STIG Compliance (#61)

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py

@@ -0,0 +1,98 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import json
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+role = "iosxeSTIG"
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
+        if self.stig_path is None:
+            self.stig_path = os.path.join(os.getcwd(), "roles", role, "files")
+            self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = os.getcwd()
+            self._display.display('Using XML_PATH: {}'.format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
+        tg.text = platform.node()
+
+    def __get_rev(self, nid):
+        rev = '0'
+        # Check all files for the rule number.
+        for file in os.listdir(self.stig_path):
+            with open(os.path.join(self.stig_path, file), 'r') as f:
+                r = 'SV-{}r(?P<rev>\d)_rule'.format(nid)
+                m = re.search(r, f.read())
+            if m:
+                rev = m.group('rev')
+                break
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search('stigrule_(?P<id>\d+)', name)
+        if m:
+            nid = m.group('id')
+        else:
+            return
+        rev = self.__get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, 'Unknown') != False:
+            self.rules[key] = result.is_changed()
+
+    def __set_duplicates(self):
+        with open(os.path.join(self.stig_path, 'duplicates.json')) as f:
+            dups = json.load(f)
+        for d in dups:
+            dup_of = str(dups[d][0])
+            rev = self.__get_rev(d)
+            key = "{}r{}".format(d, rev)
+            dup_of_rev = self.__get_rev(dup_of)
+            dup_of_key = "{}r{}".format(dup_of, dup_of_rev)
+            if dup_of_key in self.rules:
+                self.rules[key] = self.rules[dup_of_key]
+
+    def v2_playbook_on_stats(self, stats):
+        self.__set_duplicates()
+        for rule, changed in self.rules.items():
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
+        sc.text = str(passing)
+        with open(os.path.join(self.XML_path, "xccdf-results.xml"), 'w') as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml

@@ -0,0 +1,280 @@
+# R-215807 CISC-ND-000010
+iosxeSTIG_stigrule_215807_Manage: True
+iosxeSTIG_stigrule_215807_ip_http_max_connections_2_Lines:
+  - ip http max-connections 2
+iosxeSTIG_stigrule_215807_session_limit_for_all_line_vty_sections_Lines:
+  - session-limit 2
+# R-215808 CISC-ND-000090
+# A partial of 215815
+# duplicate of 215815
+# R-215809 CISC-ND-000100
+# A partial of 215815
+# duplicate of 215815
+# R-215810 CISC-ND-000110
+# A partial of 215815
+# duplicate of 215815
+# R-215811 CISC-ND-000120
+# A partial of 215815
+# duplicate of 215815
+# R-215813 CISC-ND-000150
+iosxeSTIG_stigrule_215813_Manage: True
+iosxeSTIG_stigrule_215813_login_block_for_900_attempts_3_within_120_Lines:
+  - login block-for 900 attempts 3 within 120
+# R-215814 CISC-ND-000160
+iosxeSTIG_stigrule_215814_Manage: True
+iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and 
+
+counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
+
+psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+# R-215815 CISC-ND-000210
+iosxeSTIG_stigrule_215815_Manage: True
+iosxeSTIG_stigrule_215815_login_logging_Lines:
+  - logging userinfo
+iosxeSTIG_stigrule_215815_logging_enable_Lines:
+  - logging enable
+iosxeSTIG_stigrule_215815_logging_enable_Parents:
+  - archive
+  - log config
+# R-215816 CISC-ND-000250
+iosxeSTIG_stigrule_215816_Manage: True
+iosxeSTIG_stigrule_215816_login_logging_Lines:
+  - login on-failure log
+  - login on-success log
+# R-215817 CISC-ND-000280
+iosxeSTIG_stigrule_215817_Manage: True
+iosxeSTIG_stigrule_215817_service_timestamps_log_datetime_localtime_Lines:
+  - service timestamps log datetime localtime
+# R-215819 CISC-ND-000330
+# A partial of 215815
+# duplicate of 215815
+# R-215820 CISC-ND-000380
+iosxeSTIG_stigrule_215820_Manage: True
+iosxeSTIG_stigrule_215820_file_privilege_Lines:
+  - file privilege 15
+# R-215821 CISC-ND-000390
+# A duplicate of 215820
+# duplicate of 215820
+# R-215822 CISC-ND-000460
+# A duplicate of 215820
+# duplicate of 215820
+# R-215823 CISC-ND-000470
+iosxeSTIG_stigrule_215823_Manage: True
+iosxeSTIG_stigrule_215823_disable_boot_network_Lines:
+  - no boot network
+iosxeSTIG_stigrule_215823_disable_boot_server_Lines:
+  - no ip boot server
+iosxeSTIG_stigrule_215823_disable_bootp_server_Lines:
+  - no ip bootp server
+iosxeSTIG_stigrule_215823_disable_dns_server_Lines:
+  - no ip dns server
+iosxeSTIG_stigrule_215823_disable_identd_Lines:
+  - no ip identd
+iosxeSTIG_stigrule_215823_disable_finger_Lines:
+  - no ip finger
+iosxeSTIG_stigrule_215823_disable_http_server_Lines:
+  - no ip http server
+iosxeSTIG_stigrule_215823_disable_rcmd_rcp_enable_Lines:
+  - no ip rcmd rcp-enable
+iosxeSTIG_stigrule_215823_disable_rcmd_rsh_enable_Lines:
+  - no ip rcmd rsh-enable
+iosxeSTIG_stigrule_215823_disable_tcp_small_servers_Lines:
+  - no service tcp-small-servers
+iosxeSTIG_stigrule_215823_disable_udp_small_servers_Lines:
+  - no service udp-small-servers
+iosxeSTIG_stigrule_215823_disable_service_finger_Lines:
+  - no service finger
+iosxeSTIG_stigrule_215823_disable_service_config_Lines:
+  - no service config
+iosxeSTIG_stigrule_215823_disable_service_pad_Lines:
+  - no service pad
+# R-215825 CISC-ND-000530
+# ip ssh server algorithm encryption is set in 215845.
+iosxeSTIG_stigrule_215825_Manage: True
+iosxeSTIG_stigrule_215825_ip_ssh_version_2_Lines:
+  - ip ssh version 2
+# R-215826 CISC-ND-000550
+iosxeSTIG_stigrule_215826_Manage: False
+iosxeSTIG_stigrule_215826_password_min_len_Lines:
+  - min-length 15
+iosxeSTIG_stigrule_215826_password_min_len_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215827 CISC-ND-000570
+iosxeSTIG_stigrule_215827_Manage: False
+iosxeSTIG_stigrule_215827_password_upper_case_Lines:
+  - upper-case 1
+iosxeSTIG_stigrule_215827_password_upper_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215828 CISC-ND-000580
+iosxeSTIG_stigrule_215828_Manage: False
+iosxeSTIG_stigrule_215828_password_lower_case_Lines:
+  - lower-case 1
+iosxeSTIG_stigrule_215828_password_lower_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215829 CISC-ND-000590
+iosxeSTIG_stigrule_215829_Manage: False
+iosxeSTIG_stigrule_215829_password_numeric_count_Lines:
+  - numeric-count 1
+iosxeSTIG_stigrule_215829_password_numeric_count_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215830 CISC-ND-000600
+iosxeSTIG_stigrule_215830_Manage: False
+iosxeSTIG_stigrule_215830_password_special_case_Lines:
+  - special-case 1
+iosxeSTIG_stigrule_215830_password_special_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215831 CISC-ND-000610
+iosxeSTIG_stigrule_215831_Manage: False
+iosxeSTIG_stigrule_215831_password_upper_case_Lines:
+  - char-changes 8
+iosxeSTIG_stigrule_215831_password_upper_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215832 CISC-ND-000620
+iosxeSTIG_stigrule_215832_Manage: True
+iosxeSTIG_stigrule_215832_service_password_encryption_Lines:
+  - service password-encryption
+# R-215833 CISC-ND-000720
+iosxeSTIG_stigrule_215833_Manage: True
+iosxeSTIG_stigrule_215833_exec_timeout_for_console_Lines:
+  - exec-timeout 10 0
+iosxeSTIG_stigrule_215833_exec_timeout_for_console_Parents:
+  - line con 0
+iosxeSTIG_stigrule_215833_exec_timeout_for_all_line_vty_sections_Lines:
+  - exec-timeout 10 0
+iosxeSTIG_stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10_Lines:
+  - ip http timeout-policy idle 600 life 3600 requests 10
+# R-215834 CISC-ND-000880
+# A partial of 215815
+# duplicate of 215815
+# R-215835 CISC-ND-000940
+# A duplicate of 215815
+# duplicate of 215815
+# R-215836 CISC-ND-000980
+iosxeSTIG_stigrule_215836_Manage: True
+iosxeSTIG_stigrule_215836_logging_buffered_4096_informational_Lines:
+  - logging buffered 4096 informational
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+iosxeSTIG_stigrule_215837_Manage: False
+iosxeSTIG_stigrule_215837_host_Name: '192.0.2.128'
+iosxeSTIG_stigrule_215837_logging_trap_critical_Lines:
+  - logging trap critical
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+iosxeSTIG_stigrule_215838_Manage: False
+iosxeSTIG_stigrule_215838_ntp_server_1_Server: '192.0.2.0'
+iosxeSTIG_stigrule_215838_ntp_server_2_Server: '192.0.2.1'
+# R-215839 CISC-ND-001040
+# A duplicate of 215817
+# duplicate of 215817
+# R-215840 CISC-ND-001050
+# service timestamps log datetime localtime is set in 215817.
+iosxeSTIG_stigrule_215840_Manage: True
+iosxeSTIG_stigrule_215840_service_timestamps_log_datetime_localtime_Lines:
+  - clock timezone EST -5 0
+# R-215844 CISC-ND-001200
+iosxeSTIG_stigrule_215844_Manage: True
+iosxeSTIG_stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1_Lines:
+  - ip ssh server algorithm mac hmac-sha1
+iosxeSTIG_stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha_Lines:
+  - ip http secure-ciphersuite aes-128-cbc-sha
+# R-215845 CISC-ND-001210
+# Option ip http secure-ciphersuite is set in 215844
+iosxeSTIG_stigrule_215845_Manage: True
+iosxeSTIG_stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr_Lines:
+  - ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr
+# R-215847 CISC-ND-001240
+# A duplicate of 215815
+# duplicate of 215815
+# R-215848 CISC-ND-001250
+# A partial of 215815
+# duplicate of 215815
+# R-215849 CISC-ND-001260
+# A subset of 215816
+# duplicate of 215816
+# R-215850 CISC-ND-001270
+# A partial of 215815
+# duplicate of 215815
+# R-215852 CISC-ND-001290
+# A subset of 215816
+# duplicate of 215816
+# R-215853 CISC-ND-001310
+# A duplicate of 215837
+# duplicate of 215837
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+iosxeSTIG_stigrule_215854_Manage: False
+iosxeSTIG_stigrule_215854_radius_host_10_1_48_2_key_xxxxxx_Lines:
+  - radius host 10.1.48.2 key xxxxxx
+iosxeSTIG_stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local_Lines:
+  - aaa authentication login LOGIN_AUTHENTICATION group radius local
+iosxeSTIG_stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION_Lines:
+  - ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
+iosxeSTIG_stigrule_215854_login_authentication_for_console_Lines:
+  - login authentication LOGIN_AUTHENTICATION
+iosxeSTIG_stigrule_215854_login_authentication_for_console_Parents:
+  - line con 0
+iosxeSTIG_stigrule_215854_login_authentication_for_all_line_vty_sections_Lines:
+  - login authentication LOGIN_AUTHENTICATION
+# R-215856 CISC-ND-001440
+# Insert an appropriate URL (including protocol and port)
+iosxeSTIG_stigrule_215856_Manage: False
+iosxeSTIG_stigrule_215856_enrollment_url_Lines:
+  - enrollment url http://trustpoint1.example.com:80
+iosxeSTIG_stigrule_215856_enrollment_url_Parents:
+  - crypto pki trustpoint CA_X
+# R-216647 CISC-RT-000070
+# A duplicate of 215823
+# duplicate of 215823
+# R-216661 CISC-RT-000230
+iosxeSTIG_stigrule_216661_Manage: False
+iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Lines:
+  - no exec
+  - transport input none
+iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Parents:
+  - line aux 0
+# R-216675 CISC-RT-000370
+iosxeSTIG_stigrule_216675_Manage: True
+iosxeSTIG_stigrule_216675_no_cdp_run_Lines:
+  - no cdp run
+# R-216700 CISC-RT-000620
+iosxeSTIG_stigrule_216700_Manage: True
+iosxeSTIG_stigrule_216700_no_mpls_ip_propagate_ttl_Lines:
+  - no mpls ip propagate-ttl
+# R-216723 CISC-RT-000850
+iosxeSTIG_stigrule_216723_Manage: False
+iosxeSTIG_stigrule_216723_ip_pim_register_rate_limit_10_Lines:
+  - ip pim register-rate-limit 10
+# R-216726 CISC-RT-000880
+iosxeSTIG_stigrule_216726_Manage: True
+iosxeSTIG_stigrule_216726_ip_igmp_limit_Lines:
+  - ip igmp limit 2
+# R-216727 CISC-RT-000890
+iosxeSTIG_stigrule_216727_Manage: True
+iosxeSTIG_stigrule_216727_ip_pim_spt_threshold_infinity_Lines:
+  - ip pim spt-threshold infinity
+# R-216996 CISC-RT-000080
+iosxeSTIG_stigrule_216996_Manage: True
+iosxeSTIG_stigrule_216996_no_call_home_Lines:
+  - no call-home
+# R-217001 CISC-RT-000750
+# Options drop or ignore are allowed.
+iosxeSTIG_stigrule_217001_Manage: True
+iosxeSTIG_stigrule_217001_ip_options_drop_Lines:
+  - ip options drop
+# R-220139 CISC-ND-001450
+# A duplicate of 215837
+# duplicate of 215837
+iosxeSTIG_save_configuration_Manage: False

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/duplicates.json

@@ -0,0 +1,20 @@
+{
+  "215808":[ "215815" ],
+  "215809":[ "215815" ],
+  "215810":[ "215815" ],
+  "215811":[ "215815" ],
+  "215819":[ "215815" ],
+  "215821":[ "215820" ],
+  "215822":[ "215820" ],
+  "215834":[ "215815" ],
+  "215835":[ "215815" ],
+  "215839":[ "215817" ],
+  "215847":[ "215815" ],
+  "215848":[ "215815" ],
+  "215849":[ "215816" ],
+  "215850":[ "215815" ],
+  "215852":[ "215816" ],
+  "215853":[ "215837" ],
+  "216647":[ "215823" ],
+  "220139":[ "215837" ]
+}

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: save configuration
+  ios_command:
+    commands: write memory
+  when: iosxeSTIG_save_configuration_Manage

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml

@@ -0,0 +1,595 @@
+# R-215807 CISC-ND-000010
+- name : stigrule_215807_ip_http_max_connections_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215807_ip_http_max_connections_2_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215807_Manage
+# R-215807 CISC-ND-000010
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215807_session_limit_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215807_session_limit_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215807_Manage
+# R-215813 CISC-ND-000150
+- name : stigrule_215813_login_block_for_900_attempts_3_within_120
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215813_login_block_for_900_attempts_3_within_120_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215813_Manage
+# R-215814 CISC-ND-000160
+- name : stigrule_215814_login
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_banner:
+    banner: login
+    text: "{{ iosxeSTIG_stigrule_215814_login_Text }}"
+  when: iosxeSTIG_stigrule_215814_Manage
+# R-215815 CISC-ND-000210
+- name : stigrule_215815_login_logging
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215815_login_logging_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215815_Manage
+# R-215815 CISC-ND-000210
+- name : stigrule_215815_logging_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215815_logging_enable_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215815_logging_enable_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215815_Manage
+# R-215816 CISC-ND-000250
+- name : stigrule_215816_login_logging
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215816_login_logging_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215816_Manage
+# R-215817 CISC-ND-000280
+- name : stigrule_215817_service_timestamps_log_datetime_localtime
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215817_service_timestamps_log_datetime_localtime_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215817_Manage
+# R-215820 CISC-ND-000380
+- name : stigrule_215820_file_privilege
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215820_file_privilege_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215820_Manage
+# R-215823 CISC-ND-000470
+- name: check for boot network
+  ios_command:
+    commands: show running-config all | include ^boot network
+  register: cmd_result
+- name : stigrule_215823_disable_boot_network
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_boot_network_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('boot network') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip boot server
+  ios_command:
+    commands: show running-config all | include ^ip boot server
+  register: cmd_result
+- name : stigrule_215823_disable_boot_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_boot_server_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip boot server') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_bootp_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_bootp_server_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for DNS server configuration
+  ios_command:
+    commands: show running-config all | include ^ip dns server
+  register: cmd_result
+- name : stigrule_215823_disable_dns_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_dns_server_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip dns server') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_identd
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_finger
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_finger_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_http_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_http_server_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip rcmd rcp-enable
+  ios_command:
+    commands: show running-config all | include ^ip rcmd rcp-enable
+  register: cmd_result
+- name : stigrule_215823_disable_rcmd_rcp_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_rcmd_rcp_enable_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip rcmd rcp-enable') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip rcmd rsh-enable
+  ios_command:
+    commands: show running-config all | include ^ip rcmd rsh-enable
+  register: cmd_result
+- name : stigrule_215823_disable_rcmd_rsh_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_rcmd_rsh_enable_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip rcmd rsh-enable') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for tcp-small-servers
+  ios_command:
+    commands: show running-config all | include ^service tcp-small-servers
+  register: cmd_result
+- name : stigrule_215823_disable_tcp_small_servers
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_tcp_small_servers_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service tcp-small-servers') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for udp-small-servers
+  ios_command:
+    commands: show running-config all | include ^service udp-small-servers
+  register: cmd_result
+- name : stigrule_215823_disable_udp_small_servers
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_udp_small_servers_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service udp-small-servers') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for service finger
+  ios_command:
+    commands: show running-config all | include ^service finger
+  register: cmd_result
+- name : stigrule_215823_disable_service_finger
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_finger_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service finger') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_service_config
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_config_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_service_pad
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_pad_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215825 CISC-ND-000530
+# ip ssh server algorithm encryption is set in 215845.
+- name : stigrule_215825_ip_ssh_version_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215825_ip_ssh_version_2_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215825_Manage
+# R-215826 CISC-ND-000550
+- name : stigrule_215826_password_min_len
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215826_password_min_len_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215826_password_min_len_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215826_Manage
+# R-215827 CISC-ND-000570
+- name : stigrule_215827_password_upper_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215827_password_upper_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215827_password_upper_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215827_Manage
+# R-215828 CISC-ND-000580
+- name : stigrule_215828_password_lower_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215828_password_lower_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215828_password_lower_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215828_Manage
+# R-215829 CISC-ND-000590
+- name : stigrule_215829_password_numeric_count
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215829_password_numeric_count_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215829_password_numeric_count_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215829_Manage
+# R-215830 CISC-ND-000600
+- name : stigrule_215830_password_special_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215830_password_special_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215830_password_special_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215830_Manage
+# R-215831 CISC-ND-000610
+- name : stigrule_215831_password_upper_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215831_password_upper_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215831_password_upper_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215831_Manage
+# R-215832 CISC-ND-000620
+- name : stigrule_215832_service_password_encryption
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215832_service_password_encryption_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215832_Manage
+# R-215833 CISC-ND-000720
+- name : stigrule_215833_exec_timeout_for_console
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_console_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_console_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215833 CISC-ND-000720
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215833_exec_timeout_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215833 CISC-ND-000720
+- name : stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215836 CISC-ND-000980
+- name : stigrule_215836_logging_buffered_4096_informational
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215836_logging_buffered_4096_informational_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215836_Manage
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+- name : stigrule_215837_host
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_logging:
+    dest: host
+    name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
+  when: iosxeSTIG_stigrule_215837_Manage
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+- name : stigrule_215837_logging_trap_critical
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215837_logging_trap_critical_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215837_Manage
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+- name : stigrule_215838_ntp_server_1
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_ntp:
+    server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
+  when: iosxeSTIG_stigrule_215838_Manage
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+- name : stigrule_215838_ntp_server_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_ntp:
+    server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
+  when: iosxeSTIG_stigrule_215838_Manage
+# R-215840 CISC-ND-001050
+# service timestamps log datetime localtime is set in 215817.
+- name : stigrule_215840_service_timestamps_log_datetime_localtime
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215840_service_timestamps_log_datetime_localtime_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215840_Manage
+# R-215844 CISC-ND-001200
+- name : stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215844_Manage
+# R-215844 CISC-ND-001200
+- name : stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215844_Manage
+# R-215845 CISC-ND-001210
+# Option ip http secure-ciphersuite is set in 215844
+- name : stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215845_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_radius_host_10_1_48_2_key_xxxxxx
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_radius_host_10_1_48_2_key_xxxxxx_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_login_authentication_for_console
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_console_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_console_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215854_login_authentication_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215856 CISC-ND-001440
+# Insert an appropriate URL (including protocol and port)
+- name : stigrule_215856_enrollment_url
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215856_enrollment_url_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215856_enrollment_url_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215856_Manage
+# R-216661 CISC-RT-000230
+- name : stigrule_216661_Disable_the_auxiliary_port
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_216661_Manage
+# R-216675 CISC-RT-000370
+- name : stigrule_216675_no_cdp_run
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216675_no_cdp_run_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216675_Manage
+# R-216700 CISC-RT-000620
+- name : stigrule_216700_no_mpls_ip_propagate_ttl
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216700_no_mpls_ip_propagate_ttl_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216700_Manage
+# R-216723 CISC-RT-000850
+- name : stigrule_216723_ip_pim_register_rate_limit_10
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216723_ip_pim_register_rate_limit_10_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216723_Manage
+# R-216726 CISC-RT-000880
+- name : stigrule_216726_ip_igmp_limit
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216726_ip_igmp_limit_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216726_Manage
+# R-216727 CISC-RT-000890
+- name : stigrule_216727_ip_pim_spt_threshold_infinity
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216727_ip_pim_spt_threshold_infinity_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216727_Manage
+# R-216996 CISC-RT-000080
+- name: check for call-home
+  ios_command:
+    commands: show running-config | include ^call-home
+  register: cmd_result
+- name : stigrule_216996_no_call_home
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216996_no_call_home_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('call-home') != -1
+    - iosxeSTIG_stigrule_216996_Manage
+# R-217001 CISC-RT-000750
+# Options drop or ignore are allowed.
+- name : stigrule_217001_ip_options_drop
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_217001_ip_options_drop_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_217001_Manage