in /etc/modprobe.d/dccp.conf AND now also "blacklist dccp" in /etc/modprobe.d/blacklist.conf (#278)

• [x] RHEL-07-030819: "command" -> "syscall", require b32 everywhere

• [x] RHEL-07-030821: "command" -> "syscall", require b32 everywhere

Deleted

• [x] RHEL-07-020070: removed (YAY, no more repo_gpgcheck that always fails)
• [x] RHEL-07-030600: removed (audit /var/log/tallylog)
• [x] RHEL-07-030730: removed (audit sudoedit)
• [x] RHEL-07-030850: removed (audit rmmod, should modify RHEL-07-030840 first)
• [x] RHEL-07-030860: removed (audit modprobe, should modify RHEL-07-030840 first)
• [x] RHEL-07-032010: removed (weekly virus cvd/dat updates)
• [x] RHEL-07-010062: removed (prevent a user from overriding the screensaver lock-enabled setting)

Added

• [ ] RHEL-07-010118: NEW ('password substack system-auth' in /etc/pam.d/passwd)
• [x] RHEL-07-010482: NEW (really, replaces 010480 for RHEL 7.2+) (CAT I)
• [x] RHEL-07-010491: NEW (really, replaces 010490 for RHEL 7.2+) (CAT I)
• [x] RHEL-07-021022: NEW (nodev on /dev/shm)
• [x] RHEL-07-021023: NEW (nosuid on /dev/shm)
• [x] RHEL-07-021024: NEW (noexec on /dev/shm)
• [x] RHEL-07-030200: NEW ('active = yes' in /etc/audisp/plugins.d/au-remote.conf)
• [ ] RHEL-07-030201: NEW (configure the au-remote plugin to off-load audit logs using the audisp-remote daemon)
• [ ] RHEL-07-030210: NEW (set 'overflow_action' to "syslog", "single", or "halt" in /etc/audisp/audispd.conf)
• [ ] RHEL-07-030211: NEW (set 'name_format' to "hostname", "fqd", or "numeric" in /etc/audisp/audispd.conf)

Cosmetic Changes

• [x] RHEL-07-020030: aide cron clarification, no real change
• [x] RHEL-07-020040: aide cron clarification, no real change
• [x] RHEL-07-020250: updated EOL dates
• [x] RHEL-07-030370: "command" -> "syscall"
• [x] RHEL-07-030380: "command" -> "syscall"
• [x] RHEL-07-030390: "command" -> "syscall"
• [x] RHEL-07-030400: "command" -> "syscall"
• [x] RHEL-07-030410: "command" -> "syscall"
• [x] RHEL-07-030420: "command" -> "syscall"
• [x] RHEL-07-030430: "command" -> "syscall"
• [x] RHEL-07-030440: "command" -> "syscall"
• [x] RHEL-07-030450: "command" -> "syscall"
• [x] RHEL-07-030460: "command" -> "syscall"
• [x] RHEL-07-030470: "command" -> "syscall"
• [x] RHEL-07-030480: "command" -> "syscall"
• [x] RHEL-07-030490: "command" -> "syscall"
• [x] RHEL-07-030500: "command" -> "syscall"
• [x] RHEL-07-030510: "command" -> "syscall"
• [x] RHEL-07-030520: "command" -> "syscall"
• [x] RHEL-07-030530: "command" -> "syscall"
• [x] RHEL-07-030540: "command" -> "syscall"
• [x] RHEL-07-030550: "command" -> "syscall"
• [x] RHEL-07-040820: openswan -> libreswan in check content, no real change

[shepdelacreme]

I sent a couple emails to the DISA STIG support mailbox about this. This new "version" has no revision history and they don't plan on releasing one. So trying to figure out the differences is going to be a painful process of comparing XML documents or going rule by rule with STIG viewer.

[jamescassell]

Yeah, I saw that... I might get around to doing that in the next week depending on what else comes up.

[jamescassell]

edit: moved changelog to first comment

[jamescassell]

I've updated the first comment with a fairly comprehensive changelog, based on diffing the V1R4 and the V2R1 STIGs. As @shepdelacreme pointed out, DISA declined to provide this change log.

[amkuchta]

Is there a particular way that you guys would like PRs for the items in the original issue report (e.g. a separate PR for each task, or a PR for each category, etc.)?

I am currently working on the low-hanging (but tedious) fruit of knocking out the title updates, and want to make sure I am providing my changes in a way that is

1. easy to review, and
2. jives with what you expect

Also, as a side note, VSCode wants to change the formatting for each file on save - I've disabled this while I am making the updates, but am curious as to whether or not anyone else is running into that issue...

Thanks in advance!

[shepdelacreme]

I think generally we like to see related changes grouped. If you are updating titles across a lot of different items I think it is ok to group them in one PR but try and split out the changes in separate commits within the same PR to make it easy to review/comment.

For functional changes to existing tasks or newly implemented remediations, we prefer to have those changes in their own PR.

I'm not sure about the VSCode thing. I use it exclusively and I don't run into this issue...maybe its an extension? Are your yml files recognized as YAML or as Ansible files?

[amkuchta]

@shepdelacreme I'll keep that in mind - I'll be pushing all of the title updates in one go, but will be breaking out each individual change moving forward so that they are easier to track and review.

With regards to the VSCode issue, it looks like it may have been an extension (either "Prettier" or "Beautify" - I disabled both).

Thanks for the input!

[amkuchta]

Can we mark all of the cosmetic changes that are just command -> syscall to be completed? Looking at them, there is no action to update the playbooks. Same can be said for RHEL-07-020250

[amkuchta]

RHEL-07-030880 through RHEL-07-030920 also seem to be done...

[shepdelacreme]

Thanks! I went through a verified and checked off some more. Need to do a full audit of this list and update soon.

[amkuchta]

@shepdelacreme I actually ran a SCAP against a box (CentOS, but still), and am verifying quite a few non-SCAP findings manually. I'll be providing a list of everything that I see as being closed- it's extensive, and shows that this effort is much further along than the checklist details!

[amkuchta]

@jamescassell @shepdelacreme I went ahead and ran the playbook against a CentOS system, SCAP'd it, and completed a manual checklist, which I've attached for your review. My initial impression is that the playbook looks awesome and is ready for a release (with the exception of the PR (#238) that I submitted yesterday), but I will leave that to your discretion. As a side note, ignore the comments about OpenLDAP - that is what we use in our environment, and are specific to the next steps my group is going to have to take.

RHEL7_MPG_20190425_REDACTED.ckl.zip

[jamescassell]

Updated checklist to reflect current status. Added recommendations to some of the outstanding items.

[georgenalen]

Hello, I wanted to reach out and let you know that this issue is being closed. We have re-worked the role and want to start with a fresh issues list with this latest version. There was a post in the Ansible-Lockdown google group (https://groups.google.com/g/ansible-lockdown) with the details of the changes that are coming. Please checkout the thread titled RHEL 7 CIS and STIG Changes for all of the details, I also have the message pasted at below. Please as you use the latest version and open issue tickets as you find them, it is the best way for us to improve the role for everyone. Thank you for being part of the community and providing awareness of problems or advice on improvement. Reporting is a huge part of improving this project.

---

Hello, Thank you to everyone in the Ansible-Lockdown community who has contributed to RHEL7 STIG/CIS. Our team at MindPoint Group has been working with the entirety of the Ansible-Lockdown project, and we have some significant updates for both RHEL 7 STIG and CIS. With these updates, some larger changes have been made. I have these changes/updates outlined below. Testing:

1. CI/CD - We have implemented some automated testing pipelines to test pull requests into the devel and main branches. With the current workflow, the community will PR into the devel branch (never the main branch) for review by the administrators. When your PR is created, the first check will remain the DCO check. The second check is a functional testing pipeline that will automatically perform a functional test of the branch the PR is initiated from. Once both tests pass, someone from the Administrator Team will review the changes and merge them into the devel branch. From there, an additional review is completed before the devel branch is merged into the main branch. Only the Admin Team will perform PRs/merges into the main branch. There is also an automated pipeline for PRs from devel to main. Please do not edit the .github/workflows files since those are used as part of the pipeline.
2. Compliance Checking – MindPoint Group has been working to create our own compliance audit scan tool. The tool uses a goss framework executable to run custom checks that we have created. The goal is to provide a more thorough check for control compliance and decrease the number of false positives/negatives. For example, it will check the configuration file related to the control and as well as checking if that configuration is active. With a smarter scan, we can hopefully identify attempts to trick scanners as well (for example stacking a parameter in a config file where the first instance is enabled and second disabled. Most audit tools search for the first instance but the application might look for the last instance of the parameter, thus making the scanning tool think it's enabled). In testing, we have found that our audit scan runs significantly faster than other audit tools, reducing audit times. Our audit tool and profiles will have their own repositories in the Ansible-Lockdown org, but within the remediation role there will be an integrated way to incorporate the audit. Keep an eye out for the audit tools as they are released. We plan on developing a goss audit profile for each current remediation role. Going forward, we plan to release a remediation role and goss audit tool profile simultaneously. Role Updates:
3. RHEL 7 STIG/CIS – We have re-written much of the RHEL 7 STIG and CIS roles to increase clarity and readability and address some functionality items. We performed these updates while creating our goss testing framework for each of these roles. We plan on pushing our update to the devel and main branches. We will move the current devel and master branches to a develstable and masterstable branch in the respective repositories. Accordingly, community members who rely on the current version can still use that version going forward; this process will not remove what is currently there. The latest versions of the roles have also been updated to comply with the latest benchmarks.
4. Role Architecture – All roles will change with regard to the structure in the tasks folder. Taking CIS as an example, there will be a folder per section and yaml files for each sub-section. For example control 1.2.1 in CIS will be located in RHEL7-CIS/tasks/section_1/cis_1.2.x.yml. The cis_1.2.x.yml file will contain all controls related to section 1.2.x. This will hopefully make updates to roles a bit easier with less risk. This matches the architecture of our audit tool, creating consistency across remediation and audit platforms. The end goal is to repeat this architecture (the best we can) on STIG roles, but we are starting with CIS.
5. Existing PRs and Issues – With all of these changes comes the task of cleaning up existing PR’s and issues. Our plan is to close all of the existing PR’s and issues because of the re-work. Our team is growing and should be able to stay on top of the new issues and PRs as they come in. Again, I would like to thank the community for your involvement in this project. The input and work from the community has contributed significantly to the success of this project. Please keep an eye out for these changes, which will be rolling out in the coming weeks.