From 552acdcb6cc9a421f0303eed1a817f9b873755d7 Mon Sep 17 00:00:00 2001
From: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
Date: Tue, 20 Aug 2024 13:30:48 -0400
Subject: [PATCH] Updated versions of compliance-related roles (#170)

---
 .gitignore | 4 +-
 .pre-commit-config.yaml | 4 +
 .../rhel8STIG/callback_plugins/stig_xml.py | 67 +-
 .../roles/rhel8STIG/defaults/main.yml | 9 +-
 ...l => U_RHEL_8_STIG_V1R13_Manual-xccdf.xml} | 1075 +--
 .../compliance/roles/rhel8STIG/tasks/main.yml | 50 +-
 .../rhel9STIG/callback_plugins/stig_xml.py | 86 +
 .../roles/rhel9STIG/defaults/main.yml | 1011 +++
 .../files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml | 7020 +++++++++++++++++
 .../roles/rhel9STIG/handlers/main.yml | 30 +
 .../compliance/roles/rhel9STIG/tasks/main.yml | 3055 +++++++
 linux/compliance-enforce.yml | 2 +-
 linux/setup.yml | 5 +-
 roles/requirements.yml | 80 +-
 14 files changed, 11876 insertions(+), 622 deletions(-)
 rename collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/{U_RHEL_8_STIG_V1R9_Manual-xccdf.xml => U_RHEL_8_STIG_V1R13_Manual-xccdf.xml} (84%)
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml
 create mode 100644 collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml

diff --git a/.gitignore b/.gitignore
index fc9639e..da93076 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,6 @@ choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
 *artifact*.json
-**/roles/*
-!**/roles/requirements.yml
+roles/*
+!roles/requirements.yml
 .deployment_id
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 196f849..7a17953 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,7 +4,10 @@ repos:
     rev: v4.4.0
     hooks:
       - id: end-of-file-fixer
+        exclude: rhel[89]STIG/.*$
+
       - id: trailing-whitespace
+        exclude: rhel[89]STIG/.*$
       - id: check-yaml
         exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
@@ -26,4 +29,5 @@ repos:
     rev: 23.11.0
     hooks:
       - id: black
+        exclude: rhel[89]STIG/.*$
 ...
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py
index 5474b83..cfff078 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py
@@ -1,5 +1,4 @@
-from __future__ import absolute_import, division, print_function
-
+from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 from ansible.plugins.callback import CallbackBase
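Review bot: The new `exclude: rhel[89]STIG/.*$` matches every path under both role directories, including the hand-maintained `rhel8STIG/callback_plugins/stig_xml.py` listed in the diffstat, so black and the whitespace fixers stop covering that Python file — which appears to be why the stig_xml.py hunk below reverts black's double-quote formatting. If the roles are vendored verbatim from a generator that is a reasonable choice, but it deserves a comment next to the first exclude, e.g. `# rhel[89]STIG roles are vendored as generated; do not reformat them`; if only the generated YAML/XML is meant to be skipped, narrow the pattern to `rhel[89]STIG/(defaults|tasks|handlers|files)/`. pre-commit matches `exclude` as an unanchored search, so the trailing `.*$` adds nothing and `rhel[89]STIG/` alone reads more clearly.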
@@ -12,82 +11,76 @@ import os
 import xml.etree.ElementTree as ET
 import xml.dom.minidom
-
 class CallbackModule(CallbackBase):
     CALLBACK_VERSION = 2.0
-    CALLBACK_TYPE = "xml"
-    CALLBACK_NAME = "stig_xml"
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
     CALLBACK_NEEDS_WHITELIST = True
     def _get_STIG_path(self):
-        cwd = os.path.abspath(".")
+        cwd = os.path.abspath('.')
         for dirpath, dirs, files in os.walk(cwd):
-            if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
                 return os.path.join(cwd, dirpath, files[0])
     def __init__(self):
         super(CallbackModule, self).__init__()
         self.rules = {}
-        self.stig_path = os.environ.get("STIG_PATH")
-        self.XML_path = os.environ.get("XML_PATH")
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
         if self.stig_path is None:
             self.stig_path = self._get_STIG_path()
-            self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+            self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
         if self.XML_path is None:
             self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
-            self._display.display("Using XML_PATH: {}".format(self.XML_path))
+            self._display.display('Using XML_PATH: {}'.format(self.XML_path))
         print("Writing: {}".format(self.XML_path))
         STIG_name = os.path.basename(self.stig_path)
-        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
-        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
-        self.tr.set(
-            "id",
-            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
-        )
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
         endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
-        self.tr.set("end-time", endtime)
-        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
         tg.text = platform.node()
     def _get_rev(self, nid):
-        with open(self.stig_path, "r") as f:
-            r = "SV-{}r(?P\d+)_rule".format(nid)
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P\d+)_rule'.format(nid)
             m = re.search(r, f.read())
         if m:
-            rev = m.group("rev")
+            rev = m.group('rev')
         else:
-            rev = "0"
+            rev = '0'
         return rev
     def v2_runner_on_ok(self, result):
         name = result._task.get_name()
-        m = re.search("stigrule_(?P\d+)", name)
+        m = re.search('stigrule_(?P\d+)', name)
         if m:
-            nid = m.group("id")
+            nid = m.group('id')
         else:
             return
         rev = self._get_rev(nid)
         key = "{}r{}".format(nid, rev)
-        if self.rules.get(key, "Unknown") != False:
+        if self.rules.get(key, 'Unknown') != False:
             self.rules[key] = result.is_changed()
     def v2_playbook_on_stats(self, stats):
         for rule, changed in self.rules.items():
-            state = "fail" if changed else "pass"
-            rr = ET.SubElement(
-                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
-            )
-            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
-            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
             rs.text = state
         passing = len(self.rules) - sum(self.rules.values())
-        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
-        sc.set("maximum", str(len(self.rules)))
-        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
         sc.text = str(passing)
-        with open(self.XML_path, "wb") as f:
+        with open(self.XML_path, 'wb') as f:
             out = ET.tostring(self.tr)
-            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
             f.write(pretty)
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
index f11ea09..994d04b 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
@@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
 rhel8STIG_stigrule_230348_Manage: True
 rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
 rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
-# R-230349 RHEL-08-020041
-rhel8STIG_stigrule_230349_Manage: True
-rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
 # R-230395 RHEL-08-030063
 rhel8STIG_stigrule_230395_Manage: True
 rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
-# R-230396 RHEL-08-030070
-rhel8STIG_stigrule_230396_Manage: True
-rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
 # R-230398 RHEL-08-030090
 # A duplicate of 230396
 # duplicate of 230396
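Review bot: `_get_STIG_path` still discovers the benchmark by walking from the current working directory and returning the first `files/` directory whose first entry contains `.xml`, and this commit makes that ambiguous: the diffstat adds `rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml` next to the RHEL 8 one, so a run launched from the collection root can hand this callback the wrong benchmark, after which `_get_rev` finds no matching rule id and silently records revision `'0'` for every rule; `files[0]` also raises IndexError for any file-less directory the walk visits. Anchoring the lookup to the plugin's own `../files` directory removes both problems (sketch below). In `v2_runner_on_ok`, `if self.rules.get(key, 'Unknown') != False:` makes a recorded `pass` sticky while a later changed task for the same rule is dropped, so a multi-task rule can be reported `pass` after one of its tasks changed; if a changed task is meant to mark the rule failed, `self.rules[key] = self.rules.get(key, False) or result.is_changed()` is the sticky-fail form. The patterns `'SV-{}r(?P\d+)_rule'` and `'stigrule_(?P\d+)'` should be raw strings (`r'...'`), since `\d` in a plain literal is an invalid escape that newer Pythons warn about. Only `v2_runner_on_ok` is implemented in this hunk, so a rule whose task fails or is skipped never enters `self.rules` and vanishes from the TestResult (shrinking `maximum`) instead of surfacing as a finding.
```python
    def _get_STIG_path(self):
        # Look only in this role's own files/ directory so the rhel8 and rhel9
        # callbacks cannot pick up each other's benchmark.
        files_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'files')
        for name in sorted(os.listdir(files_dir)):
            if name.endswith('.xml'):
                return os.path.join(files_dir, name)
    # … unchanged: __init__, _get_rev, v2_runner_on_ok, v2_playbook_on_stats …
```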
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
 # R-244554 RHEL-08-040286
 rhel8STIG_stigrule_244554_Manage: True
 rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
similarity index 84%
rename from collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
rename to collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
index 31c877d..78a900c 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 26 Jan 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>