File: //usr/share/scap-security-guide/ansible/rhel6-playbook-rht-ccp.yml
---
###############################################################################
#
# Ansible remediation role for profile rht-ccp
# Profile Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
# Profile Description:
# This is a *draft* SCAP profile for Red Hat Certified Cloud Providers
#
# Benchmark ID: RHEL-6
# Benchmark Version: 0.1.52
#
# XCCDF Version: 1.1
#
# This file was generated by OpenSCAP 1.2.17 using:
# $ oscap xccdf generate fix --profile rht-ccp --template urn:xccdf:fix:script:ansible xccdf-file.xml
#
# This script is generated from an OpenSCAP profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this remediation role:
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################
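- hosts: all
  pre_tasks:
    # Fail fast before any remediation runs on an interpreter older than the
    # one this role was generated for.
    - name: Verify Ansible meets SCAP-Security-Guide version requirements.
      assert:
        # `version` is the current name of the `version_compare` test
        # (both exist in 2.5; the old name is deprecated).
        that: "ansible_version.full is version('2.5', '>=')"
        msg: You must update Ansible to at least version 2.5 to use this role.
  # Profile variables. The !!str tag keeps numeric-looking values as strings
  # so they are written into config lines verbatim.
  vars:
    var_accounts_password_minlen_login_defs: !!str 6
    var_accounts_password_warn_age_login_defs: !!str 7
    var_accounts_maximum_age_login_defs: !!str 60
    var_accounts_minimum_age_login_defs: !!str 7
    var_password_pam_unix_remember: !!str 5
    var_accounts_passwords_pam_faillock_deny: !!str 5
    var_selinux_policy_name: !!str targeted
    var_selinux_state: !!str enforcing
    var_sshd_set_keepalive: !!str 0
    sshd_idle_timeout_value: !!str 300
  tasks:
    - name: Prevent Log In to Accounts With Empty Password - system-auth
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        # no `replace:` value, so every `nullok` token is deleted
        regexp: nullok
      tags:
        - CCE-27038-9
        - CJIS-5.5.2
        - DISA-STIG-RHEL-06-000030
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.5
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.3
        - configure_strategy
        - high_severity
        - low_complexity
        - medium_disruption
        - no_empty_passwords
        - no_reboot_needed
    - name: Prevent Log In to Accounts With Empty Password - password-auth
      replace:
        dest: /etc/pam.d/password-auth
        follow: true
        regexp: nullok
      tags:
        - CCE-27038-9
        - CJIS-5.5.2
        - DISA-STIG-RHEL-06-000030
        - NIST-800-171-3.1.1
        - NIST-800-171-3.1.5
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.3
        - configure_strategy
        - high_severity
        - low_complexity
        - medium_disruption
        - no_empty_passwords
        - no_reboot_needed
    # Each package-dependent rule re-gathers package facts so it can still be
    # run in isolation via its tags.
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-27002-5
        - CJIS-5.6.2.1
        - DISA-STIG-RHEL-06-000050
        - NIST-800-171-3.5.7
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-53-IA-5(f)
        - accounts_password_minlen_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Set Password Minimum Length in login.defs
      lineinfile:
        dest: /etc/login.defs
        # also match a commented-out default so it is replaced, not duplicated
        # (same pattern as the PASS_MAX_DAYS / PASS_MIN_DAYS tasks below)
        regexp: ^#?PASS_MIN_LEN
        state: present
        line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}
        create: true
      when: '"shadow-utils" in ansible_facts.packages'
      tags:
        - CCE-27002-5
        - CJIS-5.6.2.1
        - DISA-STIG-RHEL-06-000050
        - NIST-800-171-3.5.7
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(a)
        - NIST-800-53-IA-5(f)
        - accounts_password_minlen_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-26988-6
        - DISA-STIG-RHEL-06-000054
        - NIST-800-171-3.5.8
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - accounts_password_warn_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Set Password Warning Age
      lineinfile:
        dest: /etc/login.defs
        regexp: ^#?PASS_WARN_AGE
        state: present
        line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}
        create: true
      when: '"shadow-utils" in ansible_facts.packages'
      tags:
        - CCE-26988-6
        - DISA-STIG-RHEL-06-000054
        - NIST-800-171-3.5.8
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - accounts_password_warn_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-26985-2
        - CJIS-5.6.2.1
        - DISA-STIG-RHEL-06-000053
        - NIST-800-171-3.5.6
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - PCI-DSS-Req-8.2.4
        - accounts_maximum_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Set Password Maximum Age
      lineinfile:
        create: true
        dest: /etc/login.defs
        regexp: ^#?PASS_MAX_DAYS
        line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
      when: '"shadow-utils" in ansible_facts.packages'
      tags:
        - CCE-26985-2
        - CJIS-5.6.2.1
        - DISA-STIG-RHEL-06-000053
        - NIST-800-171-3.5.6
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - PCI-DSS-Req-8.2.4
        - accounts_maximum_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-27013-2
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-06-000051
        - NIST-800-171-3.5.8
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - accounts_minimum_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Set Password Minimum Age
      lineinfile:
        create: true
        dest: /etc/login.defs
        regexp: ^#?PASS_MIN_DAYS
        line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
      when: '"shadow-utils" in ansible_facts.packages'
      tags:
        - CCE-27013-2
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-06-000051
        - NIST-800-171-3.5.8
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(d)
        - NIST-800-53-IA-5(f)
        - accounts_minimum_age_login_defs
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: require single user mode password
      lineinfile:
        create: true
        dest: /etc/sysconfig/init
        regexp: ^#?SINGLE=
        line: SINGLE=/sbin/sulogin
      # container runtimes have no single-user mode to protect
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27040-5
        - DISA-STIG-RHEL-06-000069
        - NIST-800-171-3.1.1
        - NIST-800-171-3.4.5
        - NIST-800-53-AC-3
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-2
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - require_singleuser_auth
        - restrict_strategy
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-27228-6
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-06-000063
        - NIST-800-171-3.13.11
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.1
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
        - set_password_hashing_algorithm_logindefs
    - name: Set Password Hashing Algorithm in /etc/login.defs
      lineinfile:
        dest: /etc/login.defs
        regexp: ^#?ENCRYPT_METHOD
        line: ENCRYPT_METHOD SHA512
        state: present
        create: true
      when: '"shadow-utils" in ansible_facts.packages'
      tags:
        - CCE-27228-6
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-06-000063
        - NIST-800-171-3.13.11
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.1
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
        - set_password_hashing_algorithm_logindefs
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-27229-4
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-06-000064
        - NIST-800-171-3.13.11
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.1
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
        - set_password_hashing_algorithm_libuserconf
    - name: Set Password Hashing Algorithm in /etc/libuser.conf
      lineinfile:
        dest: /etc/libuser.conf
        insertafter: ^\s*\[defaults]
        regexp: ^#?crypt_style
        line: crypt_style = sha512
        state: present
        create: true
      when: '"libuser" in ansible_facts.packages'
      tags:
        - CCE-27229-4
        - CJIS-5.6.2.2
        - DISA-STIG-RHEL-06-000064
        - NIST-800-171-3.13.11
        - NIST-800-53-CM-6(a)
        - NIST-800-53-IA-5(1)(c)
        - NIST-800-53-IA-5(c)
        - PCI-DSS-Req-8.2.1
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
        - set_password_hashing_algorithm_libuserconf
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-26741-9
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-06-000274
        - NIST-800-171-3.5.8
        - NIST-800-53-IA-5(1)(e)
        - NIST-800-53-IA-5(f)
        - PCI-DSS-Req-8.2.5
        - accounts_password_pam_unix_remember
        - configure_strategy
        - low_complexity
        - medium_disruption
        - medium_severity
        - no_reboot_needed
    # Two passes: rewrite an existing remember=N, then append one where absent.
    - name: Do not allow users to reuse recent passwords - system-auth (change)
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$
        replace: \g<1>{{ var_password_pam_unix_remember }}\g<3>
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26741-9
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-06-000274
        - NIST-800-171-3.5.8
        - NIST-800-53-IA-5(1)(e)
        - NIST-800-53-IA-5(f)
        - PCI-DSS-Req-8.2.5
        - accounts_password_pam_unix_remember
        - configure_strategy
        - low_complexity
        - medium_disruption
        - medium_severity
        - no_reboot_needed
    - name: Do not allow users to reuse recent passwords - system-auth (add)
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$
        replace: \g<0> remember={{ var_password_pam_unix_remember }}
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26741-9
        - CJIS-5.6.2.1.1
        - DISA-STIG-RHEL-06-000274
        - NIST-800-171-3.5.8
        - NIST-800-53-IA-5(1)(e)
        - NIST-800-53-IA-5(f)
        - PCI-DSS-Req-8.2.5
        - accounts_password_pam_unix_remember
        - configure_strategy
        - low_complexity
        - medium_disruption
        - medium_severity
        - no_reboot_needed
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    # pam_faillock: preauth before pam_unix, authfail after it, plus the
    # account-phase entry; the two args_present tasks update the deny count
    # when the lines already exist.
    - name: Add auth pam_faillock preauth deny before pam_unix.so
      pamd:
        name: '{{ item }}'
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: required
        new_module_path: pam_faillock.so
        module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: before
      loop:
        - system-auth
        - password-auth
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Add deny argument to auth pam_faillock preauth
      pamd:
        name: '{{ item }}'
        type: auth
        control: required
        module_path: pam_faillock.so
        module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: args_present
      loop:
        - system-auth
        - password-auth
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Add auth pam_faillock authfail deny after pam_unix.so
      pamd:
        name: '{{ item }}'
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: '[default=die]'
        new_module_path: pam_faillock.so
        module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: after
      loop:
        - system-auth
        - password-auth
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Add deny argument to auth pam_faillock authfail
      pamd:
        name: '{{ item }}'
        type: auth
        new_type: auth
        control: '[default=die]'
        module_path: pam_faillock.so
        module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: args_present
      loop:
        - system-auth
        - password-auth
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Add account pam_faillock before pam_unix.so
      pamd:
        name: '{{ item }}'
        type: account
        control: required
        module_path: pam_unix.so
        new_type: account
        new_control: required
        new_module_path: pam_faillock.so
        state: before
      loop:
        - system-auth
        - password-auth
      when: '"pam" in ansible_facts.packages'
      tags:
        - CCE-26844-1
        - CJIS-5.5.3
        - DISA-STIG-RHEL-06-000061
        - NIST-800-171-3.1.8
        - NIST-800-53-AC-7(a)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.1.6
        - accounts_passwords_pam_faillock_deny
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
    - name: Ensure aide is installed
      package:
        name: aide
        state: present
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27024-9
        - CJIS-5.10.1.3
        - DISA-STIG-RHEL-06-000016
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-11.5
        - enable_strategy
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - package_aide_installed
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CCE-26709-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000013
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_gpgcheck_globally_activated
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
        - unknown_strategy
    - name: Check existence of yum on Fedora
      stat:
        path: /etc/yum.conf
      register: yum_config_file
      check_mode: false
      when:
        - ansible_distribution == "Fedora"
        - '"yum" in ansible_facts.packages'
      tags:
        - CCE-26709-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000013
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_gpgcheck_globally_activated
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
        - unknown_strategy
    - name: Ensure GPG check is globally activated (yum)
      ini_file:
        dest: /etc/yum.conf
        section: main
        option: gpgcheck
        value: '1'
        no_extra_spaces: true
        create: false
      # NOTE(review): yum_config_file.stat is only registered on Fedora, so
      # the `or` chain must short-circuit on every other distribution it is
      # expected to run on — verify for distributions not named here.
      when:
        - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists)
        - '"yum" in ansible_facts.packages'
      tags:
        - CCE-26709-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000013
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_gpgcheck_globally_activated
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
        - unknown_strategy
    - name: Ensure GPG check is globally activated (dnf)
      ini_file:
        dest: /etc/dnf/dnf.conf
        section: main
        option: gpgcheck
        value: '1'
        no_extra_spaces: true
        create: false
      when:
        - ansible_distribution == "Fedora"
        - '"yum" in ansible_facts.packages'
      tags:
        - CCE-26709-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000013
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_gpgcheck_globally_activated
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
        - unknown_strategy
    # Upgrades every installed package; tagged high_disruption/reboot_required
    # so it can be skipped with --skip-tags on hosts that cannot take it.
    - name: Security patches are up to date
      package:
        name: '*'
        state: latest
      tags:
        - CCE-27635-2
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000011
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SI-2(5)
        - NIST-800-53-SI-2(c)
        - PCI-DSS-Req-6.2
        - high_disruption
        - high_severity
        - low_complexity
        - patch_strategy
        - reboot_required
        - security_patches_up_to_date
        - skip_ansible_lint
    - name: Read permission of GPG key directory
      stat:
        path: /etc/pki/rpm-gpg/
      register: gpg_key_directory_permission
      check_mode: false
      tags:
        - CCE-26506-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000008
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_redhat_gpgkey_installed
        - high_severity
        - medium_complexity
        - medium_disruption
        - no_reboot_needed
        - restrict_strategy
    - name: Read signatures in GPG key
      command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
      args:
        warn: false
      changed_when: false
      register: gpg_fingerprints
      check_mode: false
      tags:
        - CCE-26506-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000008
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_redhat_gpgkey_installed
        - high_severity
        - medium_complexity
        - medium_disruption
        - no_reboot_needed
        - restrict_strategy
    - name: Set Fact - Installed GPG Fingerprints
      set_fact:
        # Collects the fpr field following each pub record of the colon-
        # separated gpg output. The literal newline inside the block scalar is
        # part of the regex.
        # NOTE(review): regex_findall's second positional argument is its
        # multiline flag, not a replacement; '\1' here is simply truthy — verify
        # against the installed Ansible before changing it.
        gpg_installed_fingerprints: |-
          {{ gpg_fingerprints.stdout | regex_findall('^pub.*
          (?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
      tags:
        - CCE-26506-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000008
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_redhat_gpgkey_installed
        - high_severity
        - medium_complexity
        - medium_disruption
        - no_reboot_needed
        - restrict_strategy
    - name: Set Fact - Valid fingerprints
      set_fact:
        # Must be a YAML list: the difference() filter in the import task
        # compares list elements. As a bash-style "(... ...)" string it would
        # be iterated character by character, no fingerprint could ever match,
        # and the key import below would silently never run.
        gpg_valid_fingerprints:
          - '567E347AD0044ADE55BA8A5F199E2F91FD431D51'
          - '43A6E49C4A38F4BE9ABF2A5345689C882FA658E0'
      tags:
        - CCE-26506-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000008
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_redhat_gpgkey_installed
        - high_severity
        - medium_complexity
        - medium_disruption
        - no_reboot_needed
        - restrict_strategy
    - name: Import RedHat GPG key
      rpm_key:
        state: present
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      # Trust the on-disk key only when every fingerprint it carries is on the
      # allow-list above and at least one was read. The mode check is a string
      # comparison on the octal mode, so it rejects values sorting above
      # '0755' (e.g. 0775, 0777).
      when:
        - gpg_key_directory_permission.stat.mode <= '0755'
        - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
        - gpg_installed_fingerprints | length > 0
        - ansible_distribution == "RedHat"
      tags:
        - CCE-26506-6
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000008
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - ensure_redhat_gpgkey_installed
        - high_severity
        - medium_complexity
        - medium_disruption
        - no_reboot_needed
        - restrict_strategy
    - name: Grep for yum repo section names
      shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
      register: repo_grep_results
      # grep exits non-zero when no repo file has a section header
      ignore_errors: true
      changed_when: false
      tags:
        - CCE-26647-8
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000015
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - enable_strategy
        - ensure_gpgcheck_never_disabled
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
    - name: Set gpgcheck=1 for each yum repo
      ini_file:
        path: '{{ item[0] }}'
        section: '{{ item[1] }}'
        option: gpgcheck
        value: '1'
        no_extra_spaces: true
      # item[0] is the .repo file, item[1] the section name, from grep's
      # "file:[section]" output lines
      loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}'
      tags:
        - CCE-26647-8
        - CJIS-5.10.4.1
        - DISA-STIG-RHEL-06-000015
        - NIST-800-171-3.4.8
        - NIST-800-53-CM-11(a)
        - NIST-800-53-CM-11(b)
        - NIST-800-53-CM-5(3)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SA-12
        - NIST-800-53-SA-12(10)
        - NIST-800-53-SC-12
        - NIST-800-53-SC-12(3)
        - NIST-800-53-SI-7
        - PCI-DSS-Req-6.2
        - enable_strategy
        - ensure_gpgcheck_never_disabled
        - high_severity
        - low_complexity
        - medium_disruption
        - no_reboot_needed
    - name: Enable service ip6tables
      block:
        - name: Gather the package facts
          package_facts:
            manager: auto
        - name: Enable service ip6tables
          service:
            name: ip6tables
            enabled: true
            state: started
          when:
            - '"iptables-ipv6" in ansible_facts.packages'
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27006-6
        - DISA-STIG-RHEL-06-000103
        - NIST-800-53-AC-4
        - NIST-800-53-CA-3(5)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(b)
        - NIST-800-53-SC-7(21)
        - enable_strategy
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - service_ip6tables_enabled
    - name: Enable service iptables
      block:
        - name: Gather the package facts
          package_facts:
            manager: auto
        - name: Enable service iptables
          service:
            name: iptables
            enabled: true
            state: started
          when:
            - '"iptables" in ansible_facts.packages'
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27018-1
        - DISA-STIG-RHEL-06-000117
        - NIST-800-53-AC-4
        - NIST-800-53-CA-3(5)
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(b)
        - NIST-800-53-SC-7(21)
        - enable_strategy
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - service_iptables_enabled
    - name: Disable IPv6 Networking kernel module
      lineinfile:
        create: true
        dest: /etc/modprobe.d/ipv6.conf
        regexp: ^options\s+ipv6\s+disable=\d
        line: options ipv6 disable=1
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27153-6
        - DISA-STIG-RHEL-06-000098
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_ipv6_option_disabled
        - low_complexity
        - medium_disruption
        - medium_severity
        - reboot_required
    - name: Ensure disable_ipv6 (all and default) is set to 1
      sysctl:
        name: '{{ item }}'
        value: '1'
        state: present
        reload: true
      loop:
        - net.ipv6.conf.all.disable_ipv6
        - net.ipv6.conf.default.disable_ipv6
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-27153-6
        - DISA-STIG-RHEL-06-000098
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_ipv6_option_disabled
        - low_complexity
        - medium_disruption
        - medium_severity
        - reboot_required
    # Uncommon network protocols are blacklisted by mapping the module's
    # install command to /bin/true.
    - name: Ensure kernel module 'dccp' is disabled
      lineinfile:
        create: true
        dest: /etc/modprobe.d/dccp.conf
        regexp: dccp
        line: install dccp /bin/true
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26448-1
        - CJIS-5.10.1
        - DISA-STIG-RHEL-06-000124
        - NIST-800-171-3.4.6
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_dccp_disabled
        - low_complexity
        - medium_disruption
        - medium_severity
        - reboot_required
    - name: Ensure kernel module 'tipc' is disabled
      lineinfile:
        create: true
        dest: /etc/modprobe.d/tipc.conf
        regexp: tipc
        line: install tipc /bin/true
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26696-5
        - DISA-STIG-RHEL-06-000127
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_tipc_disabled
        - low_complexity
        - medium_disruption
        - medium_severity
        - reboot_required
    - name: Ensure kernel module 'sctp' is disabled
      lineinfile:
        create: true
        dest: /etc/modprobe.d/sctp.conf
        regexp: sctp
        line: install sctp /bin/true
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26410-1
        - CJIS-5.10.1
        - DISA-STIG-RHEL-06-000125
        - NIST-800-171-3.4.6
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_sctp_disabled
        - low_complexity
        - medium_disruption
        - medium_severity
        - reboot_required
    - name: Ensure kernel module 'rds' is disabled
      lineinfile:
        create: true
        dest: /etc/modprobe.d/rds.conf
        regexp: rds
        line: install rds /bin/true
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26239-4
        - DISA-STIG-RHEL-06-000126
        - NIST-800-53-CM-6(a)
        - NIST-800-53-CM-7(a)
        - NIST-800-53-CM-7(b)
        - disable_strategy
        - kernel_module_rds_disabled
        - low_complexity
        - low_severity
        - medium_disruption
        - reboot_required
    # SELinux settings: strip every existing line for the key, then write
    # exactly one, so a duplicate cannot shadow the intended value.
    - name: Configure SELinux Policy
      block:
        - name: Deduplicate values from /etc/selinux/config
          lineinfile:
            path: /etc/selinux/config
            create: false
            regexp: ^SELINUXTYPE=
            state: absent
        - name: Insert correct line to /etc/selinux/config
          lineinfile:
            path: /etc/selinux/config
            create: true
            line: SELINUXTYPE={{ var_selinux_policy_name }}
            state: present
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26875-5
        - DISA-STIG-RHEL-06-000023
        - NIST-800-171-3.1.2
        - NIST-800-171-3.7.2
        - NIST-800-53-AC-3
        - NIST-800-53-AC-3(3)(a)
        - NIST-800-53-AU-9
        - NIST-800-53-SC-7(21)
        - low_complexity
        - low_disruption
        - medium_severity
        - reboot_required
        - restrict_strategy
        - selinux_policytype
    - name: Ensure SELinux State is Enforcing
      block:
        - name: Deduplicate values from /etc/selinux/config
          lineinfile:
            path: /etc/selinux/config
            create: false
            regexp: ^SELINUX=
            state: absent
        - name: Insert correct line to /etc/selinux/config
          lineinfile:
            path: /etc/selinux/config
            create: true
            line: SELINUX={{ var_selinux_state }}
            state: present
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
      tags:
        - CCE-26969-6
        - DISA-STIG-RHEL-06-000020
        - NIST-800-171-3.1.2
        - NIST-800-171-3.7.2
        - NIST-800-53-AC-3
        - NIST-800-53-AC-3(3)(a)
        - NIST-800-53-AU-9
        - NIST-800-53-SC-7(21)
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - restrict_strategy
        - selinux_state
    # File ownership/permission rules: each stat result is registered as
    # file_exists and consumed by the task immediately following it.
    - name: Test for existence /boot/grub/grub.conf
      stat:
        path: /boot/grub/grub.conf
      register: file_exists
      tags:
        - CCE-26995-1
        - DISA-STIG-RHEL-06-000065
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-7.1
        - configure_strategy
        - file_owner_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure owner 0 on /boot/grub/grub.conf
      file:
        path: /boot/grub/grub.conf
        owner: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26995-1
        - DISA-STIG-RHEL-06-000065
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-7.1
        - configure_strategy
        - file_owner_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /boot/grub/grub.conf
      stat:
        path: /boot/grub/grub.conf
      register: file_exists
      tags:
        - CCE-27022-3
        - DISA-STIG-RHEL-06-000066
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-7.1
        - configure_strategy
        - file_groupowner_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure group owner 0 on /boot/grub/grub.conf
      file:
        path: /boot/grub/grub.conf
        group: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-27022-3
        - DISA-STIG-RHEL-06-000066
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-7.1
        - configure_strategy
        - file_groupowner_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /boot/grub/grub.conf
      stat:
        path: /boot/grub/grub.conf
      register: file_exists
      tags:
        - CCE-26949-8
        - DISA-STIG-RHEL-06-000067
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_permissions_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure permission 0600 on /boot/grub/grub.conf
      file:
        path: /boot/grub/grub.conf
        mode: '0600'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26949-8
        - DISA-STIG-RHEL-06-000067
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_permissions_grub_conf
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/group
      stat:
        path: /etc/group
      register: file_exists
      tags:
        - CCE-26822-7
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000042
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_owner_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure owner 0 on /etc/group
      file:
        path: /etc/group
        owner: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26822-7
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000042
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_owner_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/group
      stat:
        path: /etc/group
      register: file_exists
      tags:
        - CCE-26954-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000044
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_permissions_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure permission 0644 on /etc/group
      file:
        path: /etc/group
        mode: '0644'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26954-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000044
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_permissions_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/shadow
      stat:
        path: /etc/shadow
      register: file_exists
      tags:
        - CCE-26967-0
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000034
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_groupowner_etc_shadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure group owner 0 on /etc/shadow
      file:
        path: /etc/shadow
        group: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26967-0
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000034
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_groupowner_etc_shadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/shadow
      stat:
        path: /etc/shadow
      register: file_exists
      tags:
        - CCE-26992-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000035
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_permissions_etc_shadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure permission 0000 on /etc/shadow
      file:
        path: /etc/shadow
        mode: '0000'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26992-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000035
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_permissions_etc_shadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/gshadow
      stat:
        path: /etc/gshadow
      register: file_exists
      tags:
        - CCE-26975-3
        - DISA-STIG-RHEL-06-000037
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_groupowner_etc_gshadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure group owner 0 on /etc/gshadow
      file:
        path: /etc/gshadow
        group: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26975-3
        - DISA-STIG-RHEL-06-000037
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_groupowner_etc_gshadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/passwd
      stat:
        path: /etc/passwd
      register: file_exists
      tags:
        - CCE-26953-0
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000039
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_owner_etc_passwd
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure owner 0 on /etc/passwd
      file:
        path: /etc/passwd
        owner: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26953-0
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000039
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_owner_etc_passwd
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/gshadow
      stat:
        path: /etc/gshadow
      register: file_exists
      tags:
        - CCE-27026-4
        - DISA-STIG-RHEL-06-000036
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_owner_etc_gshadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure owner 0 on /etc/gshadow
      file:
        path: /etc/gshadow
        owner: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-27026-4
        - DISA-STIG-RHEL-06-000036
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - configure_strategy
        - file_owner_etc_gshadow
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/group
      stat:
        path: /etc/group
      register: file_exists
      tags:
        - CCE-26930-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000043
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_groupowner_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Ensure group owner 0 on /etc/group
      file:
        path: /etc/group
        group: '0'
      when: file_exists.stat is defined and file_exists.stat.exists
      tags:
        - CCE-26930-8
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000043
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_groupowner_etc_group
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
    - name: Test for existence /etc/passwd
      stat:
        path: /etc/passwd
      register: file_exists
      tags:
        - CCE-26868-0
        - CJIS-5.5.2.2
        - DISA-STIG-RHEL-06-000041
        - NIST-800-53-AC-6(1)
        - NIST-800-53-CM-6(a)
        - PCI-DSS-Req-8.7.c
        - configure_strategy
        - file_permissions_etc_passwd
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed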
- name: Ensure permission 0644 on /etc/passwd
file:
path: /etc/passwd
mode: '0644'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-26868-0
- CJIS-5.5.2.2
- DISA-STIG-RHEL-06-000041
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- configure_strategy
- file_permissions_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shadow
stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-26947-2
- CJIS-5.5.2.2
- DISA-STIG-RHEL-06-000033
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner 0 on /etc/shadow
file:
path: /etc/shadow
owner: '0'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-26947-2
- CJIS-5.5.2.2
- DISA-STIG-RHEL-06-000033
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/gshadow
stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-26951-4
- DISA-STIG-RHEL-06-000038
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission 0000 on /etc/gshadow
file:
path: /etc/gshadow
mode: '0000'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-26951-4
- DISA-STIG-RHEL-06-000038
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/passwd
stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-26856-5
- CJIS-5.5.2.2
- DISA-STIG-RHEL-06-000040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /etc/passwd
file:
path: /etc/passwd
group: '0'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-26856-5
- CJIS-5.5.2.2
- DISA-STIG-RHEL-06-000040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
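# Ownership and writability of the system library and executable
# directories. Each rule pairs a read-only `find` with a `file` task that
# loops over the paths the find printed. The find tasks never fail the play
# (`failed_when: false`), never report a change, and run even in check mode
# so the looping task always has input; an empty result makes the loop a
# no-op. The `-L` on the first find follows symlinks, so a link pointing at a
# non-root-owned target is reported by its link path.
- name: Read list libraries without root ownership
  command: find -L /usr/lib /usr/lib64 /lib /lib64 \! -user root
  register: libraries_not_owned_by_root
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - CCE-27424-1
    - DISA-STIG-RHEL-06-000046
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_ownership_library_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set ownership of system libraries to root
  file:
    path: '{{ item }}'
    owner: root
  with_items: '{{ libraries_not_owned_by_root.stdout_lines }}'
  # The generated playbook tested the whole registered result, which is a
  # non-empty dict even when find printed nothing; test the line list, as
  # the sibling rules below do.
  when: libraries_not_owned_by_root.stdout_lines | length > 0
  tags:
    - CCE-27424-1
    - DISA-STIG-RHEL-06-000046
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_ownership_library_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# NOTE: this rule registers its result under the same name the library-dirs
# rule further down uses; that rule overwrites it, so nothing after it can
# observe the binary-directory list.
- name: Read list of world and group writable system executables
  command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f
  register: world_writable_library_files
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - CCE-27289-8
    - DISA-STIG-RHEL-06-000047
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_permissions_binary_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Remove world/group writability of system executables
  file:
    path: '{{ item }}'
    mode: go-w  # symbolic mode: strip write for group/other, keep all other bits
  with_items: '{{ world_writable_library_files.stdout_lines }}'
  when: world_writable_library_files.stdout_lines | length > 0
  tags:
    - CCE-27289-8
    - DISA-STIG-RHEL-06-000047
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_permissions_binary_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Read list of system executables without root ownership
  command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root
  register: no_root_system_executables
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - CCE-27623-8
    - DISA-STIG-RHEL-06-000048
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_ownership_binary_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set ownership to root of system executables
  file:
    path: '{{ item }}'
    owner: root
  with_items: '{{ no_root_system_executables.stdout_lines }}'
  when: no_root_system_executables.stdout_lines | length > 0
  tags:
    - CCE-27623-8
    - DISA-STIG-RHEL-06-000048
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_ownership_binary_dirs
    - medium_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Read list of world and group writable files in libraries directories
  command: find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f
  register: world_writable_library_files
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - CCE-27381-3
    - DISA-STIG-RHEL-06-000045
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_permissions_library_dirs
    - high_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable world/group writability to library files
  file:
    path: '{{ item }}'
    mode: go-w
  with_items: '{{ world_writable_library_files.stdout_lines }}'
  when: world_writable_library_files.stdout_lines | length > 0
  tags:
    - CCE-27381-3
    - DISA-STIG-RHEL-06-000045
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - file_permissions_library_dirs
    - high_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy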
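# Disable the autofs service (CCE-26976-1). On RHEL 6 both `/sbin/service`
# and `chkconfig` exit non-zero when no init script exists for the name,
# which would abort the whole play on a host that never had autofs
# installed; the commands are therefore guarded by a stat of the SysV init
# script they consult. The block is skipped inside containers, where no
# SysV services run. Tags on the block are inherited by every task in it.
- name: Disable autofs
  block:
    - name: Check for autofs init script
      stat:
        path: /etc/init.d/autofs
      register: autofs_init_script

    - name: Stop autofs
      command: /sbin/service 'autofs' stop
      when: autofs_init_script.stat.exists

    - name: Switch off autofs
      command: /sbin/chkconfig --level 0123456 'autofs' off
      when: autofs_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26976-1
    - DISA-STIG-RHEL-06-000526
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_autofs_disabled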
# Full address-space layout randomisation (CCE-26999-3). `state: present`
# writes the key to the sysctl configuration and `reload: true` applies it
# immediately; the `reboot_required` tag reflects that already-running
# processes keep their existing layout. Skipped in containers, whose kernel
# parameters belong to the host.
- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: "2"  # quoted so the module receives the string it compares against
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26999-3
    - DISA-STIG-RHEL-06-000078
    - NIST-800-171-3.1.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_randomize_va_space
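# Remove the Berkeley r-services. rsh-server on RHEL 6 ships xinetd service
# definitions (/etc/xinetd.d/rsh, rlogin, rexec) rather than SysV init
# scripts, so `/sbin/service <name> stop` has nothing to act on and exits
# non-zero, and once the package is gone `chkconfig <name> off` fails too;
# either failure aborts the play. Each service block therefore checks for
# both an init script and an xinetd definition and only runs the command
# that can succeed. Service blocks are skipped inside containers.
- name: Ensure rsh-server is removed
  package:
    name: rsh-server
    state: absent
  tags:
    - CCE-27062-9
    - DISA-STIG-RHEL-06-000213
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_rsh-server_removed

- name: Disable rlogin
  block:
    - name: Check for rlogin init script
      stat:
        path: /etc/init.d/rlogin
      register: rlogin_init_script

    - name: Check for rlogin xinetd service
      stat:
        path: /etc/xinetd.d/rlogin
      register: rlogin_xinetd_service

    - name: Stop rlogin
      command: /sbin/service 'rlogin' stop
      when: rlogin_init_script.stat.exists

    - name: Switch off rlogin
      command: /sbin/chkconfig --level 0123456 'rlogin' off
      when: rlogin_init_script.stat.exists or rlogin_xinetd_service.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26865-6
    - DISA-STIG-RHEL-06-000218
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_rlogin_disabled

- name: Disable rexec
  block:
    - name: Check for rexec init script
      stat:
        path: /etc/init.d/rexec
      register: rexec_init_script

    - name: Check for rexec xinetd service
      stat:
        path: /etc/xinetd.d/rexec
      register: rexec_xinetd_service

    - name: Stop rexec
      command: /sbin/service 'rexec' stop
      when: rexec_init_script.stat.exists

    - name: Switch off rexec
      command: /sbin/chkconfig --level 0123456 'rexec' off
      when: rexec_init_script.stat.exists or rexec_xinetd_service.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27208-8
    - DISA-STIG-RHEL-06-000216
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_rexec_disabled

- name: Disable rsh
  block:
    - name: Check for rsh init script
      stat:
        path: /etc/init.d/rsh
      register: rsh_init_script

    - name: Check for rsh xinetd service
      stat:
        path: /etc/xinetd.d/rsh
      register: rsh_xinetd_service

    - name: Stop rsh
      command: /sbin/service 'rsh' stop
      when: rsh_init_script.stat.exists

    - name: Switch off rsh
      command: /sbin/chkconfig --level 0123456 'rsh' off
      when: rsh_init_script.stat.exists or rsh_xinetd_service.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26994-4
    - DISA-STIG-RHEL-06-000214
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_rsh_disabled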
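# Remove the telnet server. telnet-server on RHEL 6 is an xinetd service
# (/etc/xinetd.d/telnet) with no init script, so the generated
# `/sbin/service 'telnet' stop` always exited non-zero, and after the package
# removal above `chkconfig 'telnet' off` failed as well, aborting the play.
# The service block now checks for an init script and an xinetd definition
# and only runs the command that can succeed. Skipped inside containers.
- name: Ensure telnet-server is removed
  package:
    name: telnet-server
    state: absent
  tags:
    - CCE-27073-6
    - DISA-STIG-RHEL-06-000206
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_telnet-server_removed

- name: Disable telnet
  block:
    - name: Check for telnet init script
      stat:
        path: /etc/init.d/telnet
      register: telnet_init_script

    - name: Check for telnet xinetd service
      stat:
        path: /etc/xinetd.d/telnet
      register: telnet_xinetd_service

    - name: Stop telnet
      command: /sbin/service 'telnet' stop
      when: telnet_init_script.stat.exists

    - name: Switch off telnet
      command: /sbin/chkconfig --level 0123456 'telnet' off
      when: telnet_init_script.stat.exists or telnet_xinetd_service.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26836-7
    - DISA-STIG-RHEL-06-000211
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_telnet_disabled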
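# Remove the NIS server and disable the NIS client daemon. ypbind is a SysV
# service; `/sbin/service` and `chkconfig` exit non-zero when its init script
# is absent (ypbind package not installed), which would abort the play, so
# both commands are guarded by a stat of the init script. Skipped inside
# containers.
- name: Ensure ypserv is removed
  package:
    name: ypserv
    state: absent
  tags:
    - CCE-27079-3
    - DISA-STIG-RHEL-06-000220
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_ypserv_removed

- name: Disable ypbind
  block:
    - name: Check for ypbind init script
      stat:
        path: /etc/init.d/ypbind
      register: ypbind_init_script

    - name: Stop ypbind
      command: /sbin/service 'ypbind' stop
      when: ypbind_init_script.stat.exists

    - name: Switch off ypbind
      command: /sbin/chkconfig --level 0123456 'ypbind' off
      when: ypbind_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26894-6
    - DISA-STIG-RHEL-06-000221
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_ypbind_disabled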
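# Remove the TFTP server. tftp-server on RHEL 6 is an xinetd service
# (/etc/xinetd.d/tftp) with no init script, so the generated
# `/sbin/service 'tftp' stop` always exited non-zero and, after the package
# removal, `chkconfig 'tftp' off` failed as well, aborting the play. The
# service block checks for an init script and an xinetd definition and only
# runs the command that can succeed. Skipped inside containers.
- name: Ensure tftp-server is removed
  package:
    name: tftp-server
    state: absent
  tags:
    - CCE-26946-4
    - DISA-STIG-RHEL-06-000222
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_tftp-server_removed

- name: Disable tftp
  block:
    - name: Check for tftp init script
      stat:
        path: /etc/init.d/tftp
      register: tftp_init_script

    - name: Check for tftp xinetd service
      stat:
        path: /etc/xinetd.d/tftp
      register: tftp_xinetd_service

    - name: Stop tftp
      command: /sbin/service 'tftp' stop
      when: tftp_init_script.stat.exists

    - name: Switch off tftp
      command: /sbin/chkconfig --level 0123456 'tftp' off
      when: tftp_init_script.stat.exists or tftp_xinetd_service.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27055-3
    - DISA-STIG-RHEL-06-000223
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_tftp_disabled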
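# Remove xinetd and disable its service. The package removal runs first and
# takes /etc/init.d/xinetd with it, after which the generated
# `/sbin/service 'xinetd' stop` and `chkconfig 'xinetd' off` exit non-zero
# and abort the play; both commands are therefore guarded by a stat of the
# init script, so they only run when the package is still present (for
# example when the removal was skipped by tag). Both tasks are skipped inside
# containers.
- name: Ensure xinetd is removed
  package:
    name: xinetd
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27005-8
    - DISA-STIG-RHEL-06-000204
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_xinetd_removed

- name: Disable xinetd
  block:
    - name: Check for xinetd init script
      stat:
        path: /etc/init.d/xinetd
      register: xinetd_init_script

    - name: Stop xinetd
      command: /sbin/service 'xinetd' stop
      when: xinetd_init_script.stat.exists

    - name: Switch off xinetd
      command: /sbin/chkconfig --level 0123456 'xinetd' off
      when: xinetd_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27046-2
    - DISA-STIG-RHEL-06-000203
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_xinetd_disabled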
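# Disable SysV services that the profile does not want running: atd, rdisc,
# oddjobd, qpidd, abrtd, ntpdate and avahi-daemon. On RHEL 6 `/sbin/service`
# and `chkconfig` exit non-zero when no init script exists for the name,
# which would abort the play on hosts where the package was never installed;
# each pair of commands is therefore guarded by a stat of the init script.
# Every block is skipped inside containers and its tags are inherited by the
# tasks inside it.
- name: Disable atd
  block:
    - name: Check for atd init script
      stat:
        path: /etc/init.d/atd
      register: atd_init_script

    - name: Stop atd
      command: /sbin/service 'atd' stop
      when: atd_init_script.stat.exists

    - name: Switch off atd
      command: /sbin/chkconfig --level 0123456 'atd' off
      when: atd_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27249-2
    - DISA-STIG-RHEL-06-000262
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_atd_disabled

- name: Disable rdisc
  block:
    - name: Check for rdisc init script
      stat:
        path: /etc/init.d/rdisc
      register: rdisc_init_script

    - name: Stop rdisc
      command: /sbin/service 'rdisc' stop
      when: rdisc_init_script.stat.exists

    - name: Switch off rdisc
      command: /sbin/chkconfig --level 0123456 'rdisc' off
      when: rdisc_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27261-7
    - DISA-STIG-RHEL-06-000268
    - NIST-800-53-AC-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_rdisc_disabled

- name: Disable oddjobd
  block:
    - name: Check for oddjobd init script
      stat:
        path: /etc/init.d/oddjobd
      register: oddjobd_init_script

    - name: Stop oddjobd
      command: /sbin/service 'oddjobd' stop
      when: oddjobd_init_script.stat.exists

    - name: Switch off oddjobd
      command: /sbin/chkconfig --level 0123456 'oddjobd' off
      when: oddjobd_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27257-5
    - DISA-STIG-RHEL-06-000266
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_oddjobd_disabled

- name: Disable qpidd
  block:
    - name: Check for qpidd init script
      stat:
        path: /etc/init.d/qpidd
      register: qpidd_init_script

    - name: Stop qpidd
      command: /sbin/service 'qpidd' stop
      when: qpidd_init_script.stat.exists

    - name: Switch off qpidd
      command: /sbin/chkconfig --level 0123456 'qpidd' off
      when: qpidd_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26928-2
    - DISA-STIG-RHEL-06-000267
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - service_qpidd_disabled

- name: Disable abrtd
  block:
    - name: Check for abrtd init script
      stat:
        path: /etc/init.d/abrtd
      register: abrtd_init_script

    - name: Stop abrtd
      command: /sbin/service 'abrtd' stop
      when: abrtd_init_script.stat.exists

    - name: Switch off abrtd
      command: /sbin/chkconfig --level 0123456 'abrtd' off
      when: abrtd_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27247-6
    - DISA-STIG-RHEL-06-000261
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_abrtd_disabled

- name: Disable ntpdate
  block:
    - name: Check for ntpdate init script
      stat:
        path: /etc/init.d/ntpdate
      register: ntpdate_init_script

    - name: Stop ntpdate
      command: /sbin/service 'ntpdate' stop
      when: ntpdate_init_script.stat.exists

    - name: Switch off ntpdate
      command: /sbin/chkconfig --level 0123456 'ntpdate' off
      when: ntpdate_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27256-7
    - DISA-STIG-RHEL-06-000265
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - service_ntpdate_disabled

- name: Disable avahi-daemon
  block:
    - name: Check for avahi-daemon init script
      stat:
        path: /etc/init.d/avahi-daemon
      register: avahi_daemon_init_script

    - name: Stop avahi-daemon
      command: /sbin/service 'avahi-daemon' stop
      when: avahi_daemon_init_script.stat.exists

    - name: Switch off avahi-daemon
      command: /sbin/chkconfig --level 0123456 'avahi-daemon' off
      when: avahi_daemon_init_script.stat.exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27087-6
    - DISA-STIG-RHEL-06-000246
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_avahi-daemon_disabled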
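# sshd hardening (/etc/ssh/sshd_config). Every rule is a two-step block:
# delete any existing occurrence of the directive (matched
# case-insensitively, as sshd itself reads keywords), then insert the wanted
# line before the first line matching `^[#\s]*Match`, so the setting is
# global rather than inside a conditional `Match` section. `validate` runs
# `sshd -t` against the candidate file before it replaces the real one, so a
# bad edit cannot leave sshd unable to start. `create: true` on the insert
# step means a missing sshd_config is created holding only that directive.
# Every block is skipped inside containers.
#
# Two generator artefacts are corrected: the idle-timeout rule listed
# NIST-800-53-AC-17(a) and NIST-800-53-CM-6(a) twice, and the root-login
# rule carried a truncated `NIST-800-53-` tag whose reference cannot be
# recovered from this file.
- name: Disable SSH Access via Empty Passwords
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitEmptyPasswords\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitEmptyPasswords no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26887-0
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000239
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords

# ClientAliveCountMax is taken from var_sshd_set_keepalive (play vars).
- name: Set SSH Client Alive Max Count
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*ClientAliveCountMax\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26282-4
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000231
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_keepalive

# ClientAliveInterval is taken from sshd_idle_timeout_value (play vars).
- name: Set SSH Idle Timeout Interval
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*ClientAliveInterval\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: ClientAliveInterval {{ sshd_idle_timeout_value }}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-26919-1
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000230
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_idle_timeout

- name: Enable SSH Warning Banner
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*Banner\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: Banner /etc/issue
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27112-2
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000240
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - NIST-800-53-CM-6(a)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_enable_warning_banner

- name: Allow Only SSH Protocol 2
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*Protocol\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: Protocol 2
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27072-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000227
    - NIST-800-171-3.1.13
    - NIST-800-171-3.5.4
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_allow_only_protocol2

- name: Do Not Allow SSH Environment Options
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitUserEnvironment\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitUserEnvironment no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27201-3
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000241
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_do_not_permit_user_env

- name: Disable Host-Based Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*HostbasedAuthentication\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: HostbasedAuthentication no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27091-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000236
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_host_auth
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable SSH Root Login
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitRootLogin no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - CCE-27100-7
    - CJIS-5.5.6
    - DISA-STIG-RHEL-06-000237
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_root_login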