Updated versions of compliance-related roles (#170)

collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py

@@ -1,5 +1,4 @@
-from __future__ import absolute_import, division, print_function
-
+from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
 from ansible.plugins.callback import CallbackBase
@@ -12,82 +11,76 @@ import os
 import xml.etree.ElementTree as ET
 import xml.dom.minidom
 
-
 class CallbackModule(CallbackBase):
     CALLBACK_VERSION = 2.0
-    CALLBACK_TYPE = "xml"
-    CALLBACK_NAME = "stig_xml"
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
 
     CALLBACK_NEEDS_WHITELIST = True
 
     def _get_STIG_path(self):
-        cwd = os.path.abspath(".")
+        cwd = os.path.abspath('.')
         for dirpath, dirs, files in os.walk(cwd):
-            if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
                 return os.path.join(cwd, dirpath, files[0])
 
     def __init__(self):
         super(CallbackModule, self).__init__()
         self.rules = {}
-        self.stig_path = os.environ.get("STIG_PATH")
-        self.XML_path = os.environ.get("XML_PATH")
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
         if self.stig_path is None:
             self.stig_path = self._get_STIG_path()
-        self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
         if self.XML_path is None:
             self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
-        self._display.display("Using XML_PATH: {}".format(self.XML_path))
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
 
         print("Writing: {}".format(self.XML_path))
         STIG_name = os.path.basename(self.stig_path)
-        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
-        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
-        self.tr.set(
-            "id",
-            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
-        )
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
         endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
-        self.tr.set("end-time", endtime)
-        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
         tg.text = platform.node()
 
     def _get_rev(self, nid):
-        with open(self.stig_path, "r") as f:
-            r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
             m = re.search(r, f.read())
         if m:
-            rev = m.group("rev")
+            rev = m.group('rev')
         else:
-            rev = "0"
+            rev = '0'
         return rev
 
     def v2_runner_on_ok(self, result):
         name = result._task.get_name()
-        m = re.search("stigrule_(?P<id>\d+)", name)
+        m = re.search('stigrule_(?P<id>\d+)', name)
         if m:
-            nid = m.group("id")
+            nid = m.group('id')
         else:
             return
         rev = self._get_rev(nid)
         key = "{}r{}".format(nid, rev)
-        if self.rules.get(key, "Unknown") != False:
+        if self.rules.get(key, 'Unknown') != False:
             self.rules[key] = result.is_changed()
 
     def v2_playbook_on_stats(self, stats):
         for rule, changed in self.rules.items():
-            state = "fail" if changed else "pass"
-            rr = ET.SubElement(
-                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
-            )
-            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
-            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
             rs.text = state
         passing = len(self.rules) - sum(self.rules.values())
-        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
-        sc.set("maximum", str(len(self.rules)))
-        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
         sc.text = str(passing)
-        with open(self.XML_path, "wb") as f:
+        with open(self.XML_path, 'wb') as f:
             out = ET.tostring(self.tr)
-            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
             f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml

@@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
 rhel8STIG_stigrule_230348_Manage: True
 rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
 rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
-# R-230349 RHEL-08-020041
-rhel8STIG_stigrule_230349_Manage: True
-rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
 # R-230352 RHEL-08-020060
 rhel8STIG_stigrule_230352_Manage: True
 rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
 # R-230395 RHEL-08-030063
 rhel8STIG_stigrule_230395_Manage: True
 rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
-# R-230396 RHEL-08-030070
-rhel8STIG_stigrule_230396_Manage: True
-rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
 # R-230398 RHEL-08-030090
 # A duplicate of 230396
 # duplicate of 230396
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
 # R-244554 RHEL-08-040286
 rhel8STIG_stigrule_244554_Manage: True
 rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed

collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml

@@ -4,7 +4,7 @@
 - name: stigrule_230225_banner
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)banner\s+'
+    regexp: '(?i)^\s*banner\s+'
     line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
   notify: ssh_restart
   when:
@@ -82,7 +82,7 @@
 - name: stigrule_230244_ClientAliveCountMax
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)ClientAliveCountMax\s+'
+    regexp: '(?i)^\s*ClientAliveCountMax\s+'
     line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
   notify: ssh_restart
   when:
@@ -249,7 +249,7 @@
 - name: stigrule_230288_StrictModes
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)StrictModes\s+'
+    regexp: '(?i)^\s*StrictModes\s+'
     line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
   notify: ssh_restart
   when:
@@ -259,7 +259,7 @@
 - name: stigrule_230290_IgnoreUserKnownHosts
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
+    regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
     line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
   notify: ssh_restart
   when:
@@ -269,7 +269,7 @@
 - name: stigrule_230291_KerberosAuthentication
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)KerberosAuthentication\s+'
+    regexp: '(?i)^\s*KerberosAuthentication\s+'
     line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
   notify: ssh_restart
   when:
@@ -279,7 +279,7 @@
 - name: stigrule_230296_PermitRootLogin
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PermitRootLogin\s+'
+    regexp: '(?i)^\s*PermitRootLogin\s+'
     line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
   notify: ssh_restart
   when:
@@ -395,7 +395,7 @@
 - name: stigrule_230330_PermitUserEnvironment
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PermitUserEnvironment\s+'
+    regexp: '(?i)^\s*PermitUserEnvironment\s+'
     line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
   notify: ssh_restart
   when:
@@ -436,14 +436,6 @@
     create: yes
   when:
     - rhel8STIG_stigrule_230348_Manage
-# R-230349 RHEL-08-020041
-- name: stigrule_230349__etc_bashrc
-  lineinfile:
-    path: /etc/bashrc
-    line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
-    create: yes
-  when:
-    - rhel8STIG_stigrule_230349_Manage
 # R-230352 RHEL-08-020060
 - name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
   ini_file:
@@ -602,7 +594,7 @@
 - name: stigrule_230382_PrintLastLog
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)PrintLastLog\s+'
+    regexp: '(?i)^\s*PrintLastLog\s+'
     line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
   notify: ssh_restart
   when:
@@ -726,16 +718,6 @@
   notify: auditd_restart
   when:
     - rhel8STIG_stigrule_230395_Manage
-# R-230396 RHEL-08-030070
-- name: stigrule_230396__etc_audit_auditd_conf
-  lineinfile:
-    path: /etc/audit/auditd.conf
-    regexp: '^log_group = '
-    line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
-    create: yes
-  notify: auditd_restart
-  when:
-    - rhel8STIG_stigrule_230396_Manage
 # R-230402 RHEL-08-030121
 - name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
   lineinfile:
@@ -1348,7 +1330,7 @@
 - name: stigrule_230527_RekeyLimit
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)RekeyLimit\s+'
+    regexp: '(?i)^\s*RekeyLimit\s+'
     line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
   notify: ssh_restart
   when:
@@ -1569,7 +1551,7 @@
 - name: stigrule_230555_X11Forwarding
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)X11Forwarding\s+'
+    regexp: '(?i)^\s*X11Forwarding\s+'
     line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
   notify: ssh_restart
   when:
@@ -1579,7 +1561,7 @@
 - name: stigrule_230556_X11UseLocalhost
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)X11UseLocalhost\s+'
+    regexp: '(?i)^\s*X11UseLocalhost\s+'
     line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
   notify: ssh_restart
   when:
@@ -1635,7 +1617,7 @@
 - name: stigrule_244525_ClientAliveInterval
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)ClientAliveInterval\s+'
+    regexp: '(?i)^\s*ClientAliveInterval\s+'
     line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
   notify: ssh_restart
   when:
@@ -1651,7 +1633,7 @@
 - name: stigrule_244528_GSSAPIAuthentication
   lineinfile:
     path: /etc/ssh/sshd_config
-    regexp: '^\s*(?i)GSSAPIAuthentication\s+'
+    regexp: '(?i)^\s*GSSAPIAuthentication\s+'
     line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
   notify: ssh_restart
   when:
@@ -1798,3 +1780,9 @@
     create: yes
   when:
     - rhel8STIG_stigrule_244554_Manage
+# R-256974 RHEL-08-010358
+- name: stigrule_256974_mailx
+  yum:
+    name: mailx
+    state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
+  when: rhel8STIG_stigrule_256974_Manage

collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,86 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath('.')
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group('rev')
+        else:
+            rev = '0'
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search('stigrule_(?P<id>\d+)', name)
+        if m:
+            nid = m.group('id')
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, 'Unknown') != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
+        sc.text = str(passing)
+        with open(self.XML_path, 'wb') as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml

@@ -0,0 +1,30 @@
+- name: dconf_update
+  command: dconf update
+- name: auditd_restart
+  command: /usr/sbin/service auditd restart
+- name: ssh_restart
+  service:
+    name: sshd
+    state: restarted
+- name: rsyslog_restart
+  service:
+    name: rsyslog
+    state: restarted
+- name: sysctl_load_settings
+  command: sysctl --system
+- name: daemon_reload
+  systemd:
+    daemon_reload: true
+- name: networkmanager_reload
+  service:
+    name: NetworkManager
+    state: reloaded
+- name: logind_restart
+  service:
+    name: systemd-logind
+    state: restarted
+- name: with_faillock_enable
+  command: authselect enable-feature with-faillock
+- name: do_reboot
+  reboot:
+    pre_reboot_delay: 60