Fix ci (#269)

Co-authored-by: Matthew Fernandez <l3acon@users.noreply.github.com>

.ansible-lint

@@ -0,0 +1,19 @@
+---
+profile: production
+offline: true
+
+skip_list:
+  - "galaxy[no-changelog]"
+
+warn_list:
+  # seems to be a bug, see https://github.com/ansible/ansible-lint/issues/4172
+  - "fqcn[canonical]"
+  # @matferna: really not sure why lint thinks it can't find jmespath, it is installed and functional
+  - "jinja[invalid]"
+
+exclude_paths:
+  # would be better to move the roles here to the top-level roles directory
+  - collections/ansible_collections/demo/compliance/roles/
+  - roles/redhatofficial.*
+  - .github/
+  - execution_environments/ee_contexts/

.devfile.yaml

@@ -0,0 +1,13 @@
+---
+schemaVersion: 2.2.0
+metadata:
+  name: product-demos
+components:
+  - name: product-demos-ee
+    container:
+      image: quay.io/mloriedo/ansible-creator-ee:latest  # workaround for https://github.com/eclipse/che/issues/21778
+      memoryRequest: 256M
+      memoryLimit: 5Gi
+      cpuRequest: 250m
+      cpuLimit: 2000m
+      args: ['tail', '-f', '/dev/null']

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -1,18 +0,0 @@
----
-name: Cat Lady Membership Application
-description: Tell us what qualifies you to be a registered cat fancier.
-body:
-- type: textarea
-  attributes:
-    label: Your favorite cat
-    placeholder: "Examples: Garfield, Maru, Mr. Mistoffolees"
-  validations:
-    required: true
-- type: dropdown
-  attributes:
-    label: How many rooms in your house are dedicated to cats?
-    options:
-    - 1
-    - 2
-    - All of them
-issue_body: false

.github/workflows/README.md

@@ -0,0 +1,25 @@
+# GitHub Actions
+## Background
+We want to make attempts to run our integration tests in the same manner wether using GitHub actions or on a developers's machine locally. For this reason, the tests are curated to run using container images. As of this writing, two images exist which we would like to test against:
+  - quay.io/ansible-product-demos/apd-ee-24:latest
+  - quay.io/ansible-product-demos/apd-ee-25:latest
+
+These images are built given the structure defined in their respective EE [definitions][../execution_environments]. Because they differ (mainly due to their python versions), each gets some special handling.
+
+## Troubleshooting GitHub Actions
+
+### Interactive
+It is likely the most straight-forward approach to interactively debug issues. The following podman command can be run from the project root directory to replicate the GitHub action:
+```
+podman run \
+           --user root  \
+           -v $(pwd):/runner:Z \
+           -it \
+           <image> \
+           /bin/bash
+```
+`<image>` is one of `quay.io/ansible-product-demos/apd-ee-25:latest`, `quay.io/ansible-product-demos/apd-ee-24:latest`
+It is not exact because GitHub seems to run closer to a sidecar container paradigm, and uses docker instead of podman, but hopefully it's close enough.
+
+For the 24 EE, the python interpreriter verions is set for our pre-commit script like so: `USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh`
+The 25 EE is similary run but without the need for this variable: `./.github/workflows/run-pc.sh`

.github/workflows/pre-commit.yml

@@ -0,0 +1,17 @@
+---
+name: pre-commit
+on:
+ - push
+ - pull_request_target
+
+jobs:
+  pre-commit-25:
+    container:
+      image: quay.io/ansible-product-demos/apd-ee-25
+      options: --user root
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - run: ./.github/workflows/run-pc.sh
+      shell: bash
+

.github/workflows/release.yml

@@ -0,0 +1,41 @@
+---
+name: release
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*.*.*"
+
+  workflow_run:
+    workflows: ["pre-commit"]
+    types:
+      - completed
+
+jobs:
+  release:
+    name: Release Job
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install go (required for Changelog parsing)
+        uses: actions/setup-go@v4
+
+      - name: Parse CHANGELOG.md
+        run: |
+          GO111MODULE=on go install github.com/rcmachado/changelog@0.7.0
+          changelog show "$GITHUB_REF_NAME" > ${{ github.workspace }}-CHANGELOG.txt
+          echo "Release note for $GITHUB_REF_NAME :"
+          cat ${{ github.workspace }}-CHANGELOG.txt
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: ${{ github.workspace }}-CHANGELOG.txt
+          files: |
+            LICENSE
+            CHANGELOG.md

.github/workflows/run-pc.sh

@@ -0,0 +1,25 @@
+#!/bin/bash -x
+
+# should no longer need this
+#dnf install git-lfs -y
+
+PYTHON_VARIANT="${USE_PYTHON:-python3.11}"
+PATH="$PATH:$HOME/.local/bin"
+
+# intsall pip
+eval "${PYTHON_VARIANT} -m pip install --user --upgrade pip"
+
+# try to fix 2.4 incompatibility 
+eval "${PYTHON_VARIANT} -m pip install --user --upgrade setuptools wheel twine check-wheel-contents"
+
+# intsall pre-commit
+eval "${PYTHON_VARIANT} -m pip install --user pre-commit"
+
+# view pip packages
+eval "${PYTHON_VARIANT} -m pip freeze --local"
+
+# fix permissions on directory
+git config --global --add safe.directory $(pwd)
+
+# run pre-commit
+pre-commit run --config $(pwd)/.pre-commit-gh.yml --show-diff-on-failure --color=always 

.gitignore

@@ -1,4 +1,4 @@
-
+ansible-navigator.log
 sean_login_info.yml
 .DS_Store
 choose_demo.yml
@@ -6,3 +6,11 @@ choose_demo_example_azure.yml
 choose_demo_example_aws.yml
 .ansible.cfg
 *.gz
+*artifact*.json
+roles/*
+!roles/requirements.yml
+.deployment_id
+.cache/
+.ansible/
+**/tmp/
+execution_environments/context/

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: rhel[89]STIG/.*$
+
+      - id: check-yaml
+        exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
+        args: [--unsafe]   # see https://github.com/pre-commit/pre-commit-hooks/issues/273
+
+      - id: check-toml
+      - id: check-json
+      - id: check-symlinks
+
+  - repo: local
+    hooks:
+      - id: ansible-lint
+        name: ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25:latest --mode stdout
+        language: python
+        entry: bash -c "ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25 -v --force-color --mode stdout"
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 23.11.0
+    hooks:
+      - id: black
+        exclude: rhel[89]STIG/.*$
+...

.pre-commit-gh.yml

@@ -0,0 +1,30 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: rhel[89]STIG/.*$
+
+      - id: check-yaml
+        exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
+        args: [--unsafe]   # see https://github.com/pre-commit/pre-commit-hooks/issues/273
+
+      - id: check-toml
+      - id: check-json
+      - id: check-symlinks
+
+  - repo: https://github.com/ansible/ansible-lint.git
+    # get latest release tag from https://github.com/ansible/ansible-lint/releases/
+    rev: v25.7.0
+    hooks:
+      - id: ansible-lint
+        additional_dependencies:
+          - jmespath
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 23.11.0
+    hooks:
+      - id: black
+        exclude: rhel[89]STIG/.*$
+...

.vscode/extensions.json

@@ -0,0 +1,7 @@
+{
+    "recommendations": [
+        "redhat.vscode-yaml",
+        "redhat.ansible",
+        "ms-python.black-formatter"
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "editor.renderWhitespace": "all"
+}

.yamllint

@@ -0,0 +1,19 @@
+---
+extends: default
+
+rules:
+  line-length: disable
+  trailing-spaces: enable
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: -1
+  indentation:
+    level: error
+    indent-sequences: true  # consistent with ansible-lint
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+
+...

CONTRIBUTING.md

@@ -0,0 +1,72 @@
+# Contribution Guidelines
+This document aims to outline the requirements for the various forms of contribution for this project.
+
+## Project Architecture
+
+![project-architecture](.github/images/project-architecture.png)
+
+## Pull Requests
+
+**ALL** contributions are subject to review via pull request
+
+### Pull Requests
+1) Ensure the "base repository" is set to "ansible/product-demos".
+
+#### Pull Request Guidelines
+- PRs should include the playbook/demo and required entry in corresponding `<demo>/setup.yml`.
+- PRs should include documentation in corresponding `<demo>/README.md`.
+- PRs should be rebased against the `main` branch to avoid conflicts.
+- PRs should not impact more than a single directory/demo section.
+- PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
+- PR titles should describe the work done in the PR.  Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
+
+## Adding a New Demo
+1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
+2) Add your playbook to the appropriate demo/section subdirectory.
+3) Make any changes needed to match the existing standards in the directory.
+   1) Ex: Parameterized hosts
+   ```ansible
+   hosts: "{{ _hosts | default('windows') }}"
+   ```
+4) Create an entry for your playbook in your subdirectories `setup.yml`
+   1) You can copy paste an existing one and edit it.
+   2) Ensure you edit the name, playbook path, survey etc.
+5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
+6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
+
+> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
+
+## New Demo Section/Category
+1) Create a new subdirectory with no spaces
+2) Create a new setup.yml copying appropriate elements from another
+   - Below is a sample skeleton for a new setup.yml
+    ```ansible
+    ---
+    user_message: ''
+
+    controller_templates:
+    ...
+    ```
+   - Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
+   - Add variables for each component listed
+3) Include a README.md in the subdirectory
+
+## Testing
+
+We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI.
+
+To install pre-commit, use the following commands:
+```bash
+pip install pre-commit
+pre-commit install
+```
+
+For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation).
+
+To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token).
+
+Copy the token value and execute the following command:
+
+```bash
+export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
+```

README.md

@@ -1,268 +1,35 @@
-# Official Ansible Product Demos
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
+[![Dev Spaces](https://img.shields.io/badge/Customize%20Here-0078d7.svg?style=for-the-badge&logo=visual-studio-code&logoColor=white)](https://workspaces.openshift.com/f?url=https://github.com/ansible/product-demos)
 
-This repo currently under construction and working on a minimal viable demo for testing purposes
+# APD - Ansible Product Demos
 
-# Table of contents
+The Ansible Product Demos (APD) project is a set of Ansible demos that are deployed using [Red Hat Ansible Automation Platform](https://www.redhat.com/en/technologies/management/ansible).  It uses configuraton-as-code to create AAP resources such as projects, templates, and credentials that form the basis for demonstrating automation use cases in several technology domains:
 
-   * [How to use](#how-to-use)
-      * [1. Provide login information and choose demo](#1-provide-login-information-and-choose-demo)
-      * [2. Run Ansible Playbook](#2-run-ansible-playbook)
-   * [Demo Repository](#demo-repository)
-      * [Infrastructure Demos](#infrastructure-demos)
-      * [Network Demos](#network-demos)
-      * [Security Demos](#security-demos)
-      * [Developer Demos](#developer-demos)
-   * [Contribute](#contribute)
-   * [Notes](#notes)
+| Demo Name | Description |
+|-----------|-------------|
+| [Linux](linux/README.md) | Repository of demos for RHEL and Linux automation |
+| [Windows](windows/README.md) | Repository of demos for Windows Server automation |
+| [Cloud](cloud/README.md) | Demo for infrastructure and cloud provisioning automation |
+| [Network](network/README.md) | Network automation demos |
+| [OpenShift](openshift/README.md) | OpenShift automation demos |
+| [Satellite](satellite/README.md) | Demos of automation with Red Hat Satellite Server |
 
-# How to use
+## Using this project
 
-## 1. Provide login information and choose demo
+Use the [APD bootstrap](https://github.com/ansible/product-demos-bootstrap) repo to add APD to an existing Ansible Automation Platform deployment.  The bootstrap repo provides the initial manual prerequisite steps as well as a playbook for adding APD to the existing deployment.
 
-  - Modify the `choose_demo.yml` file that is included in this repo with the username, password and IP address (or DNS name) of your Ansible Tower
-  - Choose the demo name you want from the table below (or choose `all`)
+For Red Hat associates and partners, there is an Ansible Product Demos catalog item [available on demo.redhat.com](https://red.ht/apd-sandbox) (account required).
 
-## 2. Run Ansible Playbook
+## Bring Your Own Demo
 
-```
-ansible-playbook playbooks/install_demo.yml -e @choose_demo.yml
-```
+Can't find what you're looking for? Customize this repo to make it your own.
 
-# Demo Repository
+1. Create a fork of this repo.
+2. Update the URL of the `Ansible Project Demos` project your Ansible Automation Platform controller.
+3. Make changes to your fork as needed and run the **Product Demos | Single demo setup** job
 
-This repository currently holds 21 demos.
+See the [contributing guide](CONTRIBUTING.md) for more details on how to customize the project.
 
-## Infrastructure Demos
-<table>
-  <tr>
-    <th>Demo Name</th>
-    <th>Author</th>
-    <th>install_demo.yml value</th>
-    <th>Description</th>
-    <th>Video Walkthrough</th>
-    <th>Workshop Types</th>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/azure_provision_vm.md">INFRASTRUCTURE / Azure create a MySQL Server</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: azure_mysql_server</pre></td>
-    <td>Provision MySQL server on Azure with Ansible Tower Survey and Environmental variables</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/azure_provision_vm.md">INFRASTRUCTURE / Azure Provision VM</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: azure_provision_vm</pre></td>
-    <td>Provision RHEL VM on Azure with Ansible Tower Survey and Environmental variables</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/chocolatey_app_install.md">INFRASTRUCTURE / Chocolatey App Install</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: chocolatey_app_install</pre></td>
-    <td>Install various application packages using Chocolatey from a survey</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/chocolatey_config.md">INFRASTRUCTURE / Chocolatey Config</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: chocolatey_config</pre></td>
-    <td>Configure Chocolatey parameters that require not just enabling but adding values</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/chocolatey_features.md">INFRASTRUCTURE / Chocolatey Features Config</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: chocolatey_features</pre></td>
-    <td>Enable or disable various Chocolatey features</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/deploy_application.md">INFRASTRUCTURE / Deploy Application</a></td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: deploy_application</pre></td>
-    <td>install yum applications on Linux with a survey</td>
-    <td><a href="https://www.youtube.com/watch?v=pU8ZgSBuEJw&list=PLdu06OJoEf2bp-PNtxPP_2n7Avkax8TED">Video Link</a></td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Fact Scan</td>
-    <td>Will Tome</td>
-    <td><pre>demo: fact_scan</pre></td>
-    <td>scan facts for Linux and Windows systems</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>windows</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Gather Debug Info</td>
-    <td>Will Tome</td>
-    <td><pre>demo: debug_info</pre></td>
-    <td>provide info for memory and CPU usage for specified systems</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Grant Sudo</td>
-    <td>Will Tome</td>
-    <td><pre>demo: grant_sudo</pre></td>
-    <td>grant sudo privledges for specified time via survey</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Patching</td>
-    <td>Will Tome</td>
-    <td><pre>demo: patching</pre></td>
-    <td>patching for Linux servers</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Red Hat Insights</td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: insights</pre></td>
-    <td>install and configure Red Hat Insights</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Security Patching</td>
-    <td>Will Tome</td>
-    <td><pre>demo: security_patching</pre></td>
-    <td>upgrade all yum packages for security related except kernel</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>INFRASTRUCTURE / Turn off IBM Community Grid</td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: turn_off_community_grid</pre></td>
-    <td>this role turns off IBM Community Grid boinc-client</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td><a href="https://github.com/ansible/product-demos/blob/master/docs/infrastructure/windows_regedit_legal_notice.md">INFRASTRUCTURE / Windows regedit legal notice</a></td>
-    <td>David Rojas</td>
-    <td><pre>demo: windows_regedit_legal_notice</pre></td>
-    <td>using regedit modify the legal notice</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>SERVER / Windows IIS Server</td>
-    <td>Colin McNaughton</td>
-    <td><pre>demo: windows_iis</pre></td>
-    <td>install webserver on Windows Server with a survey</td>
-    <td>Not available </td>
-    <td><ul><li>windows</li><li>demo</li></ul></td>
-  </tr>
-</table>
+---
 
-## Network Demos
-
-<table>
-  <tr>
-    <th>Demo Name</th>
-    <th>Author</th>
-    <th>install_demo.yml value</th>
-    <th>Description</th>
-    <th>Video Walkthrough</th>
-    <th>Workshop Types</th>
-  </tr>
-  <tr>
-    <td>Cisco IOS logging config audit/remediation</td>
-    <td>Colin McCarthy</td>
-    <td><pre>demo: configlet_logging</pre></td>
-    <td>Cisco IOS logging config audit/remediation</td>
-    <td>Not available </td>
-    <td><ul><li>network</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>Cisco IOS ntp config audit/remediation</td>
-    <td>Colin McCarthy</td>
-    <td><pre>demo: configlet_ntp</pre></td>
-    <td>Cisco IOS ntp config audit/remediation</td>
-    <td>Not available </td>
-    <td><ul><li>network</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>NETWORK / WORKFLOW - F5 BIG-IP</td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: f5_bigip_workflow</pre></td>
-    <td>Workflow for F5 BIG-IP to setup a VIP (Virtual IP) load balancer between two RHEL webservers</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>demo</li></ul></td>
-  </tr>
-</table>
-
-## Security Demos
-
-<table>
-  <tr>
-    <th>Demo Name</th>
-    <th>Author</th>
-    <th>install_demo.yml value</th>
-    <th>Description</th>
-    <th>Video Walkthrough</th>
-    <th>Workshop Types</th>
-  </tr>
-  <tr>
-    <td>SECURITY / Create Openscap Report</td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: openscap</pre></td>
-    <td>Create HTML report using SCAP Security Guide (SSG)</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-  <tr>
-    <td>SECURITY / Hardening</td>
-    <td>Will Tome</td>
-    <td><pre>demo: hardening</pre></td>
-    <td>hardening for Linux servers</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-</table>
-
-## Developer Demos
-
-<table>
-  <tr>
-    <th>Demo Name</th>
-    <th>Author</th>
-    <th>install_demo.yml value</th>
-    <th>Description</th>
-    <th>Video Walkthrough</th>
-    <th>Workshop Types</th>
-  </tr>
-  <tr>
-    <td>DEVELOPER / Create Developer Report</td>
-    <td>Sean Cavanaugh</td>
-    <td><pre>demo: developer_report</pre></td>
-    <td>'Create HTML report using <a href="https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variables-discovered-from-systems-facts">Ansible facts</a>'
-</td>
-    <td>Not available </td>
-    <td><ul><li>f5</li><li>rhel</li><li>rhel_90</li><li>demo</li></ul></td>
-  </tr>
-</table>
-
-
-# Contribute
-
-please refer to the [contribute.md](docs/contribute.md) documentation included in this collection.
-
-# Notes
-
-This README.md was auto-generated by Ansible user **colin** on **2020-12-09** with Ansible version **2.9.13.post0**
-
-To generate a README.md, execute the following command
-
-```
-ansible-playbook playbooks/generate_readme.yml
-```
+[Privacy statement](https://www.redhat.com/en/about/privacy-policy) | [Terms of use](https://www.redhat.com/en/about/terms-use) | [Security disclosure](https://www.ansible.com/security?hsLang=en-us) | [All policies and guidelines](https://www.redhat.com/en/about/all-policies-guidelines)

ansible.cfg

@@ -0,0 +1,20 @@
+[defaults]
+collections_path=./collections:/usr/share/ansible/collections
+roles_path=./roles
+
+[galaxy]
+server_list = certified,validated,galaxy
+
+[galaxy_server.certified]
+# Grab a token at https://console.redhat.com/ansible/automation-hub/token
+# Then define it in the ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN environment variable
+url=https://console.redhat.com/api/automation-hub/content/published/
+auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+
+[galaxy_server.validated]
+# Define the token in the ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN environment variable
+url=https://console.redhat.com/api/automation-hub/content/validated/
+auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+
+[galaxy_server.galaxy]
+url=https://galaxy.ansible.com/

choose_demo.yml

@@ -1,29 +0,0 @@
----
-## example file for how to choose a demo
-## chose specific demo or choose all
-
-# SPECIFIC - example that installs just the deploy_application job template
-demo: developer_report
-
-# ALL - example that installs all demos
-# demo: all
-
-## Ansible Tower login infomation
-my_tower_username: colin
-my_tower_password: mahalo
-my_tower_host: test.rhdemo.io
-workshop_type: rhel
-
-# leave as comments unless you are deploying an public cloud Demo. Possible values are aws or azure
-public_cloud: none
-#only uncomment these and supply values for setting up an Azure Cloud Demo which means public_cloud: azure above
-#these value below are fake sample values only
-#my_subscription: bb66f723-9eb9-405b-7889-2e722a5a5a45
-#my_tenant: bbe51e50-8759-5cc6-93f7-71985d8dbddf
-#my_client: 7e7d5fd3-c84b-b64c-ae96-cf474f4aa573
-#my_secret: K1S5~EqpmvG68i8ni9-b1hmn3~yROfHM_I 
-#only uncomment these and supply values for setting up an AWS Cloud Demo which means public_cloud: aws above
-#these value below are fake sample values only
-#my_access_key: kwjewk4h54jker
-#my_secret_key: wnwrl4nwwrh6srwo4rwher4
-

choose_demo_example_aws.yml

@@ -1,33 +0,0 @@
----
-## example file for how to choose a demo
-## chose specific demo or choose all
-
-# SPECIFIC - example that installs just the deploy_application job template
-demo: aws_provision_vm
-
-# ALL - example that installs all demos
-# demo: all
-
-## Ansible Tower login infomation
-my_tower_username: student1  
-my_tower_password: TnSynS1Re31ZAF
-my_tower_host: student1.cb8b.open.redhat.com
-workshop_type: windows
-
-# leave as comments unless you are deploying an public cloud Demo 
-public_cloud: aws
-#only uncomment these and supply values for setting up an Azure Cloud Demo which means public_cloud: azure above
-#these value below are fake sample values only
-#my_subscription: bb66f723-9eb9-405b-7889-2e722a5a5a45
-#my_tenant: bbe51e50-8759-5cc6-93f7-71985d8dbddf
-#my_client: 7e7d5fd3-c84b-b64c-ae96-cf474f4aa573
-#my_secret: K1S5~EqpmvG68i8ni9-b1hmn3~yROfHM_I 
-#only uncomment these and supply values for setting up an AWS Cloud Demo which means public_cloud: aws above
-#these value below are fake sample values only
-my_access_key: 345IAJUNULTMIXFDSDFGF
-my_secret_key: 567BqE+YAH7DFG4RGSSDFG5SGDFGSDGF4
-
-
-
- 
-

choose_demo_example_azure.yml

@@ -1,32 +0,0 @@
----
-## example file for how to choose a demo
-## chose specific demo or choose all
-
-# SPECIFIC - example that installs just the deploy_application job template
-demo: azure_provision_vm
-
-# ALL - example that installs all demos
-# demo: all
-
-## Ansible Tower login infomation
-my_tower_username: drojas  
-my_tower_password: zapata
-my_tower_host: test.rhdemo.io
-workshop_type: windows
-
-# leave as comments unless you are deploying an public cloud Demo. Possible values are aws or azure
-public_cloud: azure
-#only uncomment these and supply values for setting up an Azure Cloud Demo which means public_cloud: azure above
-#these value below are fake sample values only
-my_subscription: bb66f723-9eb9-405b-7889-2e722a5a5a45
-my_tenant: bbe51e50-8759-5cc6-93f7-71985d8dbddf
-my_client: 7e7d5fd3-c84b-b64c-ae96-cf474f4aa573
-my_secret: K1S5~EqpmvG68i8ni9-b1hmn3~yROfHM_I 
-#only uncomment these and supply values for setting up an AWS Cloud Demo which means public_cloud: aws above
-#these value below are fake sample values only
-#my_access_key: kwjewk4h54jker
-#my_secret_key: wnwrl4nwwrh6srwo4rwher4 
-
-
- 
-

cloud/README.md

@@ -0,0 +1,70 @@
+# Cloud Demos
+
+## Table of Contents
+- [Cloud Demos](#cloud-demos)
+  - [Table of Contents](#table-of-contents)
+  - [About These Demos](#about-these-demos)
+    - [Jobs](#jobs)
+    - [Inventory](#inventory)
+  - [Post Setup Setup](#post-setup-setup)
+    - [Configure Credentials](#configure-credentials)
+    - [Add Workshop Credential Password](#add-workshop-credential-password)
+    - [Remove Inventory Variables](#remove-inventory-variables)
+    - [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
+  - [Suggested Usage](#suggested-usage)
+  - [Known Issues](#known-issues)
+
+## About These Demos
+This category of demos shows examples of multi-cloud provisioning and management with Ansible Automation Platform. The list of demos can be found below. These demos are particularly helpful in building additional infrastructure for other demo categories such as Linux and Windows. See the [Suggested Usage](#suggested-usage) section of this document for recommendations on how to best use these demos.
+
+### Jobs
+
+- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
+- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
+- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
+- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider.  By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
+- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
+
+### Inventory
+
+A dynamic inventory is created to pull inventory hosts from cloud providers. The VM will be added by name therefore provisioning VMs with the same name will cause conflict in the inventory.
+
+Groups will be created based on the operating system (platform) of the VM provisioned as well as a group called `cloud_<cloud provider>`.
+
+## Post Setup Setup
+After running the setup job template, there are a few steps required to make the demos fully functional. See post setup actions below.
+
+   > These steps may differ if you in your environment
+
+### Configure Credentials
+
+- Add AWS Access and Secret key to the `AWS` Credential created by the setup job.
+
+### Add Workshop Credential Password
+
+1) Add a password that meets the [default complexity requirements](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference). This allows you to connect to Windows Servers provisioned with Create VM job. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
+
+### Remove Inventory Variables
+
+1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
+
+### Getting your Public Key for Create Keypair Job
+
+1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
+2) Open a Terminal Window in the VS Code Web Editor.
+3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
+4) `cat .ssh/authorized_keys` and copy the key listed including the  `ssh-rsa` prefix
+
+
+## Suggested Usage
+
+**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
+
+**Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`.  Host Pattern: `win*` )
+
+**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
+
+**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
+
+## Known Issues
+Azure does not work without a custom execution environment that includes the Azure dependencies.

cloud/aws_key.yml

@@ -0,0 +1,30 @@
+---
+- name: Create AWS keypair
+  hosts: localhost
+  vars:
+    aws_key_name: aws-test-key
+    aws_keypair_owner: undef
+
+  tasks:
+    - name: Fail if variables not defined
+      ansible.builtin.assert:
+        that:
+          - aws_key_name is defined
+          - create_vm_aws_region is defined
+          - aws_public_key is defined
+          - aws_keypair_owner is defined
+        fail_msg: "Required variables not set"
+
+    - name: Create AWS keypair
+      amazon.aws.ec2_key:
+        name: "{{ aws_key_name }}"
+        region: "{{ create_vm_aws_region }}"
+        key_material: "{{ aws_public_key }}"
+        state: present
+        tags:
+          owner: "{{ aws_keypair_owner }}"
+
+    - name: Set VPC stats
+      ansible.builtin.set_stats:
+        data:
+          stat_aws_key_pair: '{{ aws_key_name }}'

cloud/blueprints/al2023.yml

@@ -0,0 +1,6 @@
+---
+vm_providers:
+  - aws
+aws_instance_size: t3.micro
+aws_image_architecture: x86_64
+aws_image_filter: 'al2023-ami-2023*'

cloud/blueprints/rhel7.yml

@@ -0,0 +1,7 @@
+---
+vm_providers:
+  - aws
+aws_image_owners: 309956199498
+aws_instance_size: t2.medium
+aws_image_architecture: x86_64
+aws_image_filter: 'RHEL-7.9_HVM*'

cloud/blueprints/rhel8.yml

@@ -0,0 +1,7 @@
+---
+vm_providers:
+  - aws
+aws_image_owners: 309956199498
+aws_instance_size: t3.micro
+aws_image_architecture: x86_64
+aws_image_filter: 'RHEL-8*HVM-*Hourly*'

cloud/blueprints/rhel9.yml

@@ -0,0 +1,7 @@
+---
+vm_providers:
+  - aws
+aws_image_owners: 309956199498
+aws_instance_size: t3.micro
+aws_image_architecture: x86_64
+aws_image_filter: 'RHEL-9*HVM-*Hourly*'

cloud/blueprints/windows.yml

@@ -0,0 +1,14 @@
+---
+vm_blueprint_providers:
+  - aws
+  - azure
+aws_image_filter: 'Windows_Server-2019-English-Core-Base*'
+aws_instance_size: t3.medium
+aws_userdata_template: aws_windows_userdata
+az_vm_os_type: Windows
+az_vm_size: Standard_DS1_v2
+az_vm_image:
+  offer: WindowsServer
+  publisher: MicrosoftWindowsServer
+  sku: 2022-Datacenter
+  version: latest

cloud/blueprints/windows_core.yml

@@ -0,0 +1,6 @@
+---
+vm_blueprint_providers:
+ - aws
+aws_image_filter: 'Windows_Server-2019-English-Core-Base*'
+aws_instance_size: t3.medium
+aws_userdata_template: aws_windows_userdata

cloud/blueprints/windows_full.yml

@@ -0,0 +1,6 @@
+---
+vm_blueprint_providers:
+ - aws
+aws_image_filter: 'Windows_Server-2019-English-Full-Base*'
+aws_instance_size: t3.medium
+aws_userdata_template: aws_windows_userdata

cloud/create_vpc.yml

@@ -0,0 +1,156 @@
+---
+- name: Create Cloud Infra
+  hosts: localhost
+  gather_facts: false
+
+  vars:
+    aws_vpc_name: aws-test-vpc
+    aws_owner_tag: default
+    aws_purpose_tag: ansible_demo
+    aws_tenancy: default
+    aws_vpc_cidr_block: 10.0.0.0/16
+    aws_subnet_cidr: 10.0.1.0/24
+    aws_sg_name: aws-test-sg
+    aws_subnet_name: aws-test-subnet
+    aws_rt_name: aws-test-rt
+
+    # map of availability zones to use per region, added since not all
+    # instance types are available in all AZs.  must match the drop-down
+    # list for the create_vm_aws_region variable described in cloud/setup.yml
+    _azs:
+      us-east-1:
+        - us-east-1a
+        - us-east-1b
+        - us-east-1c
+      us-east-2:
+        - us-east-2a
+        - us-east-2b
+        - us-east-2c
+      us-west-1:
+        # us-west-1a not available when last checked 20250218
+        - us-west-1b
+        - us-west-1c
+      us-west-2:
+        - us-west-2a
+        - us-west-2b
+        - us-west-2c
+
+  tasks:
+    - name: Create VPC
+      amazon.aws.ec2_vpc_net:
+        state: present
+        name: "{{ aws_vpc_name }}"
+        cidr_block: "{{ aws_vpc_cidr_block }}"
+        tenancy: "{{ aws_tenancy }}"
+        region: "{{ create_vm_aws_region }}"
+        tags:
+          owner: "{{ aws_owner_tag }}"
+          purpose: "{{ aws_purpose_tag }}"
+      register: aws_vpc
+
+    - name: Create internet gateway
+      amazon.aws.ec2_vpc_igw:
+        state: present
+        vpc_id: "{{ aws_vpc.vpc.id }}"
+        region: "{{ create_vm_aws_region }}"
+        tags:
+          Name: "{{ aws_vpc_name }}"
+          owner: "{{ aws_owner_tag }}"
+          purpose: "{{ aws_purpose_tag }}"
+      register: aws_gateway
+
+    - name: Create security group internal
+      amazon.aws.ec2_security_group:
+        state: present
+        name: "{{ aws_sg_name }}"
+        region: "{{ create_vm_aws_region }}"
+        description: Inbound WinRM and RDP, http for demo servers and internal AD ports
+        rules:
+          - proto: tcp
+            ports:
+              - 80  # HTTP
+              - 443  # HTTPS
+              - 22  # SSH
+              - 5986  # WinRM
+              - 3389  # RDP
+              - 9090  # Cockpit
+            cidr_ip: 0.0.0.0/0
+          - proto: icmp
+            to_port: -1
+            from_port: -1
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            ports:
+              - 80  # HTTP
+              - 5986  # WinRM
+              - 3389  # RDP
+              - 53  # DNS
+              - 88  # Kerberos Authentication
+              - 135  # RPC
+              - 139  # Netlogon
+              - 389  # LDAP
+              - 445  # SMB
+              - 464  # Kerberos Authentication
+              - 5432  # PostgreSQL
+              - 636  # LDAPS (LDAP over TLS)
+              - 873  # Rsync
+              - 3268-3269  # Global Catalog
+              - 1024-65535  # Ephemeral RPC ports
+            cidr_ip: "{{ aws_vpc_cidr_block }}"
+          - proto: udp
+            ports:
+              - 53  # DNS
+              - 88  # Kerberos Authentication
+              - 123  # NTP
+              - 137-138  # Netlogon
+              - 389  # LDAP
+              - 445  # SMB
+              - 464  # Kerberos Authentication
+              - 1024-65535  # Ephemeral RPC ports
+            cidr_ip: "{{ aws_vpc_cidr_block }}"
+        rules_egress:
+          - proto: -1
+            cidr_ip: 0.0.0.0/0
+        vpc_id: "{{ aws_vpc.vpc.id }}"
+        tags:
+          Name: "{{ aws_sg_name }}"
+          owner: "{{ aws_owner_tag }}"
+          purpose: "{{ aws_purpose_tag }}"
+
+    - name: Create a subnet in the VPC
+      amazon.aws.ec2_vpc_subnet:
+        state: present
+        vpc_id: "{{ aws_vpc.vpc.id }}"
+        cidr: "{{ aws_subnet_cidr }}"
+        region: "{{ create_vm_aws_region }}"
+        az: "{{ _azs[create_vm_aws_region] | shuffle | first }}"
+        map_public: true
+        tags:
+          Name: "{{ aws_subnet_name }}"
+          owner: "{{ aws_owner_tag }}"
+          purpose: "{{ aws_purpose_tag }}"
+      register: aws_subnet
+
+    - name: Create a subnet route table
+      amazon.aws.ec2_vpc_route_table:
+        state: present
+        vpc_id: "{{ aws_vpc.vpc.id }}"
+        region: "{{ create_vm_aws_region }}"
+        subnets:
+          - "{{ aws_subnet.subnet.id }}"
+        routes:
+          - dest: 0.0.0.0/0
+            gateway_id: "{{ aws_gateway.gateway_id }}"
+        tags:
+          Name: "{{ aws_rt_name }}"
+          owner: "{{ aws_owner_tag }}"
+          purpose: "{{ aws_purpose_tag }}"
+
+    - name: Set VPC stats
+      ansible.builtin.set_stats:
+        data:
+          stat_aws_region: '{{ create_vm_aws_region }}'
+          stat_aws_vpc_id: '{{ aws_vpc.vpc.id }}'
+          stat_aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
+          stat_aws_subnet_id: '{{ aws_subnet.subnet.id }}'
+          stat_aws_subnet_cidr: '{{ aws_subnet_cidr }}'

cloud/display-ec2-stats.yml

@@ -0,0 +1,18 @@
+---
+- name: Display EC2 stats
+  hosts: localhost
+  gather_facts: false
+
+  tasks:
+    - name: Display stats for EC2 VPC and key pair
+      ansible.builtin.debug:
+        var: '{{ item }}'
+      loop:
+        - stat_aws_region
+        - stat_aws_key_pair
+        - stat_aws_vpc_id
+        - stat_aws_vpc_cidr
+        - stat_aws_subnet_id
+        - stat_aws_subnet_cidr
+
+...

cloud/resize_ec2.yml

@@ -0,0 +1,10 @@
+---
+- name: Resize ec2 instances
+  hosts: "{{ _hosts | default(omit) }}"
+  gather_facts: false
+
+  tasks:
+    - name: Include snapshot role
+      ansible.builtin.include_role:
+        name: "demo.cloud.aws"
+        tasks_from: resize_ec2

cloud/restore_ec2.yml

@@ -0,0 +1,10 @@
+---
+- name: Restore ec2 instance from snapshot
+  hosts: "{{ _hosts | default(omit) }}"
+  gather_facts: false
+
+  tasks:
+    - name: Include restore from snapshot role
+      ansible.builtin.include_role:
+        name: "demo.cloud.aws"
+        tasks_from: restore_vm

cloud/setup.yml

@@ -0,0 +1,394 @@
+---
+_deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
+
+user_message:
+
+controller_templates:
+  - name: Cloud / AWS / Create Peer Infrastructure
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/create_peer_network.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      aws_region: us-east-1
+      dmz_ssh_key_name: aws-test-key
+      priv_network_ssh_key_name: aws-test-key
+
+  - name: Cloud / AWS / Delete Peer Infrastructure
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/delete_peer_network.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      aws_region: us-east-1
+
+  - name: Cloud / AWS / Create Transit Infrastructure
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/create_transit_network.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      aws_region: us-east-1
+      dmz_ssh_key_name: aws-test-key
+      priv_network_ssh_key_name: aws-test-key
+
+  - name: Cloud / AWS / Delete Transit Infrastructure
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/delete_transit_network.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      aws_region: us-east-1
+
+  - name: Cloud / AWS / VPC Report
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud AWS Demos
+    playbook: playbooks/cloud_report.yml
+    inventory: Demo Inventory
+    execution_environment: Cloud Services Execution Environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
+      reports_aws_region: "us-east-1"
+
+  - name: Cloud / AWS / Tags Report
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Cloud Content Lab - AWS
+    playbook: playbooks/create_reports.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      aws_report: tags
+      reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: create_vm_aws_region
+          required: true
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+
+  - name: Cloud / AWS / Snapshot EC2
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Product Demos
+    playbook: cloud/snapshot_ec2.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: aws_region
+          required: true
+          default: us-east-1
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Specify target hosts
+          type: text
+          variable: _hosts
+          required: false
+
+  - name: Cloud / AWS / Restore EC2 from Snapshot
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Product Demos
+    playbook: cloud/restore_ec2.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: aws_region
+          required: true
+          default: us-east-1
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Specify target hosts
+          type: text
+          variable: _hosts
+          required: false
+
+  - name: Cloud / AWS / Display EC2 Stats
+    job_type: run
+    organization: Default
+    credentials:
+      - AWS
+    project: Ansible Product Demos
+    playbook: cloud/display-ec2-stats.yml
+    inventory: Demo Inventory
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+
+  - name: "LINUX / Patching"
+    job_type: check
+    inventory: "Demo Inventory"
+    project: "Ansible Product Demos"
+    playbook: "linux/patching.yml"
+    execution_environment: Default execution environment
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    use_fact_cache: true
+    ask_job_type_on_launch: true
+    credentials:
+      - "Demo Credential"
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: Server Name or Pattern
+          type: text
+          variable: _hosts
+          required: true
+
+controller_workflows:
+  - name: Deploy Cloud Stack in AWS
+    description: A workflow to deploy a cloud stack
+    organization: Default
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    extra_vars:
+      vm_deployment: cloud_stack
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: create_vm_aws_region
+          required: true
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Owner
+          type: text
+          variable: create_vm_aws_owner_tag
+          required: true
+        - question_name: Environment
+          type: multiplechoice
+          variable: vm_environment
+          required: true
+          choices:
+            - Dev
+            - QA
+            - Prod
+        - question_name: Keypair Public Key
+          type: textarea
+          variable: aws_public_key
+          required: true
+        - question_name: Email
+          type: text
+          variable: email
+          required: true
+    simplified_workflow_nodes:
+      - identifier: Create Keypair
+        unified_job_template: Cloud / AWS / Create Keypair
+        success_nodes:
+          - EC2 Stats
+        failure_nodes:
+          - Ticket - Keypair Failed
+      - identifier: Create VPC
+        unified_job_template: Cloud / AWS / Create VPC
+        success_nodes:
+          - EC2 Stats
+        failure_nodes:
+          - Ticket - VPC Failed
+      - identifier: Ticket - Keypair Failed
+        unified_job_template: 'SUBMIT FEEDBACK'
+        extra_data:
+          feedback: Failed to create AWS keypair
+      - identifier: EC2 Stats
+        unified_job_template: Cloud / AWS / Display EC2 Stats
+        all_parents_must_converge: true
+        always_nodes:
+          - VPC Report
+      - identifier: VPC Report
+        unified_job_template: Cloud / AWS / VPC Report
+        all_parents_must_converge: true
+        always_nodes:
+          - Deploy Windows GUI Blueprint
+          - Deploy RHEL8 Blueprint
+          - Deploy RHEL9 Blueprint
+          - Deploy Windows Core Blueprint
+          - Deploy Report Server
+      - identifier: Deploy Windows GUI Blueprint
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: aws-dc
+          vm_blueprint: windows_full
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
+      - identifier: Deploy Windows Core Blueprint
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: aws_win1
+          vm_blueprint: windows_core
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
+      - identifier: Deploy RHEL8 Blueprint
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: aws_rhel8
+          vm_blueprint: rhel8
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
+      - identifier: Deploy RHEL9 Blueprint
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: aws_rhel9
+          vm_blueprint: rhel9
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
+      - identifier: Deploy Report Server
+        unified_job_template: Cloud / AWS / Create VM
+        extra_data:
+          create_vm_vm_name: reports
+          vm_blueprint: rhel9
+        success_nodes:
+          - Update Inventory
+        failure_nodes:
+          - Ticket - Instance Failed
+      - identifier: Update Inventory
+        unified_job_template: AWS Inventory
+        success_nodes:
+          - Tag Report
+      - identifier: Ticket - Instance Failed
+        unified_job_template: 'SUBMIT FEEDBACK'
+        extra_data:
+          feedback: Failed to create AWS instance
+      - identifier: Tag Report
+        unified_job_template: Cloud / AWS / Tags Report
+      - identifier: Ticket - VPC Failed
+        unified_job_template: 'SUBMIT FEEDBACK'
+        extra_data:
+          feedback: Failed to create AWS VPC
+
+  - name: Cloud / AWS / Patch EC2 Workflow
+    description: A workflow to patch ec2 instances with snapshot and restore on failure.
+    organization: Default
+    notification_templates_started: Telemetry
+    notification_templates_success: Telemetry
+    notification_templates_error: Telemetry
+    survey_enabled: true
+    survey:
+      name: ''
+      description: ''
+      spec:
+        - question_name: AWS Region
+          type: multiplechoice
+          variable: aws_region
+          required: true
+          default: us-east-1
+          choices:
+            - us-east-1
+            - us-east-2
+            - us-west-1
+            - us-west-2
+        - question_name: Specify target hosts
+          type: text
+          variable: _hosts
+          required: true
+          default: os_linux
+    simplified_workflow_nodes:
+      - identifier: Project Sync
+        unified_job_template: Ansible Product Demos
+        success_nodes:
+          - Take Snapshot
+      - identifier: Inventory Sync
+        unified_job_template: AWS Inventory
+        success_nodes:
+          - Take Snapshot
+      - identifier: Take Snapshot
+        unified_job_template: Cloud / AWS / Snapshot EC2
+        success_nodes:
+          - Patch Instance
+      - identifier: Patch Instance
+        unified_job_template: LINUX / Patching
+        job_type: run
+        failure_nodes:
+          - Restore from Snapshot
+      - identifier: Restore from Snapshot
+        unified_job_template: Cloud / AWS / Restore EC2 from Snapshot
+        failure_nodes:
+          - Ticket - Restore Failed
+      - identifier: Ticket - Restore Failed
+        unified_job_template: 'SUBMIT FEEDBACK'
+        extra_data:
+          feedback: Cloud / AWS / Patch EC2 Workflow | Failed to restore ec2 from snapshot

cloud/snapshot_ec2.yml

@@ -0,0 +1,10 @@
+---
+- name: Snapshot ec2 instance
+  hosts: "{{ _hosts | default(omit) }}"
+  gather_facts: false
+
+  tasks:
+    - name: Include snapshot role
+      ansible.builtin.include_role:
+        name: "demo.cloud.aws"
+        tasks_from: snapshot_vm

collections/ansible_collections/demo/cloud/roles/aws/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+#######
+# AWS VARS
+#######
+aws_vpc_name: ansible
+aws_vpc_prefix: demo
+aws_vpc_cidr_block: 10.0.0.0/16
+aws_subnet_cidr: 10.0.1.0/24
+aws_region: us-east-1
+aws_vm_name: "{{ vm_name }}"
+aws_vm_owner: "{{ vm_owner }}"
+aws_blueprint: "{{ vm_blueprint }}"
+# aws_image_filter: "{{ omit }}"
+# aws_instance_size: "{{ omit }}"
+# aws_image_architecture: "{{ omit }}"
+# aws_image_owners: "{{ omit }} "
+aws_userdata_template: default
+aws_keypair_name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-demo-key"
+aws_securitygroup_name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-sec-group"
+aws_env_tag: prod
+aws_purpose_tag: ansible_demo
+aws_ansiblegroup_tag: cloud
+aws_ec2_wait: true
+aws_snapshots: {}

collections/ansible_collections/demo/cloud/roles/aws/tasks/create_infra.yml

@@ -0,0 +1,118 @@
+---
+- name: AWS | CREATE INFRA | vpc
+  amazon.aws.ec2_vpc_net:
+    state: present
+    name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-vpc"
+    cidr_block: "{{ aws_vpc_cidr_block }}"
+    tenancy: default
+    region: "{{ aws_region }}"
+    tags:
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"
+  register: aws_vpc
+
+- name: AWS | CREATE INFRA | internet gateway
+  amazon.aws.ec2_vpc_igw:
+    state: present
+    vpc_id: "{{ aws_vpc.vpc.id }}"
+    region: "{{ aws_region }}"
+    tags:
+      Name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-vpc-igw"
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"
+  register: aws_gateway
+
+- name: Create security group internal
+  amazon.aws.ec2_security_group:
+    state: present
+    name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-sec-group"
+    region: "{{ aws_region }}"
+    description: Inbound WinRM and RDP, http for demo servers and internal AD ports
+    rules:
+      - proto: tcp
+        ports:
+          - 80  # HTTP
+          - 443  # HTTPS
+          - 22  # SSH
+          - 5986  # WinRM
+          - 3389  # RDP
+        cidr_ip: 0.0.0.0/0
+      - proto: icmp
+        to_port: -1
+        from_port: -1
+        cidr_ip: 0.0.0.0/0
+      - proto: tcp
+        ports:
+          - 80  # HTTP
+          - 5986  # WinRM
+          - 3389  # RDP
+          - 53  # DNS
+          - 88  # Kerberos Authentication
+          - 135  # RPC
+          - 139  # Netlogon
+          - 389  # LDAP
+          - 445  # SMB
+          - 464  # Kerberos Authentication
+          - 5432  # PostgreSQL
+          - 636  # LDAPS (LDAP over TLS)
+          - 873  # Rsync
+          - 3268-3269  # Global Catalog
+          - 1024-65535  # Ephemeral RPC ports
+        cidr_ip: 10.0.0.0/16
+      - proto: udp
+        ports:
+          - 53  # DNS
+          - 88  # Kerberos Authentication
+          - 123  # NTP
+          - 137-138  # Netlogon
+          - 389  # LDAP
+          - 445  # SMB
+          - 464  # Kerberos Authentication
+          - 1024-65535  # Ephemeral RPC ports
+        cidr_ip: 10.0.0.0/16
+    rules_egress:
+      - proto: -1
+        cidr_ip: 0.0.0.0/0
+    vpc_id: "{{ aws_vpc.vpc.id }}"
+    tags:
+      Name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-sec-group"
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"
+
+- name: Create a subnet on the VPC
+  amazon.aws.ec2_vpc_subnet:
+    state: present
+    vpc_id: "{{ aws_vpc.vpc.id }}"
+    cidr: "{{ aws_subnet_cidr }}"
+    region: "{{ aws_region }}"
+    map_public: true
+    tags:
+      Name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-subnet"
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"
+  register: aws_subnet
+
+- name: Create a subnet route table
+  amazon.aws.ec2_vpc_route_table:
+    state: present
+    vpc_id: "{{ aws_vpc.vpc.id }}"
+    region: "{{ aws_region }}"
+    subnets:
+      - "{{ aws_subnet.subnet.id }}"
+    routes:
+      - dest: 0.0.0.0/0
+        gateway_id: "{{ aws_gateway.gateway_id }}"
+    tags:
+      Name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-vpc-rtbl"
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"
+
+- name: Create AWS keypair
+  amazon.aws.ec2_key:
+    name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-demo-key"
+    region: "{{ aws_region }}"
+    key_material: "{{ aws_public_key }}"
+    state: present
+    tags:
+      owner: "{{ aws_vpc_name }}"
+      purpose: "{{ aws_purpose_tag }}"

collections/ansible_collections/demo/cloud/roles/aws/tasks/create_vm.yml

@@ -0,0 +1,47 @@
+---
+- name: AWS | CREATE VM | get subnet info
+  amazon.aws.ec2_vpc_subnet_info:
+    region: "{{ aws_region }}"
+    filters:
+      "tag:Name": "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-subnet"
+  register: aws_subnet
+
+- name: AWS | CREATE VM | save subnet id
+  ansible.builtin.set_fact:
+    aws_subnet_id: "{{ aws_subnet.subnets | map(attribute='id') | list | last }}"
+
+- name: AWS| CREATE VM | find ami
+  amazon.aws.ec2_ami_info:
+    region: "{{ aws_region }}"
+    owners: "{{ aws_image_owners | default(omit) }}"
+    filters:
+      name: "{{ aws_image_filter }}"
+      architecture: "{{ aws_image_architecture | default(omit) }}"
+  register: aws_amis
+
+- name: AWS| CREATE VM | save ami
+  ansible.builtin.set_fact:
+    aws_instance_ami: >
+      {{ (aws_amis.images | selectattr('name', 'defined') | sort(attribute='creation_date'))[-2] }}
+
+- name: AWS| CREATE VM | create instance
+  amazon.aws.ec2_instance:
+    network:
+      assign_public_ip: true
+    key_name: "{{ aws_keypair_name }}"
+    instance_type: "{{ aws_instance_size }}"
+    image_id: "{{ aws_instance_ami.image_id }}"
+    region: "{{ aws_region }}"
+    security_group: "{{ aws_securitygroup_name }}"
+    tags:
+      blueprint: "{{ aws_blueprint }}"
+      purpose: "{{ aws_purpose_tag }}"
+      env: "{{ aws_env_tag }}"
+      ansible_group: "{{ aws_ansiblegroup_tag }}"
+      owner: "{{ aws_vm_owner }}"
+      info: "This instance was built by Red Hat Product Demos"
+      Name: "{{ aws_vm_name }}"
+    wait: "{{ aws_ec2_wait }}"
+    vpc_subnet_id: "{{ aws_subnet_id }}"
+    user_data: "{{ lookup('template', aws_userdata_template + '.j2', template_vars=dict(aws_vm_name=vm_name)) }}"
+  register: aws_vm_output

collections/ansible_collections/demo/cloud/roles/aws/tasks/destroy_vm.yml

@@ -0,0 +1,7 @@
+---
+- name: Destroy VM
+  amazon.aws.ec2_instance:
+    state: absent
+    instance_ids: "{{ instance_id }}"
+    region: "{{ placement.region }}"
+  delegate_to: localhost

collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml

@@ -0,0 +1,45 @@
+---
+# parameters
+# instance_type: new instance type, e.g. t3.large
+- name: AWS | RESIZE VM
+  delegate_to: localhost
+  vars:
+    controller_dependency_check: false  # noqa: var-naming[no-role-prefix]
+    controller_inventory_sources:
+      - name: AWS Inventory
+        inventory: Demo Inventory
+        organization: Default
+        wait: true
+  block:
+    - name: AWS | RESIZE EC2 | assert required vars
+      ansible.builtin.assert:
+        that:
+          - instance_id is defined
+          - aws_region is defined
+        fail_msg: "instance_id, aws_region is required for resize operations"
+
+    - name: AWS | RESIZE EC2 | shutdown instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: stopped
+        wait: true
+
+    - name: AWS | RESIZE EC2 | update instance type
+      amazon.aws.ec2_instance:
+        region: "{{ aws_region }}"
+        instance_ids: "{{ instance_id }}"
+        instance_type: "{{ instance_type }}"
+        wait: true
+
+    - name: AWS | RESIZE EC2 | start instance
+      amazon.aws.ec2_instance:
+        instance_ids: "{{ instance_id }}"
+        region: "{{ aws_region }}"
+        state: started
+        wait: true
+
+    - name: Synchronize inventory
+      run_once: true
+      ansible.builtin.include_role:
+        name: infra.controller_configuration.inventory_source_update

collections/ansible_collections/demo/cloud/roles/aws/tasks/restore_vm.yml

@@ -0,0 +1,62 @@
+---
+- name: AWS | RESTORE VM
+  delegate_to: localhost
+  block:
+    - name: AWS | RESTORE VM | stop vm
+      amazon.aws.ec2_instance:
+        region: "{{ aws_region }}"
+        instance_ids: "{{ instance_id }}"
+        state: stopped
+        wait: true
+
+    - name: AWS | RESTORE VM | get volumes
+      register: aws_r_vol_info
+      amazon.aws.ec2_vol_info:
+        region: "{{ aws_region }}"
+        filters:
+          attachment.instance-id: "{{ instance_id }}"
+
+    - name: AWS | RESTORE VM | detach volumes
+      loop: "{{ aws_r_vol_info.volumes }}"
+      loop_control:
+        loop_var: volume
+        label: "{{ volume.id }}"
+      amazon.aws.ec2_vol:
+        region: "{{ aws_region }}"
+        id: "{{ volume.id }}"
+        instance: None
+
+    - name: AWS | RESTORE VM | attach snapshots from stat
+      when: inventory_hostname in aws_snapshots
+      loop: "{{ aws_snapshots[inventory_hostname] }}"
+      loop_control:
+        loop_var: snap
+        label: "{{ snap.snapshot_id }}"
+      amazon.aws.ec2_vol:
+        region: "{{ aws_region }}"
+        instance: "{{ instance_id }}"
+        snapshot: "{{ snap.snapshot_id }}"
+        device_name: "{{ snap.device }}"
+
+    - name: AWS | RESTORE VM | get all snapshots
+      when: inventory_hostname not in aws_snapshots
+      register: aws_r_snapshots
+      amazon.aws.ec2_snapshot_info:
+        region: "{{ aws_region }}"
+        filters:
+          "tag:Name": "{{ inventory_hostname }}"
+
+    - name: AWS | RESTORE VM | create volume from latest snapshot
+      when: inventory_hostname not in aws_snapshots
+      amazon.aws.ec2_vol:
+        region: "{{ aws_region }}"
+        instance: "{{ instance_id }}"
+        snapshot: "{{ aws_r_snapshots.snapshots[0].snapshot_id }}"
+        device_name: "/dev/sda1"
+
+    - name: AWS | RESTORE VM | start vm
+      amazon.aws.ec2_instance:
+        region: "{{ aws_region }}"
+        instance_ids: "{{ instance_id }}"
+        state: started
+        wait: true

collections/ansible_collections/demo/cloud/roles/aws/tasks/snapshot_vm.yml

@@ -0,0 +1,42 @@
+---
+- name: AWS | SNAPSHOT VM
+  delegate_to: localhost
+  block:
+    - name: AWS | SNAPSHOT VM | assert id
+      ansible.builtin.assert:
+        that: instance_id is defined
+        fail_msg: "instance_id is required for snapshot operations"
+
+    - name: AWS | SNAPSHOT VM | include vars
+      ansible.builtin.include_vars:
+        file: snapshot_vm.yml
+
+    - name: AWS | SNAPSHOT VM | get volumes
+      register: aws_r_vol_info
+      amazon.aws.ec2_vol_info:
+        region: "{{ aws_region }}"
+        filters:
+          attachment.instance-id: "{{ instance_id }}"
+
+    - name: AWS | SNAPSHOT VM | take snapshots
+      loop: "{{ aws_r_vol_info.volumes }}"
+      loop_control:
+        loop_var: volume
+        label: "{{ volume.id }}"
+      register: aws_r_snapshots
+      amazon.aws.ec2_snapshot:
+        region: "{{ aws_region }}"
+        volume_id: "{{ volume.id }}"
+        description: "Snapshot taken by Red Hat Product demos"
+        snapshot_tags: "{{ tags }}"
+
+- name: AWS | SNAPSHOT VM | format snapshot stat
+  ansible.builtin.set_fact:
+    aws_snapshot_stat:
+      - key: "{{ inventory_hostname }}"
+        value: "{{ aws_r_snapshots.results | json_query(aws_ec2_snapshot_query) }}"
+
+- name: AWS | SNAPSHOT VM | record snapshot with host key
+  ansible.builtin.set_stats:
+    data:
+      aws_snapshots: "{{ aws_snapshot_stat | items2dict }}"

collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2

@@ -0,0 +1,29 @@
+<powershell>
+# Disable .Net Optimization Service
+Get-ScheduledTask *ngen* | Disable-ScheduledTask
+
+# Disable Windows Auto Updates
+# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html#high-cpu-issue
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
+net stop wuauserv
+net start wuauserv
+
+# Remove policies stopping us from enabling WinRM
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowBasic /f
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /f
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v DisableRunAs /f
+
+# Disable Windows Defender Monitoring
+Set-MpPreference -DisableRealtimeMonitoring $true
+
+# Enable WinRM
+Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\ConfigureRemotingForAnsible.ps1
+C:\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert -EnableCredSSP
+
+# add ec2-user
+$Password = ConvertTo-SecureString {{ ansible_password }} -AsPlainText -Force
+New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password $Password
+Add-LocalGroupMember -Group "Administrators" -Member "ec2-user"
+
+Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart
+</powershell>

collections/ansible_collections/demo/cloud/roles/aws/vars/snapshot_vm.yml

@@ -0,0 +1,11 @@
+---
+# Set stat_snapshots with model:
+# [
+#   {
+#     "snapshot_id": "snap-0e981f05704e19ffd",
+#     "vol_id": "vol-0bd55f313bb7bcdd8",
+#     "device": "/dev/sda1"
+#   },
+#   ...
+# ]
+aws_ec2_snapshot_query: "[].{snapshot_id: snapshot_id, vol_id: volume.id, device: volume.attachment_set[?instance_id=='{{ instance_id }}'].device | [0]}"

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py

@@ -0,0 +1,105 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import json
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+role = "iosxeSTIG"
+
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = "xml"
+    CALLBACK_NAME = "stig_xml"
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get("STIG_PATH")
+        self.XML_path = os.environ.get("XML_PATH")
+        if self.stig_path is None:
+            self.stig_path = os.path.join(os.getcwd(), "roles", role, "files")
+            self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = os.getcwd()
+            self._display.display("Using XML_PATH: {}".format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
+        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
+        self.tr.set(
+            "id",
+            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
+        )
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set("end-time", endtime)
+        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        tg.text = platform.node()
+
+    def __get_rev(self, nid):
+        rev = "0"
+        # Check all files for the rule number.
+        for file in os.listdir(self.stig_path):
+            with open(os.path.join(self.stig_path, file), "r") as f:
+                r = "SV-{}r(?P<rev>\d)_rule".format(nid)
+                m = re.search(r, f.read())
+            if m:
+                rev = m.group("rev")
+                break
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search("stigrule_(?P<id>\d+)", name)
+        if m:
+            nid = m.group("id")
+        else:
+            return
+        rev = self.__get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, "Unknown") != False:
+            self.rules[key] = result.is_changed()
+
+    def __set_duplicates(self):
+        with open(os.path.join(self.stig_path, "duplicates.json")) as f:
+            dups = json.load(f)
+        for d in dups:
+            dup_of = str(dups[d][0])
+            rev = self.__get_rev(d)
+            key = "{}r{}".format(d, rev)
+            dup_of_rev = self.__get_rev(dup_of)
+            dup_of_key = "{}r{}".format(dup_of, dup_of_rev)
+            if dup_of_key in self.rules:
+                self.rules[key] = self.rules[dup_of_key]
+
+    def v2_playbook_on_stats(self, stats):
+        self.__set_duplicates()
+        for rule, changed in self.rules.items():
+            state = "fail" if changed else "pass"
+            rr = ET.SubElement(
+                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
+            )
+            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
+            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
+        sc.set("maximum", str(len(self.rules)))
+        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc.text = str(passing)
+        with open(os.path.join(self.XML_path, "xccdf-results.xml"), "w") as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml

@@ -0,0 +1,280 @@
+# R-215807 CISC-ND-000010
+iosxeSTIG_stigrule_215807_Manage: True
+iosxeSTIG_stigrule_215807_ip_http_max_connections_2_Lines:
+  - ip http max-connections 2
+iosxeSTIG_stigrule_215807_session_limit_for_all_line_vty_sections_Lines:
+  - session-limit 2
+# R-215808 CISC-ND-000090
+# A partial of 215815
+# duplicate of 215815
+# R-215809 CISC-ND-000100
+# A partial of 215815
+# duplicate of 215815
+# R-215810 CISC-ND-000110
+# A partial of 215815
+# duplicate of 215815
+# R-215811 CISC-ND-000120
+# A partial of 215815
+# duplicate of 215815
+# R-215813 CISC-ND-000150
+iosxeSTIG_stigrule_215813_Manage: True
+iosxeSTIG_stigrule_215813_login_block_for_900_attempts_3_within_120_Lines:
+  - login block-for 900 attempts 3 within 120
+# R-215814 CISC-ND-000160
+iosxeSTIG_stigrule_215814_Manage: True
+iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
+
+counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
+
+psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+# R-215815 CISC-ND-000210
+iosxeSTIG_stigrule_215815_Manage: True
+iosxeSTIG_stigrule_215815_login_logging_Lines:
+  - logging userinfo
+iosxeSTIG_stigrule_215815_logging_enable_Lines:
+  - logging enable
+iosxeSTIG_stigrule_215815_logging_enable_Parents:
+  - archive
+  - log config
+# R-215816 CISC-ND-000250
+iosxeSTIG_stigrule_215816_Manage: True
+iosxeSTIG_stigrule_215816_login_logging_Lines:
+  - login on-failure log
+  - login on-success log
+# R-215817 CISC-ND-000280
+iosxeSTIG_stigrule_215817_Manage: True
+iosxeSTIG_stigrule_215817_service_timestamps_log_datetime_localtime_Lines:
+  - service timestamps log datetime localtime
+# R-215819 CISC-ND-000330
+# A partial of 215815
+# duplicate of 215815
+# R-215820 CISC-ND-000380
+iosxeSTIG_stigrule_215820_Manage: True
+iosxeSTIG_stigrule_215820_file_privilege_Lines:
+  - file privilege 15
+# R-215821 CISC-ND-000390
+# A duplicate of 215820
+# duplicate of 215820
+# R-215822 CISC-ND-000460
+# A duplicate of 215820
+# duplicate of 215820
+# R-215823 CISC-ND-000470
+iosxeSTIG_stigrule_215823_Manage: True
+iosxeSTIG_stigrule_215823_disable_boot_network_Lines:
+  - no boot network
+iosxeSTIG_stigrule_215823_disable_boot_server_Lines:
+  - no ip boot server
+iosxeSTIG_stigrule_215823_disable_bootp_server_Lines:
+  - no ip bootp server
+iosxeSTIG_stigrule_215823_disable_dns_server_Lines:
+  - no ip dns server
+iosxeSTIG_stigrule_215823_disable_identd_Lines:
+  - no ip identd
+iosxeSTIG_stigrule_215823_disable_finger_Lines:
+  - no ip finger
+iosxeSTIG_stigrule_215823_disable_http_server_Lines:
+  - no ip http server
+iosxeSTIG_stigrule_215823_disable_rcmd_rcp_enable_Lines:
+  - no ip rcmd rcp-enable
+iosxeSTIG_stigrule_215823_disable_rcmd_rsh_enable_Lines:
+  - no ip rcmd rsh-enable
+iosxeSTIG_stigrule_215823_disable_tcp_small_servers_Lines:
+  - no service tcp-small-servers
+iosxeSTIG_stigrule_215823_disable_udp_small_servers_Lines:
+  - no service udp-small-servers
+iosxeSTIG_stigrule_215823_disable_service_finger_Lines:
+  - no service finger
+iosxeSTIG_stigrule_215823_disable_service_config_Lines:
+  - no service config
+iosxeSTIG_stigrule_215823_disable_service_pad_Lines:
+  - no service pad
+# R-215825 CISC-ND-000530
+# ip ssh server algorithm encryption is set in 215845.
+iosxeSTIG_stigrule_215825_Manage: True
+iosxeSTIG_stigrule_215825_ip_ssh_version_2_Lines:
+  - ip ssh version 2
+# R-215826 CISC-ND-000550
+iosxeSTIG_stigrule_215826_Manage: False
+iosxeSTIG_stigrule_215826_password_min_len_Lines:
+  - min-length 15
+iosxeSTIG_stigrule_215826_password_min_len_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215827 CISC-ND-000570
+iosxeSTIG_stigrule_215827_Manage: False
+iosxeSTIG_stigrule_215827_password_upper_case_Lines:
+  - upper-case 1
+iosxeSTIG_stigrule_215827_password_upper_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215828 CISC-ND-000580
+iosxeSTIG_stigrule_215828_Manage: False
+iosxeSTIG_stigrule_215828_password_lower_case_Lines:
+  - lower-case 1
+iosxeSTIG_stigrule_215828_password_lower_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215829 CISC-ND-000590
+iosxeSTIG_stigrule_215829_Manage: False
+iosxeSTIG_stigrule_215829_password_numeric_count_Lines:
+  - numeric-count 1
+iosxeSTIG_stigrule_215829_password_numeric_count_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215830 CISC-ND-000600
+iosxeSTIG_stigrule_215830_Manage: False
+iosxeSTIG_stigrule_215830_password_special_case_Lines:
+  - special-case 1
+iosxeSTIG_stigrule_215830_password_special_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215831 CISC-ND-000610
+iosxeSTIG_stigrule_215831_Manage: False
+iosxeSTIG_stigrule_215831_password_upper_case_Lines:
+  - char-changes 8
+iosxeSTIG_stigrule_215831_password_upper_case_Parents:
+  - aaa common-criteria policy PASSWORD_POLICY
+# R-215832 CISC-ND-000620
+iosxeSTIG_stigrule_215832_Manage: True
+iosxeSTIG_stigrule_215832_service_password_encryption_Lines:
+  - service password-encryption
+# R-215833 CISC-ND-000720
+iosxeSTIG_stigrule_215833_Manage: True
+iosxeSTIG_stigrule_215833_exec_timeout_for_console_Lines:
+  - exec-timeout 10 0
+iosxeSTIG_stigrule_215833_exec_timeout_for_console_Parents:
+  - line con 0
+iosxeSTIG_stigrule_215833_exec_timeout_for_all_line_vty_sections_Lines:
+  - exec-timeout 10 0
+iosxeSTIG_stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10_Lines:
+  - ip http timeout-policy idle 600 life 3600 requests 10
+# R-215834 CISC-ND-000880
+# A partial of 215815
+# duplicate of 215815
+# R-215835 CISC-ND-000940
+# A duplicate of 215815
+# duplicate of 215815
+# R-215836 CISC-ND-000980
+iosxeSTIG_stigrule_215836_Manage: True
+iosxeSTIG_stigrule_215836_logging_buffered_4096_informational_Lines:
+  - logging buffered 4096 informational
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+iosxeSTIG_stigrule_215837_Manage: False
+iosxeSTIG_stigrule_215837_host_Name: '192.0.2.128'
+iosxeSTIG_stigrule_215837_logging_trap_critical_Lines:
+  - logging trap critical
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+iosxeSTIG_stigrule_215838_Manage: False
+iosxeSTIG_stigrule_215838_ntp_server_1_Server: '192.0.2.0'
+iosxeSTIG_stigrule_215838_ntp_server_2_Server: '192.0.2.1'
+# R-215839 CISC-ND-001040
+# A duplicate of 215817
+# duplicate of 215817
+# R-215840 CISC-ND-001050
+# service timestamps log datetime localtime is set in 215817.
+iosxeSTIG_stigrule_215840_Manage: True
+iosxeSTIG_stigrule_215840_service_timestamps_log_datetime_localtime_Lines:
+  - clock timezone EST -5 0
+# R-215844 CISC-ND-001200
+iosxeSTIG_stigrule_215844_Manage: True
+iosxeSTIG_stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1_Lines:
+  - ip ssh server algorithm mac hmac-sha1
+iosxeSTIG_stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha_Lines:
+  - ip http secure-ciphersuite aes-128-cbc-sha
+# R-215845 CISC-ND-001210
+# Option ip http secure-ciphersuite is set in 215844
+iosxeSTIG_stigrule_215845_Manage: True
+iosxeSTIG_stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr_Lines:
+  - ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr
+# R-215847 CISC-ND-001240
+# A duplicate of 215815
+# duplicate of 215815
+# R-215848 CISC-ND-001250
+# A partial of 215815
+# duplicate of 215815
+# R-215849 CISC-ND-001260
+# A subset of 215816
+# duplicate of 215816
+# R-215850 CISC-ND-001270
+# A partial of 215815
+# duplicate of 215815
+# R-215852 CISC-ND-001290
+# A subset of 215816
+# duplicate of 215816
+# R-215853 CISC-ND-001310
+# A duplicate of 215837
+# duplicate of 215837
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+iosxeSTIG_stigrule_215854_Manage: False
+iosxeSTIG_stigrule_215854_radius_host_10_1_48_2_key_xxxxxx_Lines:
+  - radius host 10.1.48.2 key xxxxxx
+iosxeSTIG_stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local_Lines:
+  - aaa authentication login LOGIN_AUTHENTICATION group radius local
+iosxeSTIG_stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION_Lines:
+  - ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
+iosxeSTIG_stigrule_215854_login_authentication_for_console_Lines:
+  - login authentication LOGIN_AUTHENTICATION
+iosxeSTIG_stigrule_215854_login_authentication_for_console_Parents:
+  - line con 0
+iosxeSTIG_stigrule_215854_login_authentication_for_all_line_vty_sections_Lines:
+  - login authentication LOGIN_AUTHENTICATION
+# R-215856 CISC-ND-001440
+# Insert an appropriate URL (including protocol and port)
+iosxeSTIG_stigrule_215856_Manage: False
+iosxeSTIG_stigrule_215856_enrollment_url_Lines:
+  - enrollment url http://trustpoint1.example.com:80
+iosxeSTIG_stigrule_215856_enrollment_url_Parents:
+  - crypto pki trustpoint CA_X
+# R-216647 CISC-RT-000070
+# A duplicate of 215823
+# duplicate of 215823
+# R-216661 CISC-RT-000230
+iosxeSTIG_stigrule_216661_Manage: False
+iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Lines:
+  - no exec
+  - transport input none
+iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Parents:
+  - line aux 0
+# R-216675 CISC-RT-000370
+iosxeSTIG_stigrule_216675_Manage: True
+iosxeSTIG_stigrule_216675_no_cdp_run_Lines:
+  - no cdp run
+# R-216700 CISC-RT-000620
+iosxeSTIG_stigrule_216700_Manage: True
+iosxeSTIG_stigrule_216700_no_mpls_ip_propagate_ttl_Lines:
+  - no mpls ip propagate-ttl
+# R-216723 CISC-RT-000850
+iosxeSTIG_stigrule_216723_Manage: False
+iosxeSTIG_stigrule_216723_ip_pim_register_rate_limit_10_Lines:
+  - ip pim register-rate-limit 10
+# R-216726 CISC-RT-000880
+iosxeSTIG_stigrule_216726_Manage: True
+iosxeSTIG_stigrule_216726_ip_igmp_limit_Lines:
+  - ip igmp limit 2
+# R-216727 CISC-RT-000890
+iosxeSTIG_stigrule_216727_Manage: True
+iosxeSTIG_stigrule_216727_ip_pim_spt_threshold_infinity_Lines:
+  - ip pim spt-threshold infinity
+# R-216996 CISC-RT-000080
+iosxeSTIG_stigrule_216996_Manage: True
+iosxeSTIG_stigrule_216996_no_call_home_Lines:
+  - no call-home
+# R-217001 CISC-RT-000750
+# Options drop or ignore are allowed.
+iosxeSTIG_stigrule_217001_Manage: True
+iosxeSTIG_stigrule_217001_ip_options_drop_Lines:
+  - ip options drop
+# R-220139 CISC-ND-001450
+# A duplicate of 215837
+# duplicate of 215837
+iosxeSTIG_save_configuration_Manage: False

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/duplicates.json

@@ -0,0 +1,20 @@
+{
+  "215808":[ "215815" ],
+  "215809":[ "215815" ],
+  "215810":[ "215815" ],
+  "215811":[ "215815" ],
+  "215819":[ "215815" ],
+  "215821":[ "215820" ],
+  "215822":[ "215820" ],
+  "215834":[ "215815" ],
+  "215835":[ "215815" ],
+  "215839":[ "215817" ],
+  "215847":[ "215815" ],
+  "215848":[ "215815" ],
+  "215849":[ "215816" ],
+  "215850":[ "215815" ],
+  "215852":[ "215816" ],
+  "215853":[ "215837" ],
+  "216647":[ "215823" ],
+  "220139":[ "215837" ]
+}

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: save configuration
+  ios_command:
+    commands: write memory
+  when: iosxeSTIG_save_configuration_Manage

collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml

@@ -0,0 +1,597 @@
+# R-215807 CISC-ND-000010
+- name : stigrule_215807_ip_http_max_connections_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215807_ip_http_max_connections_2_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215807_Manage
+# R-215807 CISC-ND-000010
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215807_session_limit_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215807_session_limit_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215807_Manage
+# R-215813 CISC-ND-000150
+- name : stigrule_215813_login_block_for_900_attempts_3_within_120
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215813_login_block_for_900_attempts_3_within_120_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215813_Manage
+# R-215814 CISC-ND-000160
+- name : stigrule_215814_login
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_banner:
+    banner: login
+    text: "{{ iosxeSTIG_stigrule_215814_login_Text }}"
+  when: iosxeSTIG_stigrule_215814_Manage
+# R-215815 CISC-ND-000210
+- name : stigrule_215815_login_logging
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215815_login_logging_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215815_Manage
+# R-215815 CISC-ND-000210
+- name : stigrule_215815_logging_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215815_logging_enable_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215815_logging_enable_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215815_Manage
+# R-215816 CISC-ND-000250
+- name : stigrule_215816_login_logging
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215816_login_logging_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215816_Manage
+# R-215817 CISC-ND-000280
+- name : stigrule_215817_service_timestamps_log_datetime_localtime
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215817_service_timestamps_log_datetime_localtime_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215817_Manage
+# R-215820 CISC-ND-000380
+- name : stigrule_215820_file_privilege
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215820_file_privilege_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215820_Manage
+# R-215823 CISC-ND-000470
+- name: check for boot network
+  ios_command:
+    commands: show running-config all | include ^boot network
+  register: cmd_result
+- name : stigrule_215823_disable_boot_network
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_boot_network_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('boot network') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip boot server
+  ios_command:
+    commands: show running-config all | include ^ip boot server
+  register: cmd_result
+- name : stigrule_215823_disable_boot_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_boot_server_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip boot server') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_bootp_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_bootp_server_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for DNS server configuration
+  ios_command:
+    commands: show running-config all | include ^ip dns server
+  register: cmd_result
+- name : stigrule_215823_disable_dns_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_dns_server_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip dns server') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+# - name : stigrule_215823_disable_identd
+#   ignore_errors: "{{ ignore_all_errors }}"
+#   notify: "save configuration"
+#   ios_config:
+#     defaults: yes
+#     lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
+#   when:
+#     - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_finger
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_finger_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_http_server
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_http_server_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip rcmd rcp-enable
+  ios_command:
+    commands: show running-config all | include ^ip rcmd rcp-enable
+  register: cmd_result
+- name : stigrule_215823_disable_rcmd_rcp_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_rcmd_rcp_enable_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip rcmd rcp-enable') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for ip rcmd rsh-enable
+  ios_command:
+    commands: show running-config all | include ^ip rcmd rsh-enable
+  register: cmd_result
+- name : stigrule_215823_disable_rcmd_rsh_enable
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_rcmd_rsh_enable_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('ip rcmd rsh-enable') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for tcp-small-servers
+  ios_command:
+    commands: show running-config all | include ^service tcp-small-servers
+  register: cmd_result
+- name : stigrule_215823_disable_tcp_small_servers
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_tcp_small_servers_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service tcp-small-servers') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for udp-small-servers
+  ios_command:
+    commands: show running-config all | include ^service udp-small-servers
+  register: cmd_result
+- name : stigrule_215823_disable_udp_small_servers
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_udp_small_servers_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service udp-small-servers') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name: check for service finger
+  ios_command:
+    commands: show running-config all | include ^service finger
+  register: cmd_result
+- name : stigrule_215823_disable_service_finger
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_finger_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('service finger') != -1
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_service_config
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_config_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215823 CISC-ND-000470
+- name : stigrule_215823_disable_service_pad
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215823_disable_service_pad_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215823_Manage
+# R-215825 CISC-ND-000530
+# ip ssh server algorithm encryption is set in 215845.
+- name : stigrule_215825_ip_ssh_version_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215825_ip_ssh_version_2_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215825_Manage
+# R-215826 CISC-ND-000550
+- name : stigrule_215826_password_min_len
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215826_password_min_len_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215826_password_min_len_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215826_Manage
+# R-215827 CISC-ND-000570
+- name : stigrule_215827_password_upper_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215827_password_upper_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215827_password_upper_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215827_Manage
+# R-215828 CISC-ND-000580
+- name : stigrule_215828_password_lower_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215828_password_lower_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215828_password_lower_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215828_Manage
+# R-215829 CISC-ND-000590
+- name : stigrule_215829_password_numeric_count
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215829_password_numeric_count_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215829_password_numeric_count_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215829_Manage
+# R-215830 CISC-ND-000600
+- name : stigrule_215830_password_special_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215830_password_special_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215830_password_special_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215830_Manage
+# R-215831 CISC-ND-000610
+- name : stigrule_215831_password_upper_case
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215831_password_upper_case_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215831_password_upper_case_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215831_Manage
+# R-215832 CISC-ND-000620
+- name : stigrule_215832_service_password_encryption
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215832_service_password_encryption_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215832_Manage
+# R-215833 CISC-ND-000720
+- name : stigrule_215833_exec_timeout_for_console
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_console_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_console_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215833 CISC-ND-000720
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215833_exec_timeout_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_exec_timeout_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215833 CISC-ND-000720
+- name : stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215833_ip_http_timeout_policy_idle_600_life_3600_requests_10_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215833_Manage
+# R-215836 CISC-ND-000980
+- name : stigrule_215836_logging_buffered_4096_informational
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215836_logging_buffered_4096_informational_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215836_Manage
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+- name : stigrule_215837_host
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    lines:
+      - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
+  when: iosxeSTIG_stigrule_215837_Manage
+# R-215837 CISC-ND-001000
+# Please configure name IP address to a valid one.
+- name : stigrule_215837_logging_trap_critical
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215837_logging_trap_critical_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215837_Manage
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+- name : stigrule_215838_ntp_server_1
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  cisco.ios.ios_config:
+    lines:
+      - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
+  when: iosxeSTIG_stigrule_215838_Manage
+# R-215838 CISC-ND-001030
+# Replace ntp servers' IP address before enabling.
+- name : stigrule_215838_ntp_server_2
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  cisco.ios.ios_config:
+    lines:
+      - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
+  when: iosxeSTIG_stigrule_215838_Manage
+# R-215840 CISC-ND-001050
+# service timestamps log datetime localtime is set in 215817.
+- name : stigrule_215840_service_timestamps_log_datetime_localtime
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215840_service_timestamps_log_datetime_localtime_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215840_Manage
+# R-215844 CISC-ND-001200
+- name : stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215844_ip_ssh_server_algorithm_mac_hmac_sha1_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215844_Manage
+# R-215844 CISC-ND-001200
+- name : stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215844_ip_http_secure_ciphersuite_aes_128_cbc_sha_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215844_Manage
+# R-215845 CISC-ND-001210
+# Option ip http secure-ciphersuite is set in 215844
+- name : stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215845_ip_ssh_server_algorithm_encryption_aes128_cbc_aes128_ctr_aes192_cbc_aes192_ctr_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215845_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_radius_host_10_1_48_2_key_xxxxxx
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_radius_host_10_1_48_2_key_xxxxxx_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_aaa_authentication_login_LOGIN_AUTHENTICATION_group_radius_local_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_ip_http_authentication_aaa_login_authentication_LOGIN_AUTHENTICATION_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name : stigrule_215854_login_authentication_for_console
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_console_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_console_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215854 CISC-ND-001370
+# Configure the authentication server key before enabling.
+- name: get line vty sections
+  ios_command:
+    commands: show running-config all | include ^line vty
+  register: cmd_result
+- name : stigrule_215854_login_authentication_for_all_line_vty_sections
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215854_login_authentication_for_all_line_vty_sections_Lines }}"
+    parents: "{{ item }}"
+  loop: "{{ cmd_result.stdout_lines|flatten(levels=1) }}"
+  when:
+    - iosxeSTIG_stigrule_215854_Manage
+# R-215856 CISC-ND-001440
+# Insert an appropriate URL (including protocol and port)
+- name : stigrule_215856_enrollment_url
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_215856_enrollment_url_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_215856_enrollment_url_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_215856_Manage
+# R-216661 CISC-RT-000230
+- name : stigrule_216661_Disable_the_auxiliary_port
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Lines }}"
+    parents: "{{ iosxeSTIG_stigrule_216661_Disable_the_auxiliary_port_Parents }}"
+  when:
+    - iosxeSTIG_stigrule_216661_Manage
+# R-216675 CISC-RT-000370
+- name : stigrule_216675_no_cdp_run
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216675_no_cdp_run_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216675_Manage
+# R-216700 CISC-RT-000620
+- name : stigrule_216700_no_mpls_ip_propagate_ttl
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216700_no_mpls_ip_propagate_ttl_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216700_Manage
+# R-216723 CISC-RT-000850
+- name : stigrule_216723_ip_pim_register_rate_limit_10
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216723_ip_pim_register_rate_limit_10_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216723_Manage
+# R-216726 CISC-RT-000880
+- name : stigrule_216726_ip_igmp_limit
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216726_ip_igmp_limit_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216726_Manage
+# R-216727 CISC-RT-000890
+- name : stigrule_216727_ip_pim_spt_threshold_infinity
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216727_ip_pim_spt_threshold_infinity_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_216727_Manage
+# R-216996 CISC-RT-000080
+- name: check for call-home
+  ios_command:
+    commands: show running-config | include ^call-home
+  register: cmd_result
+- name : stigrule_216996_no_call_home
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_216996_no_call_home_Lines }}"
+  when:
+    - (cmd_result.stdout|join('\n')).find('call-home') != -1
+    - iosxeSTIG_stigrule_216996_Manage
+# R-217001 CISC-RT-000750
+# Options drop or ignore are allowed.
+- name : stigrule_217001_ip_options_drop
+  ignore_errors: "{{ ignore_all_errors }}"
+  notify: "save configuration"
+  ios_config:
+    defaults: yes
+    lines: "{{ iosxeSTIG_stigrule_217001_ip_options_drop_Lines }}"
+  when:
+    - iosxeSTIG_stigrule_217001_Manage

collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,93 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = "xml"
+    CALLBACK_NAME = "stig_xml"
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath(".")
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get("STIG_PATH")
+        self.XML_path = os.environ.get("XML_PATH")
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display("Using XML_PATH: {}".format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
+        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
+        self.tr.set(
+            "id",
+            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
+        )
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set("end-time", endtime)
+        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, "r") as f:
+            r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group("rev")
+        else:
+            rev = "0"
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search("stigrule_(?P<id>\d+)", name)
+        if m:
+            nid = m.group("id")
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, "Unknown") != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = "fail" if changed else "pass"
+            rr = ET.SubElement(
+                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
+            )
+            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
+            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
+        sc.set("maximum", str(len(self.rules)))
+        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc.text = str(passing)
+        with open(self.XML_path, "wb") as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel7STIG/defaults/main.yml

@@ -0,0 +1,503 @@
+# R-204393 RHEL-07-010030
+rhel7STIG_stigrule_204393_Manage: True
+rhel7STIG_stigrule_204393__etc_dconf_db_local_d_01_banner_message_Value: 'true'
+# R-204394 RHEL-07-010040
+rhel7STIG_stigrule_204394_Manage: True
+rhel7STIG_stigrule_204394__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
+# R-204395 RHEL-07-010050
+rhel7STIG_stigrule_204395_Manage: True
+rhel7STIG_stigrule_204395__etc_issue_Dest: /etc/issue
+rhel7STIG_stigrule_204395__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+'
+# R-204396 RHEL-07-010060
+rhel7STIG_stigrule_204396_Manage: True
+rhel7STIG_stigrule_204396__etc_dconf_db_local_d_00_screensaver_Value: 'true'
+# R-204397 RHEL-07-010061
+rhel7STIG_stigrule_204397_Manage: True
+rhel7STIG_stigrule_204397__etc_dconf_db_local_d_00_defaults_Value: 'true'
+# R-204398 RHEL-07-010070
+rhel7STIG_stigrule_204398_Manage: True
+rhel7STIG_stigrule_204398__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
+# R-204399 RHEL-07-010081
+rhel7STIG_stigrule_204399_Manage: True
+rhel7STIG_stigrule_204399__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
+# R-204400 RHEL-07-010082
+rhel7STIG_stigrule_204400_Manage: True
+rhel7STIG_stigrule_204400__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/session/idle-delay'
+# R-204402 RHEL-07-010100
+rhel7STIG_stigrule_204402_Manage: True
+rhel7STIG_stigrule_204402__etc_dconf_db_local_d_00_screensaver_Value: 'true'
+# R-204403 RHEL-07-010101
+rhel7STIG_stigrule_204403_Manage: True
+rhel7STIG_stigrule_204403__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/idle-activation-enabled'
+# R-204404 RHEL-07-010110
+rhel7STIG_stigrule_204404_Manage: True
+rhel7STIG_stigrule_204404__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
+# R-204407 RHEL-07-010120
+rhel7STIG_stigrule_204407_Manage: True
+rhel7STIG_stigrule_204407__etc_security_pwquality_conf_Line: 'ucredit = -1'
+# R-204408 RHEL-07-010130
+rhel7STIG_stigrule_204408_Manage: True
+rhel7STIG_stigrule_204408__etc_security_pwquality_conf_Line: 'lcredit = -1'
+# R-204409 RHEL-07-010140
+rhel7STIG_stigrule_204409_Manage: True
+rhel7STIG_stigrule_204409__etc_security_pwquality_conf_Line: 'dcredit = -1'
+# R-204410 RHEL-07-010150
+rhel7STIG_stigrule_204410_Manage: True
+rhel7STIG_stigrule_204410__etc_security_pwquality_conf_Line: 'ocredit = -1'
+# R-204411 RHEL-07-010160
+rhel7STIG_stigrule_204411_Manage: True
+rhel7STIG_stigrule_204411__etc_security_pwquality_conf_Line: 'difok = 8'
+# R-204412 RHEL-07-010170
+rhel7STIG_stigrule_204412_Manage: True
+rhel7STIG_stigrule_204412__etc_security_pwquality_conf_Line: 'minclass = 4'
+# R-204413 RHEL-07-010180
+rhel7STIG_stigrule_204413_Manage: True
+rhel7STIG_stigrule_204413__etc_security_pwquality_conf_Line: 'maxrepeat = 3'
+# R-204414 RHEL-07-010190
+rhel7STIG_stigrule_204414_Manage: True
+rhel7STIG_stigrule_204414__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4'
+# R-204416 RHEL-07-010210
+rhel7STIG_stigrule_204416_Manage: True
+rhel7STIG_stigrule_204416__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
+# R-204417 RHEL-07-010220
+rhel7STIG_stigrule_204417_Manage: True
+rhel7STIG_stigrule_204417__etc_libuser_conf_Value: 'sha512'
+# R-204418 RHEL-07-010230
+rhel7STIG_stigrule_204418_Manage: True
+rhel7STIG_stigrule_204418__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
+# R-204419 RHEL-07-010240
+rhel7STIG_stigrule_204419_Manage: True
+rhel7STIG_stigrule_204419_chage__m_1_user_Command: chage -m 1
+# R-204420 RHEL-07-010250
+rhel7STIG_stigrule_204420_Manage: True
+rhel7STIG_stigrule_204420__etc_login_defs_Line: 'PASS_MAX_DAYS 60'
+# R-204421 RHEL-07-010260
+rhel7STIG_stigrule_204421_Manage: True
+rhel7STIG_stigrule_204421_chage__M_60_user_Command: chage -M 60
+# R-204423 RHEL-07-010280
+rhel7STIG_stigrule_204423_Manage: True
+rhel7STIG_stigrule_204423__etc_security_pwquality_conf_Line: 'minlen = 15'
+# R-204425 RHEL-07-010300
+rhel7STIG_stigrule_204425_Manage: True
+rhel7STIG_stigrule_204425_PermitEmptyPasswords_Line: PermitEmptyPasswords no
+# R-204426 RHEL-07-010310
+rhel7STIG_stigrule_204426_Manage: True
+rhel7STIG_stigrule_204426__etc_default_useradd_Line: 'INACTIVE=0'
+# R-204431 RHEL-07-010430
+rhel7STIG_stigrule_204431_Manage: True
+rhel7STIG_stigrule_204431__etc_login_defs_Line: 'FAIL_DELAY 4'
+# R-204432 RHEL-07-010440
+rhel7STIG_stigrule_204432_Manage: True
+rhel7STIG_stigrule_204432__etc_gdm_custom_conf_Value: 'false'
+# R-204433 RHEL-07-010450
+rhel7STIG_stigrule_204433_Manage: True
+rhel7STIG_stigrule_204433__etc_gdm_custom_conf_Value: 'false'
+# R-204434 RHEL-07-010460
+rhel7STIG_stigrule_204434_Manage: True
+rhel7STIG_stigrule_204434_PermitUserEnvironment_Line: PermitUserEnvironment no
+# R-204435 RHEL-07-010470
+rhel7STIG_stigrule_204435_Manage: True
+rhel7STIG_stigrule_204435_HostbasedAuthentication_Line: HostbasedAuthentication no
+# R-204442 RHEL-07-020000
+rhel7STIG_stigrule_204442_Manage: True
+rhel7STIG_stigrule_204442_rsh_server_State: removed
+# R-204443 RHEL-07-020010
+rhel7STIG_stigrule_204443_Manage: True
+rhel7STIG_stigrule_204443_ypserv_State: removed
+# R-204445 RHEL-07-020030
+# Edit email address.
+rhel7STIG_stigrule_204445_Manage: True
+rhel7STIG_stigrule_204445__etc_cron_daily_aide_Dest: /etc/cron.daily/aide
+rhel7STIG_stigrule_204445__etc_cron_daily_aide_Content: '#!/bin/bash
+
+
+
+/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root'
+rhel7STIG_stigrule_204445__etc_cron_daily_aide_Mode: '700'
+rhel7STIG_stigrule_204445_aide_State: installed
+# R-204446 RHEL-07-020040
+# Edit email address.
+rhel7STIG_stigrule_204446_Manage: True
+rhel7STIG_stigrule_204446__etc_cron_daily_aide_notify_Dest: /etc/cron.daily/aide
+rhel7STIG_stigrule_204446__etc_cron_daily_aide_notify_Content: '#!/bin/bash
+
+
+
+/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root'
+rhel7STIG_stigrule_204446__etc_cron_daily_aide_notify_Mode: '700'
+rhel7STIG_stigrule_204446_aide_notify_State: installed
+# R-204447 RHEL-07-020050
+rhel7STIG_stigrule_204447_Manage: True
+rhel7STIG_stigrule_204447__etc_yum_conf_Value: '1'
+# R-204448 RHEL-07-020060
+rhel7STIG_stigrule_204448_Manage: True
+rhel7STIG_stigrule_204448__etc_yum_conf_Value: '1'
+# R-204449 RHEL-07-020100
+rhel7STIG_stigrule_204449_Manage: True
+rhel7STIG_stigrule_204449__etc_modprobe_d_blacklist_conf_Line: 'blacklist usb-storage'
+rhel7STIG_stigrule_204449__etc_modprobe_d_usb_storage_conf_Line: 'install usb-storage /bin/true'
+# R-204450 RHEL-07-020101
+rhel7STIG_stigrule_204450_Manage: True
+rhel7STIG_stigrule_204450__etc_modprobe_d_dccp_conf_Dest: /etc/modprobe.d/dccp.conf
+rhel7STIG_stigrule_204450__etc_modprobe_d_dccp_conf_Content: 'install dccp /bin/true'
+rhel7STIG_stigrule_204450__etc_modprobe_d_blacklist_conf_Line: 'blacklist dccp'
+# R-204451 RHEL-07-020110
+rhel7STIG_stigrule_204451_Manage: True
+rhel7STIG_stigrule_204451_autofs_disable_Enabled: no
+rhel7STIG_stigrule_204451_autofs_stop_State: stopped
+# R-204452 RHEL-07-020200
+rhel7STIG_stigrule_204452_Manage: True
+rhel7STIG_stigrule_204452__etc_yum_conf_Value: '1'
+# R-204453 RHEL-07-020210
+rhel7STIG_stigrule_204453_Manage: True
+rhel7STIG_stigrule_204453__etc_selinux_config_Line: 'SELINUX=enforcing'
+# R-204454 RHEL-07-020220
+rhel7STIG_stigrule_204454_Manage: True
+rhel7STIG_stigrule_204454__etc_selinux_config_Line: 'SELINUXTYPE=targeted'
+# R-204455 RHEL-07-020230
+rhel7STIG_stigrule_204455_Manage: True
+rhel7STIG_stigrule_204455_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
+# R-204457 RHEL-07-020240
+rhel7STIG_stigrule_204457_Manage: True
+rhel7STIG_stigrule_204457__etc_login_defs_Line: 'UMASK 077'
+# R-204466 RHEL-07-020610
+rhel7STIG_stigrule_204466_Manage: True
+rhel7STIG_stigrule_204466__etc_login_defs_Line: 'CREATE_HOME yes'
+# R-204489 RHEL-07-021100
+rhel7STIG_stigrule_204489_Manage: True
+rhel7STIG_stigrule_204489__etc_rsyslog_conf_Line: 'cron.* /var/log/cron.log'
+# R-204490 RHEL-07-021110
+rhel7STIG_stigrule_204490_Manage: True
+rhel7STIG_stigrule_204490__etc_cron_allow_Dest: /etc/cron.allow
+rhel7STIG_stigrule_204490__etc_cron_allow_Owner: root
+# R-204491 RHEL-07-021120
+rhel7STIG_stigrule_204491_Manage: True
+rhel7STIG_stigrule_204491__etc_cron_allow_Dest: /etc/cron.allow
+rhel7STIG_stigrule_204491__etc_cron_allow_Group: root
+# R-204492 RHEL-07-021300
+# If kernel core dumps are required, document the need with the ISSO.
+rhel7STIG_stigrule_204492_Manage: True
+rhel7STIG_stigrule_204492_kdump_disable_Enabled: no
+rhel7STIG_stigrule_204492_kdump_stop_State: stopped
+# R-204496 RHEL-07-021340
+rhel7STIG_stigrule_204496_Manage: True
+rhel7STIG_stigrule_204496_tmp_mount_Enabled: yes
+# R-204502 RHEL-07-021710
+rhel7STIG_stigrule_204502_Manage: True
+rhel7STIG_stigrule_204502_telnet_server_State: removed
+# R-204503 RHEL-07-030000
+rhel7STIG_stigrule_204503_Manage: True
+rhel7STIG_stigrule_204503_auditd_enable_Enabled: yes
+rhel7STIG_stigrule_204503_auditd_start_State: started
+# R-204504 RHEL-07-030010
+rhel7STIG_stigrule_204504_Manage: True
+rhel7STIG_stigrule_204504__etc_audit_rules_d_audit_rules_critical_error_Line: '-f 2'
+# R-204506 RHEL-07-030201
+rhel7STIG_stigrule_204506_Manage: True
+rhel7STIG_stigrule_204506__etc_audisp_plugins_d_au_remote_conf_direction_Line: 'direction = out'
+rhel7STIG_stigrule_204506__etc_audisp_plugins_d_au_remote_conf_path_Line: 'path = /sbin/audisp-remote'
+rhel7STIG_stigrule_204506__etc_audisp_plugins_d_au_remote_conf_type_Line: 'type = always'
+# R-204507 RHEL-07-030210
+rhel7STIG_stigrule_204507_Manage: True
+rhel7STIG_stigrule_204507__etc_audisp_audispd_conf_Line: 'overflow_action = syslog'
+# R-204508 RHEL-07-030211
+rhel7STIG_stigrule_204508_Manage: True
+rhel7STIG_stigrule_204508__etc_audisp_audispd_conf_Line: 'name_format = hostname'
+# R-204509 RHEL-07-030300
+# Ensure to set the IP address of the log aggregation server.
+rhel7STIG_stigrule_204509_Manage: False
+rhel7STIG_stigrule_204509__etc_audisp_audisp_remote_conf_Line: 'remote_server = 192.0.2.255'
+# R-204510 RHEL-07-030310
+# Ensure to set the IP address of the log aggregation server.
+rhel7STIG_stigrule_204510_Manage: True
+rhel7STIG_stigrule_204510__etc_audisp_audisp_remote_conf_Line: 'enable_krb5 = yes'
+# R-204511 RHEL-07-030320
+rhel7STIG_stigrule_204511_Manage: True
+rhel7STIG_stigrule_204511__etc_audisp_audisp_remote_conf_Line: 'disk_full_action = single'
+# R-204512 RHEL-07-030321
+rhel7STIG_stigrule_204512_Manage: True
+rhel7STIG_stigrule_204512__etc_audisp_audisp_remote_conf_Line: 'network_failure_action = syslog'
+# R-204514 RHEL-07-030340
+rhel7STIG_stigrule_204514_Manage: True
+rhel7STIG_stigrule_204514__etc_audit_auditd_conf_Line: 'space_left_action = email'
+# R-204515 RHEL-07-030350
+rhel7STIG_stigrule_204515_Manage: True
+rhel7STIG_stigrule_204515__etc_audit_auditd_conf_Line: 'action_mail_acct = root'
+# R-204516 RHEL-07-030360
+rhel7STIG_stigrule_204516_Manage: True
+rhel7STIG_stigrule_204516__etc_audit_rules_d_audit_rules_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid'
+rhel7STIG_stigrule_204516__etc_audit_rules_d_audit_rules_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid'
+rhel7STIG_stigrule_204516__etc_audit_rules_d_audit_rules_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid'
+rhel7STIG_stigrule_204516__etc_audit_rules_d_audit_rules_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid'
+# R-204517 RHEL-07-030370
+rhel7STIG_stigrule_204517_Manage: True
+rhel7STIG_stigrule_204517__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel7STIG_stigrule_204517__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-204521 RHEL-07-030410
+rhel7STIG_stigrule_204521_Manage: True
+rhel7STIG_stigrule_204521__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel7STIG_stigrule_204521__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-204524 RHEL-07-030440
+rhel7STIG_stigrule_204524_Manage: True
+rhel7STIG_stigrule_204524__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel7STIG_stigrule_204524__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-204531 RHEL-07-030510
+rhel7STIG_stigrule_204531_Manage: True
+rhel7STIG_stigrule_204531__etc_audit_rules_d_audit_rules_EPERM_b32_Line: '-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access'
+rhel7STIG_stigrule_204531__etc_audit_rules_d_audit_rules_EPERM_b64_Line: '-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access'
+rhel7STIG_stigrule_204531__etc_audit_rules_d_audit_rules_EACCES_b32_Line: '-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access'
+rhel7STIG_stigrule_204531__etc_audit_rules_d_audit_rules_EACCES_b64_Line: '-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access'
+# R-204536 RHEL-07-030560
+rhel7STIG_stigrule_204536_Manage: True
+rhel7STIG_stigrule_204536__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204537 RHEL-07-030570
+rhel7STIG_stigrule_204537_Manage: True
+rhel7STIG_stigrule_204537__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204538 RHEL-07-030580
+rhel7STIG_stigrule_204538_Manage: True
+rhel7STIG_stigrule_204538__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204539 RHEL-07-030590
+rhel7STIG_stigrule_204539_Manage: True
+rhel7STIG_stigrule_204539__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204540 RHEL-07-030610
+rhel7STIG_stigrule_204540_Manage: True
+rhel7STIG_stigrule_204540__etc_audit_rules_d_audit_rules_Line: '-w /var/run/faillock -p wa -k logins'
+# R-204541 RHEL-07-030620
+rhel7STIG_stigrule_204541_Manage: True
+rhel7STIG_stigrule_204541__etc_audit_rules_d_audit_rules_Line: '-w /var/log/lastlog -p wa -k logins'
+# R-204542 RHEL-07-030630
+rhel7STIG_stigrule_204542_Manage: True
+rhel7STIG_stigrule_204542__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
+# R-204543 RHEL-07-030640
+rhel7STIG_stigrule_204543_Manage: True
+rhel7STIG_stigrule_204543__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
+# R-204544 RHEL-07-030650
+rhel7STIG_stigrule_204544_Manage: True
+rhel7STIG_stigrule_204544__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
+# R-204545 RHEL-07-030660
+rhel7STIG_stigrule_204545_Manage: True
+rhel7STIG_stigrule_204545__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
+# R-204546 RHEL-07-030670
+rhel7STIG_stigrule_204546_Manage: True
+rhel7STIG_stigrule_204546__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
+# R-204547 RHEL-07-030680
+rhel7STIG_stigrule_204547_Manage: True
+rhel7STIG_stigrule_204547__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204548 RHEL-07-030690
+rhel7STIG_stigrule_204548_Manage: True
+rhel7STIG_stigrule_204548__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204549 RHEL-07-030700
+rhel7STIG_stigrule_204549_Manage: True
+rhel7STIG_stigrule_204549__etc_audit_rules_d_audit_rules_sudoers_Line: '-w /etc/sudoers -p wa -k privileged-actions'
+rhel7STIG_stigrule_204549__etc_audit_rules_d_audit_rules_sudoers_d_Line: '-w /etc/sudoers.d/ -p wa -k privileged-actions'
+# R-204550 RHEL-07-030710
+rhel7STIG_stigrule_204550_Manage: True
+rhel7STIG_stigrule_204550__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204551 RHEL-07-030720
+rhel7STIG_stigrule_204551_Manage: True
+rhel7STIG_stigrule_204551__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
+# R-204552 RHEL-07-030740
+rhel7STIG_stigrule_204552_Manage: True
+rhel7STIG_stigrule_204552__etc_audit_rules_d_audit_rules_mount_b32_Line: '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
+rhel7STIG_stigrule_204552__etc_audit_rules_d_audit_rules_mount_b64_Line: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
+rhel7STIG_stigrule_204552__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
+# R-204553 RHEL-07-030750
+rhel7STIG_stigrule_204553_Manage: True
+rhel7STIG_stigrule_204553__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/bin/umount -F auid>=1000 -F auid!=4294967295 -k privileged-mount'
+# R-204554 RHEL-07-030760
+rhel7STIG_stigrule_204554_Manage: True
+rhel7STIG_stigrule_204554__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
+# R-204555 RHEL-07-030770
+rhel7STIG_stigrule_204555_Manage: True
+rhel7STIG_stigrule_204555__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
+# R-204556 RHEL-07-030780
+rhel7STIG_stigrule_204556_Manage: True
+rhel7STIG_stigrule_204556__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
+# R-204557 RHEL-07-030800
+rhel7STIG_stigrule_204557_Manage: True
+rhel7STIG_stigrule_204557__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
+# R-204558 RHEL-07-030810
+rhel7STIG_stigrule_204558_Manage: True
+rhel7STIG_stigrule_204558__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+# R-204559 RHEL-07-030819
+rhel7STIG_stigrule_204559_Manage: True
+rhel7STIG_stigrule_204559__etc_audit_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S create_module -k module-change'
+rhel7STIG_stigrule_204559__etc_audit_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S create_module -k module-change'
+# R-204560 RHEL-07-030820
+rhel7STIG_stigrule_204560_Manage: True
+rhel7STIG_stigrule_204560__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -k modulechange'
+rhel7STIG_stigrule_204560__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -k modulechange'
+# R-204562 RHEL-07-030830
+rhel7STIG_stigrule_204562_Manage: True
+rhel7STIG_stigrule_204562__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S delete_module -k module-change'
+rhel7STIG_stigrule_204562__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S delete_module -k module-change'
+# R-204563 RHEL-07-030840
+rhel7STIG_stigrule_204563_Manage: True
+rhel7STIG_stigrule_204563__etc_audit_rules_d_audit_rules_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
+# R-204564 RHEL-07-030870
+rhel7STIG_stigrule_204564_Manage: True
+rhel7STIG_stigrule_204564__etc_audit_rules_d_audit_rules_Line: '-w /etc/passwd -p wa -k identity'
+# R-204565 RHEL-07-030871
+rhel7STIG_stigrule_204565_Manage: True
+rhel7STIG_stigrule_204565__etc_audit_audit_rules_Line: '-w /etc/group -p wa -k identity'
+# R-204566 RHEL-07-030872
+rhel7STIG_stigrule_204566_Manage: True
+rhel7STIG_stigrule_204566__etc_audit_audit_rules_Line: '-w /etc/gshadow -p wa -k identity'
+# R-204567 RHEL-07-030873
+rhel7STIG_stigrule_204567_Manage: True
+rhel7STIG_stigrule_204567__etc_audit_audit_rules_Line: '-w /etc/shadow -p wa -k identity'
+# R-204568 RHEL-07-030874
+rhel7STIG_stigrule_204568_Manage: True
+rhel7STIG_stigrule_204568__etc_audit_audit_rules_Line: '-w /etc/security/opasswd -p wa -k identity'
+# R-204572 RHEL-07-030910
+rhel7STIG_stigrule_204572_Manage: True
+rhel7STIG_stigrule_204572__etc_audit_rules_d_audit_rules_b32_Line: '-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete'
+rhel7STIG_stigrule_204572__etc_audit_rules_d_audit_rules_b64_Line: '-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete'
+# R-204576 RHEL-07-040000
+rhel7STIG_stigrule_204576_Manage: True
+rhel7STIG_stigrule_204576__etc_security_limits_conf_Line: '* hard maxlogins 10'
+# R-204578 RHEL-07-040110
+rhel7STIG_stigrule_204578_Manage: True
+rhel7STIG_stigrule_204578_Ciphers_Line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+# R-204579 RHEL-07-040160
+rhel7STIG_stigrule_204579_Manage: True
+rhel7STIG_stigrule_204579__etc_profile_d_tmout_sh_Dest: /etc/profile.d/tmout.sh
+rhel7STIG_stigrule_204579__etc_profile_d_tmout_sh_Content: '#!/bin/bash
+
+
+
+declare -xr TMOUT=900'
+# R-204580 RHEL-07-040170
+rhel7STIG_stigrule_204580_Manage: True
+rhel7STIG_stigrule_204580_banner_Line: banner /etc/issue
+# R-204584 RHEL-07-040201
+rhel7STIG_stigrule_204584_Manage: True
+rhel7STIG_stigrule_204584_kernel_randomize_va_space_Value: 2
+# R-204585 RHEL-07-040300
+rhel7STIG_stigrule_204585_Manage: True
+rhel7STIG_stigrule_204585_openssh_clients_x86_64_State: installed
+rhel7STIG_stigrule_204585_openssh_server_x86_64_State: installed
+# R-204586 RHEL-07-040310
+rhel7STIG_stigrule_204586_Manage: True
+rhel7STIG_stigrule_204586_sshd_enable_Enabled: yes
+rhel7STIG_stigrule_204586_sshd_start_State: started
+# R-204587 RHEL-07-040320
+rhel7STIG_stigrule_204587_Manage: True
+rhel7STIG_stigrule_204587_ClientAliveInterval_Line: ClientAliveInterval 600
+# R-204588 RHEL-07-040330
+rhel7STIG_stigrule_204588_Manage: True
+rhel7STIG_stigrule_204588_RhostsRSAAuthentication_Line: RhostsRSAAuthentication no
+# R-204589 RHEL-07-040340
+rhel7STIG_stigrule_204589_Manage: True
+rhel7STIG_stigrule_204589_ClientAliveCountMax_Line: ClientAliveCountMax 0
+# R-204590 RHEL-07-040350
+rhel7STIG_stigrule_204590_Manage: True
+rhel7STIG_stigrule_204590_IgnoreRhosts_Line: IgnoreRhosts yes
+# R-204591 RHEL-07-040360
+rhel7STIG_stigrule_204591_Manage: True
+rhel7STIG_stigrule_204591_PrintLastLog_Line: PrintLastLog yes
+# R-204592 RHEL-07-040370
+rhel7STIG_stigrule_204592_Manage: True
+rhel7STIG_stigrule_204592_PermitRootLogin_Line: PermitRootLogin no
+# R-204593 RHEL-07-040380
+rhel7STIG_stigrule_204593_Manage: True
+rhel7STIG_stigrule_204593_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes
+# R-204594 RHEL-07-040390
+rhel7STIG_stigrule_204594_Manage: True
+rhel7STIG_stigrule_204594_Protocol_Line: Protocol 2
+# R-204595 RHEL-07-040400
+rhel7STIG_stigrule_204595_Manage: True
+rhel7STIG_stigrule_204595_MACs_Line: MACs hmac-sha2-512,hmac-sha2-256
+# R-204598 RHEL-07-040430
+rhel7STIG_stigrule_204598_Manage: True
+rhel7STIG_stigrule_204598_GSSAPIAuthentication_Line: GSSAPIAuthentication no
+# R-204599 RHEL-07-040440
+rhel7STIG_stigrule_204599_Manage: True
+rhel7STIG_stigrule_204599_KerberosAuthentication_Line: KerberosAuthentication no
+# R-204600 RHEL-07-040450
+rhel7STIG_stigrule_204600_Manage: True
+rhel7STIG_stigrule_204600_StrictModes_Line: StrictModes yes
+# R-204601 RHEL-07-040460
+rhel7STIG_stigrule_204601_Manage: True
+rhel7STIG_stigrule_204601_UsePrivilegeSeparation_Line: UsePrivilegeSeparation sandbox
+# R-204602 RHEL-07-040470
+rhel7STIG_stigrule_204602_Manage: True
+rhel7STIG_stigrule_204602_Compression_Line: Compression no
+# R-204604 RHEL-07-040520
+rhel7STIG_stigrule_204604_Manage: True
+rhel7STIG_stigrule_204604_firewalld_service_State: installed
+rhel7STIG_stigrule_204604_firewalld_active_Enabled: yes
+rhel7STIG_stigrule_204604_firewalld_start_State: started
+# R-204609 RHEL-07-040610
+rhel7STIG_stigrule_204609_Manage: True
+rhel7STIG_stigrule_204609_net_ipv4_conf_all_accept_source_route_Value: 0
+# R-204610 RHEL-07-040611
+rhel7STIG_stigrule_204610_Manage: True
+rhel7STIG_stigrule_204610_net_ipv4_conf_all_rp_filter_Value: 1
+rhel7STIG_stigrule_204610_net_ipv4_conf_default_rp_filter_Value: 1
+# R-204612 RHEL-07-040620
+rhel7STIG_stigrule_204612_Manage: True
+rhel7STIG_stigrule_204612_net_ipv4_conf_default_accept_source_route_Value: 0
+# R-204613 RHEL-07-040630
+rhel7STIG_stigrule_204613_Manage: True
+rhel7STIG_stigrule_204613_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
+# R-204614 RHEL-07-040640
+rhel7STIG_stigrule_204614_Manage: True
+rhel7STIG_stigrule_204614_net_ipv4_conf_default_accept_redirects_Value: 0
+# R-204615 RHEL-07-040641
+rhel7STIG_stigrule_204615_Manage: True
+rhel7STIG_stigrule_204615_net_ipv4_conf_all_accept_redirects_Value: 0
+# R-204616 RHEL-07-040650
+rhel7STIG_stigrule_204616_Manage: True
+rhel7STIG_stigrule_204616_net_ipv4_conf_default_send_redirects_Value: 0
+# R-204617 RHEL-07-040660
+rhel7STIG_stigrule_204617_Manage: True
+rhel7STIG_stigrule_204617_net_ipv4_conf_all_send_redirects_Value: 0
+# R-204619 RHEL-07-040680
+rhel7STIG_stigrule_204619_Manage: True
+rhel7STIG_stigrule_204619_postconf__e__smtpd_client_restrictions___permit_mynetworks_reject__Command: postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
+# R-204620 RHEL-07-040690
+rhel7STIG_stigrule_204620_Manage: True
+rhel7STIG_stigrule_204620_vsftpd_State: removed
+# R-204621 RHEL-07-040700
+rhel7STIG_stigrule_204621_Manage: True
+rhel7STIG_stigrule_204621_tftp_server_State: removed
+# R-204622 RHEL-07-040710
+rhel7STIG_stigrule_204622_Manage: True
+rhel7STIG_stigrule_204622_X11Forwarding_Line: X11Forwarding no
+# R-204624 RHEL-07-040730
+# Document the requirement for an X Windows server with the ISSO or remove.
+rhel7STIG_stigrule_204624_Manage: False
+rhel7STIG_stigrule_204624_xorg_x11_server_common_State: removed
+# R-204625 RHEL-07-040740
+rhel7STIG_stigrule_204625_Manage: True
+rhel7STIG_stigrule_204625_net_ipv4_ip_forward_Value: 0
+# R-204630 RHEL-07-040830
+rhel7STIG_stigrule_204630_Manage: True
+rhel7STIG_stigrule_204630_net_ipv6_conf_all_accept_source_route_Value: 0
+# R-204631 RHEL-07-041001
+rhel7STIG_stigrule_204631_Manage: True
+rhel7STIG_stigrule_204631_pam_pkcs11_State: installed
+# R-204634 RHEL-07-041010
+rhel7STIG_stigrule_204634_Manage: True
+rhel7STIG_stigrule_204634_nmcli_radio_wifi_off_Command: nmcli radio wifi off
+# R-214937 RHEL-07-010062
+rhel7STIG_stigrule_214937_Manage: True
+rhel7STIG_stigrule_214937__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-enabled'
+# R-233307 RHEL-07-040711
+rhel7STIG_stigrule_233307_Manage: True
+rhel7STIG_stigrule_233307_X11UseLocalhost_Line: X11UseLocalhost yes

collections/ansible_collections/demo/compliance/roles/rhel7STIG/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: dconf_update
+  command: dconf update
+- name: auditd_restart
+  command: /usr/sbin/service auditd restart
+- name: ssh_restart
+  service:
+    name: sshd
+    state: restarted
+- name: do_reboot
+  reboot:
+    pre_reboot_delay: 60

collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,86 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath('.')
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group('rev')
+        else:
+            rev = '0'
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search('stigrule_(?P<id>\d+)', name)
+        if m:
+            nid = m.group('id')
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, 'Unknown') != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
+        sc.text = str(passing)
+        with open(self.XML_path, 'wb') as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml

@@ -0,0 +1,559 @@
+# R-230225 RHEL-08-010040
+rhel8STIG_stigrule_230225_Manage: True
+rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
+# R-230226 RHEL-08-010050
+rhel8STIG_stigrule_230226_Manage: True
+rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
+# R-230227 RHEL-08-010060
+rhel8STIG_stigrule_230227_Manage: True
+rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
+rhel8STIG_stigrule_230227__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+'
+# R-230228 RHEL-08-010070
+rhel8STIG_stigrule_230228_Manage: True
+rhel8STIG_stigrule_230228__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
+# R-230231 RHEL-08-010110
+rhel8STIG_stigrule_230231_Manage: True
+rhel8STIG_stigrule_230231__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
+# R-230236 RHEL-08-010151
+rhel8STIG_stigrule_230236_Manage: True
+rhel8STIG_stigrule_230236__usr_lib_systemd_system_rescue_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell rescue'
+# R-230239 RHEL-08-010162
+rhel8STIG_stigrule_230239_Manage: True
+rhel8STIG_stigrule_230239_krb5_workstation_State: removed
+# R-230240 RHEL-08-010170
+rhel8STIG_stigrule_230240_Manage: True
+rhel8STIG_stigrule_230240__etc_selinux_config_Line: 'SELINUX=enforcing'
+# R-230241 RHEL-08-010171
+rhel8STIG_stigrule_230241_Manage: True
+rhel8STIG_stigrule_230241_policycoreutils_State: installed
+# R-230244 RHEL-08-010200
+rhel8STIG_stigrule_230244_Manage: True
+rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
+# R-230255 RHEL-08-010294
+rhel8STIG_stigrule_230255_Manage: True
+rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
+# R-230256 RHEL-08-010295
+rhel8STIG_stigrule_230256_Manage: True
+rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line: '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
+# R-230265 RHEL-08-010371
+rhel8STIG_stigrule_230265_Manage: True
+rhel8STIG_stigrule_230265__etc_dnf_dnf_conf_Value: '1'
+# R-230266 RHEL-08-010372
+rhel8STIG_stigrule_230266_Manage: True
+rhel8STIG_stigrule_230266__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.kexec_load_disabled = 1'
+# R-230267 RHEL-08-010373
+rhel8STIG_stigrule_230267_Manage: True
+rhel8STIG_stigrule_230267__etc_sysctl_d_99_sysctl_conf_Line: 'fs.protected_symlinks = 1'
+# R-230268 RHEL-08-010374
+rhel8STIG_stigrule_230268_Manage: True
+rhel8STIG_stigrule_230268__etc_sysctl_d_99_sysctl_conf_Line: 'fs.protected_hardlinks = 1'
+# R-230269 RHEL-08-010375
+rhel8STIG_stigrule_230269_Manage: True
+rhel8STIG_stigrule_230269__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.dmesg_restrict = 1'
+# R-230270 RHEL-08-010376
+rhel8STIG_stigrule_230270_Manage: True
+rhel8STIG_stigrule_230270__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.perf_event_paranoid = 2'
+# R-230273 RHEL-08-010390
+rhel8STIG_stigrule_230273_Manage: True
+rhel8STIG_stigrule_230273_esc_State: installed
+rhel8STIG_stigrule_230273_openssl_pkcs11_State: installed
+# R-230275 RHEL-08-010410
+rhel8STIG_stigrule_230275_Manage: True
+rhel8STIG_stigrule_230275_opensc_State: installed
+# R-230280 RHEL-08-010430
+rhel8STIG_stigrule_230280_Manage: True
+rhel8STIG_stigrule_230280__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.randomize_va_space = 2'
+# R-230281 RHEL-08-010440
+rhel8STIG_stigrule_230281_Manage: True
+rhel8STIG_stigrule_230281__etc_dnf_dnf_conf_Value: 'True'
+# R-230282 RHEL-08-010450
+rhel8STIG_stigrule_230282_Manage: True
+rhel8STIG_stigrule_230282__etc_selinux_config_Line: 'SELINUXTYPE=targeted'
+# R-230285 RHEL-08-010471
+rhel8STIG_stigrule_230285_Manage: True
+rhel8STIG_stigrule_230285_rngd_enable_Enabled: yes
+rhel8STIG_stigrule_230285_rngd_start_State: started
+# R-230288 RHEL-08-010500
+rhel8STIG_stigrule_230288_Manage: True
+rhel8STIG_stigrule_230288_StrictModes_Line: StrictModes yes
+# R-230290 RHEL-08-010520
+rhel8STIG_stigrule_230290_Manage: True
+rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes
+# R-230291 RHEL-08-010521
+rhel8STIG_stigrule_230291_Manage: True
+rhel8STIG_stigrule_230291_KerberosAuthentication_Line: KerberosAuthentication no
+# R-230296 RHEL-08-010550
+rhel8STIG_stigrule_230296_Manage: True
+rhel8STIG_stigrule_230296_PermitRootLogin_Line: PermitRootLogin no
+# R-230298 RHEL-08-010561
+rhel8STIG_stigrule_230298_Manage: True
+rhel8STIG_stigrule_230298_rsyslog_enable_Enabled: yes
+rhel8STIG_stigrule_230298_rsyslog_start_State: started
+# R-230310 RHEL-08-010670
+# If kernel core dumps are required, document the need with the ISSO.
+rhel8STIG_stigrule_230310_Manage: True
+rhel8STIG_stigrule_230310_kdump_disable_Enabled: no
+# R-230311 RHEL-08-010671
+rhel8STIG_stigrule_230311_Manage: True
+rhel8STIG_stigrule_230311__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.core_pattern=|/bin/false'
+rhel8STIG_stigrule_230311_kernel_core_pattern_Value: '|/bin/false'
+# R-230313 RHEL-08-010673
+rhel8STIG_stigrule_230313_Manage: True
+rhel8STIG_stigrule_230313__etc_security_limits_conf_Line: '* hard core 0'
+# R-230314 RHEL-08-010674
+rhel8STIG_stigrule_230314_Manage: True
+rhel8STIG_stigrule_230314__etc_systemd_coredump_conf_Line: 'Storage=none'
+# R-230315 RHEL-08-010675
+rhel8STIG_stigrule_230315_Manage: True
+rhel8STIG_stigrule_230315__etc_systemd_coredump_conf_Line: 'ProcessSizeMax=0'
+# R-230324 RHEL-08-010760
+rhel8STIG_stigrule_230324_Manage: True
+rhel8STIG_stigrule_230324__etc_login_defs_Line: 'CREATE_HOME yes'
+# R-230329 RHEL-08-010820
+rhel8STIG_stigrule_230329_Manage: True
+rhel8STIG_stigrule_230329__etc_gdm_custom_conf_Value: 'false'
+# R-230330 RHEL-08-010830
+rhel8STIG_stigrule_230330_Manage: True
+rhel8STIG_stigrule_230330_PermitUserEnvironment_Line: PermitUserEnvironment no
+# R-230346 RHEL-08-020024
+rhel8STIG_stigrule_230346_Manage: True
+rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
+# R-230347 RHEL-08-020030
+rhel8STIG_stigrule_230347_Manage: True
+rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
+# R-230352 RHEL-08-020060
+rhel8STIG_stigrule_230352_Manage: True
+rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
+# R-230354 RHEL-08-020080
+rhel8STIG_stigrule_230354_Manage: True
+rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
+# R-230357 RHEL-08-020110
+rhel8STIG_stigrule_230357_Manage: True
+rhel8STIG_stigrule_230357__etc_security_pwquality_conf_Line: 'ucredit = -1'
+# R-230358 RHEL-08-020120
+rhel8STIG_stigrule_230358_Manage: True
+rhel8STIG_stigrule_230358__etc_security_pwquality_conf_Line: 'lcredit = -1'
+# R-230359 RHEL-08-020130
+rhel8STIG_stigrule_230359_Manage: True
+rhel8STIG_stigrule_230359__etc_security_pwquality_conf_Line: 'dcredit = -1'
+# R-230360 RHEL-08-020140
+rhel8STIG_stigrule_230360_Manage: True
+rhel8STIG_stigrule_230360__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4'
+# R-230361 RHEL-08-020150
+rhel8STIG_stigrule_230361_Manage: True
+rhel8STIG_stigrule_230361__etc_security_pwquality_conf_Line: 'maxrepeat = 3'
+# R-230362 RHEL-08-020160
+rhel8STIG_stigrule_230362_Manage: True
+rhel8STIG_stigrule_230362__etc_security_pwquality_conf_Line: 'minclass = 4'
+# R-230363 RHEL-08-020170
+rhel8STIG_stigrule_230363_Manage: True
+rhel8STIG_stigrule_230363__etc_security_pwquality_conf_Line: 'difok = 8'
+# R-230365 RHEL-08-020190
+rhel8STIG_stigrule_230365_Manage: True
+rhel8STIG_stigrule_230365__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
+# R-230366 RHEL-08-020200
+rhel8STIG_stigrule_230366_Manage: True
+rhel8STIG_stigrule_230366__etc_login_defs_Line: 'PASS_MAX_DAYS 60'
+# R-230369 RHEL-08-020230
+rhel8STIG_stigrule_230369_Manage: True
+rhel8STIG_stigrule_230369__etc_security_pwquality_conf_Line: 'minlen = 15'
+# R-230370 RHEL-08-020231
+rhel8STIG_stigrule_230370_Manage: True
+rhel8STIG_stigrule_230370__etc_login_defs_Line: 'PASS_MIN_LEN 15'
+# R-230375 RHEL-08-020280
+rhel8STIG_stigrule_230375_Manage: True
+rhel8STIG_stigrule_230375__etc_security_pwquality_conf_Line: 'ocredit = -1'
+# R-230377 RHEL-08-020300
+rhel8STIG_stigrule_230377_Manage: True
+rhel8STIG_stigrule_230377__etc_security_pwquality_conf_Line: 'dictcheck = 1'
+# R-230378 RHEL-08-020310
+rhel8STIG_stigrule_230378_Manage: True
+rhel8STIG_stigrule_230378__etc_login_defs_Line: 'FAIL_DELAY 4'
+# R-230382 RHEL-08-020350
+rhel8STIG_stigrule_230382_Manage: True
+rhel8STIG_stigrule_230382_PrintLastLog_Line: PrintLastLog yes
+# R-230383 RHEL-08-020351
+rhel8STIG_stigrule_230383_Manage: True
+rhel8STIG_stigrule_230383__etc_login_defs_Line: 'UMASK 077'
+# R-230386 RHEL-08-030000
+rhel8STIG_stigrule_230386_Manage: True
+rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv'
+rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv'
+rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv'
+rhel8STIG_stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv'
+# R-230387 RHEL-08-030010
+rhel8STIG_stigrule_230387_Manage: True
+rhel8STIG_stigrule_230387__etc_rsyslog_conf_Line: 'cron.* /var/log/cron'
+# R-230388 RHEL-08-030020
+rhel8STIG_stigrule_230388_Manage: True
+rhel8STIG_stigrule_230388__etc_audit_auditd_conf_Line: 'action_mail_acct = root'
+# R-230389 RHEL-08-030030
+rhel8STIG_stigrule_230389_Manage: True
+rhel8STIG_stigrule_230389__etc_aliases_Line: 'postmaster: root'
+# R-230390 RHEL-08-030040
+rhel8STIG_stigrule_230390_Manage: True
+rhel8STIG_stigrule_230390__etc_audit_auditd_conf_Line: 'disk_error_action = HALT'
+# R-230392 RHEL-08-030060
+rhel8STIG_stigrule_230392_Manage: True
+rhel8STIG_stigrule_230392__etc_audit_auditd_conf_Line: 'disk_full_action = HALT'
+# R-230393 RHEL-08-030061
+rhel8STIG_stigrule_230393_Manage: True
+rhel8STIG_stigrule_230393__etc_audit_auditd_conf_Line: 'local_events = yes'
+# R-230394 RHEL-08-030062
+rhel8STIG_stigrule_230394_Manage: True
+rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
+# R-230395 RHEL-08-030063
+rhel8STIG_stigrule_230395_Manage: True
+rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
+# R-230398 RHEL-08-030090
+# A duplicate of 230396
+# duplicate of 230396
+# R-230402 RHEL-08-030121
+rhel8STIG_stigrule_230402_Manage: True
+rhel8STIG_stigrule_230402__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
+# R-230403 RHEL-08-030122
+rhel8STIG_stigrule_230403_Manage: True
+rhel8STIG_stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable_Line: '--loginuid-immutable'
+# R-230404 RHEL-08-030130
+rhel8STIG_stigrule_230404_Manage: True
+rhel8STIG_stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow_Line: '-w /etc/shadow -p wa -k identity'
+# R-230405 RHEL-08-030140
+rhel8STIG_stigrule_230405_Manage: True
+rhel8STIG_stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd_Line: '-w /etc/security/opasswd -p wa -k identity'
+# R-230406 RHEL-08-030150
+rhel8STIG_stigrule_230406_Manage: True
+rhel8STIG_stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd_Line: '-w /etc/passwd -p wa -k identity'
+# R-230407 RHEL-08-030160
+rhel8STIG_stigrule_230407_Manage: True
+rhel8STIG_stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow_Line: '-w /etc/gshadow -p wa -k identity'
+# R-230408 RHEL-08-030170
+rhel8STIG_stigrule_230408_Manage: True
+rhel8STIG_stigrule_230408__etc_audit_rules_d_audit_rules__etc_group_Line: '-w /etc/group -p wa -k identity'
+# R-230409 RHEL-08-030171
+rhel8STIG_stigrule_230409_Manage: True
+rhel8STIG_stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers_Line: '-w /etc/sudoers -p wa -k identity'
+# R-230410 RHEL-08-030172
+rhel8STIG_stigrule_230410_Manage: True
+rhel8STIG_stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d__Line: '-w /etc/sudoers.d/ -p wa -k identity'
+# R-230411 RHEL-08-030180
+rhel8STIG_stigrule_230411_Manage: True
+rhel8STIG_stigrule_230411_audit_State: installed
+# R-230412 RHEL-08-030190
+rhel8STIG_stigrule_230412_Manage: True
+rhel8STIG_stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su_Line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change'
+# R-230413 RHEL-08-030200
+rhel8STIG_stigrule_230413_Manage: True
+rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
+rhel8STIG_stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
+# R-230418 RHEL-08-030250
+rhel8STIG_stigrule_230418_Manage: True
+rhel8STIG_stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage_Line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage'
+# R-230419 RHEL-08-030260
+rhel8STIG_stigrule_230419_Manage: True
+rhel8STIG_stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon_Line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230421 RHEL-08-030280
+rhel8STIG_stigrule_230421_Manage: True
+rhel8STIG_stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent_Line: '-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-230422 RHEL-08-030290
+rhel8STIG_stigrule_230422_Manage: True
+rhel8STIG_stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd_Line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd'
+# R-230423 RHEL-08-030300
+rhel8STIG_stigrule_230423_Manage: True
+rhel8STIG_stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230424 RHEL-08-030301
+rhel8STIG_stigrule_230424_Manage: True
+rhel8STIG_stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount_Line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230425 RHEL-08-030302
+rhel8STIG_stigrule_230425_Manage: True
+rhel8STIG_stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32_Line: '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount'
+rhel8STIG_stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64_Line: '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-230426 RHEL-08-030310
+rhel8STIG_stigrule_230426_Manage: True
+rhel8STIG_stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update_Line: '-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230427 RHEL-08-030311
+rhel8STIG_stigrule_230427_Manage: True
+rhel8STIG_stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop_Line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230428 RHEL-08-030312
+rhel8STIG_stigrule_230428_Manage: True
+rhel8STIG_stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue_Line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230429 RHEL-08-030313
+rhel8STIG_stigrule_230429_Manage: True
+rhel8STIG_stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage_Line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230430 RHEL-08-030314
+rhel8STIG_stigrule_230430_Manage: True
+rhel8STIG_stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles_Line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230431 RHEL-08-030315
+rhel8STIG_stigrule_230431_Manage: True
+rhel8STIG_stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper_Line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230432 RHEL-08-030316
+rhel8STIG_stigrule_230432_Manage: True
+rhel8STIG_stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool_Line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230433 RHEL-08-030317
+rhel8STIG_stigrule_230433_Manage: True
+rhel8STIG_stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-230434 RHEL-08-030320
+rhel8STIG_stigrule_230434_Manage: True
+rhel8STIG_stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-230435 RHEL-08-030330
+rhel8STIG_stigrule_230435_Manage: True
+rhel8STIG_stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl_Line: '-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230436 RHEL-08-030340
+rhel8STIG_stigrule_230436_Manage: True
+rhel8STIG_stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check'
+# R-230437 RHEL-08-030350
+rhel8STIG_stigrule_230437_Manage: True
+rhel8STIG_stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp_Line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230438 RHEL-08-030360
+rhel8STIG_stigrule_230438_Manage: True
+rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-230439 RHEL-08-030361
+rhel8STIG_stigrule_230439_Manage: True
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+# R-230444 RHEL-08-030370
+rhel8STIG_stigrule_230444_Manage: True
+rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
+# R-230446 RHEL-08-030390
+rhel8STIG_stigrule_230446_Manage: True
+rhel8STIG_stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32_Line: '-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel8STIG_stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64_Line: '-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-230447 RHEL-08-030400
+rhel8STIG_stigrule_230447_Manage: True
+rhel8STIG_stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab_Line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab'
+# R-230448 RHEL-08-030410
+rhel8STIG_stigrule_230448_Manage: True
+rhel8STIG_stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh_Line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230449 RHEL-08-030420
+rhel8STIG_stigrule_230449_Manage: True
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+rhel8STIG_stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+# R-230455 RHEL-08-030480
+rhel8STIG_stigrule_230455_Manage: True
+rhel8STIG_stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230456 RHEL-08-030490
+rhel8STIG_stigrule_230456_Manage: True
+rhel8STIG_stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel8STIG_stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230462 RHEL-08-030550
+rhel8STIG_stigrule_230462_Manage: True
+rhel8STIG_stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo_Line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-230463 RHEL-08-030560
+rhel8STIG_stigrule_230463_Manage: True
+rhel8STIG_stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod_Line: '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod'
+# R-230464 RHEL-08-030570
+rhel8STIG_stigrule_230464_Manage: True
+rhel8STIG_stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl_Line: '-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-230465 RHEL-08-030580
+rhel8STIG_stigrule_230465_Manage: True
+rhel8STIG_stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
+# R-230466 RHEL-08-030590
+rhel8STIG_stigrule_230466_Manage: True
+rhel8STIG_stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock_Line: '-w /var/log/faillock -p wa -k logins'
+# R-230467 RHEL-08-030600
+rhel8STIG_stigrule_230467_Manage: True
+rhel8STIG_stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog_Line: '-w /var/log/lastlog -p wa -k logins'
+# R-230477 RHEL-08-030670
+rhel8STIG_stigrule_230477_Manage: True
+rhel8STIG_stigrule_230477_rsyslog_State: installed
+# R-230478 RHEL-08-030680
+rhel8STIG_stigrule_230478_Manage: True
+rhel8STIG_stigrule_230478_rsyslog_gnutls_State: installed
+# R-230480 RHEL-08-030700
+rhel8STIG_stigrule_230480_Manage: True
+rhel8STIG_stigrule_230480__etc_audit_auditd_conf_Line: 'overflow_action = syslog'
+# R-230481 RHEL-08-030710
+rhel8STIG_stigrule_230481_Manage: True
+rhel8STIG_stigrule_230481__etc_rsyslog_conf_DefaultNetstreamDriver_Line: '$DefaultNetstreamDriver gtls'
+rhel8STIG_stigrule_230481__etc_rsyslog_conf_ActionSendStreamDriverMode_Line: '$ActionSendStreamDriverMode 1'
+# R-230482 RHEL-08-030720
+rhel8STIG_stigrule_230482_Manage: True
+rhel8STIG_stigrule_230482__etc_rsyslog_conf_DefaultNetstreamDriver_Line: '$ActionSendStreamDriverAuthMode x509/name'
+# R-230483 RHEL-08-030730
+rhel8STIG_stigrule_230483_Manage: True
+rhel8STIG_stigrule_230483__etc_audit_auditd_conf_space_left_Line: 'space_left = 25%'
+# R-230487 RHEL-08-040000
+rhel8STIG_stigrule_230487_Manage: True
+rhel8STIG_stigrule_230487_telnet_server_State: removed
+# R-230488 RHEL-08-040001
+rhel8STIG_stigrule_230488_Manage: True
+rhel8STIG_stigrule_230488_abrt__State: removed
+# R-230489 RHEL-08-040002
+rhel8STIG_stigrule_230489_Manage: True
+rhel8STIG_stigrule_230489_sendmail_State: removed
+# R-230492 RHEL-08-040010
+rhel8STIG_stigrule_230492_Manage: True
+rhel8STIG_stigrule_230492_rsh_server_State: removed
+# R-230502 RHEL-08-040070
+rhel8STIG_stigrule_230502_Manage: True
+rhel8STIG_stigrule_230502_autofs_stop_State: stopped
+rhel8STIG_stigrule_230502_autofs_disable_Enabled: no
+# R-230505 RHEL-08-040100
+rhel8STIG_stigrule_230505_Manage: True
+rhel8STIG_stigrule_230505_firewalld_noarch_State: installed
+# R-230506 RHEL-08-040110
+rhel8STIG_stigrule_230506_Manage: True
+rhel8STIG_stigrule_230506_nmcli_radio_wifi_off_Command: nmcli radio wifi off
+# R-230526 RHEL-08-040160
+rhel8STIG_stigrule_230526_Manage: True
+rhel8STIG_stigrule_230526_ensure_openssh_server_x86_64_is_installed_State: installed
+rhel8STIG_stigrule_230526_sshd_enable_Enabled: yes
+# R-230527 RHEL-08-040161
+rhel8STIG_stigrule_230527_Manage: True
+rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
+# R-230529 RHEL-08-040170
+rhel8STIG_stigrule_230529_Manage: True
+rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
+rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
+# R-230531 RHEL-08-040172
+rhel8STIG_stigrule_230531_Manage: True
+rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
+# R-230533 RHEL-08-040190
+rhel8STIG_stigrule_230533_Manage: True
+rhel8STIG_stigrule_230533_tftp_server_State: removed
+# R-230535 RHEL-08-040210
+rhel8STIG_stigrule_230535_Manage: True
+rhel8STIG_stigrule_230535_net_ipv6_conf_default_accept_redirects_Value: 0
+# R-230536 RHEL-08-040220
+rhel8STIG_stigrule_230536_Manage: True
+rhel8STIG_stigrule_230536_net_ipv4_conf_all_send_redirects_Value: 0
+# R-230537 RHEL-08-040230
+rhel8STIG_stigrule_230537_Manage: True
+rhel8STIG_stigrule_230537_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
+# R-230538 RHEL-08-040240
+rhel8STIG_stigrule_230538_Manage: True
+rhel8STIG_stigrule_230538_net_ipv6_conf_all_accept_source_route_Value: 0
+# R-230539 RHEL-08-040250
+rhel8STIG_stigrule_230539_Manage: True
+rhel8STIG_stigrule_230539_net_ipv6_conf_default_accept_source_route_Value: 0
+# R-230540 RHEL-08-040260
+rhel8STIG_stigrule_230540_Manage: True
+rhel8STIG_stigrule_230540_net_ipv4_ip_forward_Value: 0
+rhel8STIG_stigrule_230540_net_ipv6_conf_all_forwarding_Value: 0
+# R-230541 RHEL-08-040261
+rhel8STIG_stigrule_230541_Manage: True
+rhel8STIG_stigrule_230541_net_ipv6_conf_all_accept_ra_Value: 0
+# R-230542 RHEL-08-040262
+rhel8STIG_stigrule_230542_Manage: True
+rhel8STIG_stigrule_230542_net_ipv6_conf_default_accept_ra_Value: 0
+# R-230543 RHEL-08-040270
+rhel8STIG_stigrule_230543_Manage: True
+rhel8STIG_stigrule_230543_net_ipv4_conf_default_send_redirects_Value: 0
+# R-230544 RHEL-08-040280
+rhel8STIG_stigrule_230544_Manage: True
+rhel8STIG_stigrule_230544_net_ipv6_conf_all_accept_redirects_Value: 0
+# R-230545 RHEL-08-040281
+rhel8STIG_stigrule_230545_Manage: True
+rhel8STIG_stigrule_230545__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.unprivileged_bpf_disabled = 1'
+# R-230546 RHEL-08-040282
+rhel8STIG_stigrule_230546_Manage: True
+rhel8STIG_stigrule_230546__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.yama.ptrace_scope = 1'
+rhel8STIG_stigrule_230546_kernel_yama_ptrace_scope_Value: 1
+# R-230547 RHEL-08-040283
+rhel8STIG_stigrule_230547_Manage: True
+rhel8STIG_stigrule_230547__etc_sysctl_d_99_sysctl_conf_Line: 'kernel.kptr_restrict = 1'
+# R-230548 RHEL-08-040284
+rhel8STIG_stigrule_230548_Manage: True
+rhel8STIG_stigrule_230548__etc_sysctl_d_99_sysctl_conf_Line: 'user.max_user_namespaces = 0'
+rhel8STIG_stigrule_230548_user_max_user_namespaces_Value: 0
+# R-230549 RHEL-08-040285
+rhel8STIG_stigrule_230549_Manage: True
+rhel8STIG_stigrule_230549__etc_sysctl_d_99_sysctl_conf_Line: 'net.ipv4.conf.all.rp_filter = 1'
+# R-230555 RHEL-08-040340
+rhel8STIG_stigrule_230555_Manage: True
+rhel8STIG_stigrule_230555_X11Forwarding_Line: X11Forwarding no
+# R-230556 RHEL-08-040341
+rhel8STIG_stigrule_230556_Manage: True
+rhel8STIG_stigrule_230556_X11UseLocalhost_Line: X11UseLocalhost yes
+# R-230558 RHEL-08-040360
+rhel8STIG_stigrule_230558_Manage: True
+rhel8STIG_stigrule_230558_vsftpd_State: removed
+# R-230559 RHEL-08-040370
+rhel8STIG_stigrule_230559_Manage: True
+rhel8STIG_stigrule_230559_gssproxy_State: removed
+# R-230560 RHEL-08-040380
+rhel8STIG_stigrule_230560_Manage: True
+rhel8STIG_stigrule_230560_iprutils_State: removed
+# R-230561 RHEL-08-040390
+rhel8STIG_stigrule_230561_Manage: True
+rhel8STIG_stigrule_230561_tuned_State: removed
+# R-244519 RHEL-08-010049
+rhel8STIG_stigrule_244519_Manage: True
+rhel8STIG_stigrule_244519__etc_dconf_db_local_d_01_banner_message_Value: 'true'
+# R-244523 RHEL-08-010152
+rhel8STIG_stigrule_244523_Manage: True
+rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell emergency'
+# R-244525 RHEL-08-010201
+rhel8STIG_stigrule_244525_Manage: True
+rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
+# R-244526 RHEL-08-010287
+rhel8STIG_stigrule_244526_Manage: True
+rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
+# R-244527 RHEL-08-010472
+rhel8STIG_stigrule_244527_Manage: True
+rhel8STIG_stigrule_244527_rng_tools_State: installed
+# R-244528 RHEL-08-010522
+rhel8STIG_stigrule_244528_Manage: True
+rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line: GSSAPIAuthentication no
+# R-244535 RHEL-08-020031
+rhel8STIG_stigrule_244535_Manage: True
+rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
+# R-244536 RHEL-08-020032
+rhel8STIG_stigrule_244536_Manage: True
+rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
+# R-244538 RHEL-08-020081
+rhel8STIG_stigrule_244538_Manage: True
+rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
+# R-244539 RHEL-08-020082
+rhel8STIG_stigrule_244539_Manage: True
+rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line: '/org/gnome/desktop/screensaver/lock-enabled'
+# R-244542 RHEL-08-030181
+rhel8STIG_stigrule_244542_Manage: True
+rhel8STIG_stigrule_244542_auditd_enable_Enabled: yes
+rhel8STIG_stigrule_244542_auditd_start_State: started
+# R-244543 RHEL-08-030731
+rhel8STIG_stigrule_244543_Manage: True
+rhel8STIG_stigrule_244543__etc_audit_auditd_conf_space_left_action_Line: 'space_left_action = email'
+# R-244544 RHEL-08-040101
+rhel8STIG_stigrule_244544_Manage: True
+rhel8STIG_stigrule_244544_firewalld_enable_Enabled: yes
+# R-244549 RHEL-08-040159
+rhel8STIG_stigrule_244549_Manage: True
+rhel8STIG_stigrule_244549_openssh_server_x86_64_State: installed
+# R-244550 RHEL-08-040209
+rhel8STIG_stigrule_244550_Manage: True
+rhel8STIG_stigrule_244550_net_ipv4_conf_default_accept_redirects_Value: 0
+# R-244551 RHEL-08-040239
+rhel8STIG_stigrule_244551_Manage: True
+rhel8STIG_stigrule_244551_net_ipv4_conf_all_accept_source_route_Value: 0
+# R-244552 RHEL-08-040249
+rhel8STIG_stigrule_244552_Manage: True
+rhel8STIG_stigrule_244552_net_ipv4_conf_default_accept_source_route_Value: 0
+# R-244553 RHEL-08-040279
+rhel8STIG_stigrule_244553_Manage: True
+rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
+# R-244554 RHEL-08-040286
+rhel8STIG_stigrule_244554_Manage: True
+rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed

collections/ansible_collections/demo/compliance/roles/rhel8STIG/handlers/main.yml

@@ -0,0 +1,30 @@
+- name: dconf_update
+  command: dconf update
+- name: auditd_restart
+  command: /usr/sbin/service auditd restart
+- name: ssh_restart
+  service:
+    name: sshd
+    state: restarted
+- name: rsyslog_restart
+  service:
+    name: rsyslog
+    state: restarted
+- name: sysctl_load_settings
+  command: sysctl --system
+- name: daemon_reload
+  systemd:
+    daemon_reload: true
+- name: networkmanager_reload
+  service:
+    name: NetworkManager
+    state: reloaded
+- name: logind_restart
+  service:
+    name: systemd-logind
+    state: restarted
+- name: with_faillock_enable
+  command: authselect enable-feature with-faillock
+- name: do_reboot
+  reboot:
+    pre_reboot_delay: 60

collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,86 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'xml'
+    CALLBACK_NAME = 'stig_xml'
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath('.')
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get('STIG_PATH')
+        self.XML_path = os.environ.get('XML_PATH')
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display('Using XML_PATH: {}'.format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
+        self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
+        self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set('end-time', endtime)
+        tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, 'r') as f:
+            r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group('rev')
+        else:
+            rev = '0'
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search('stigrule_(?P<id>\d+)', name)
+        if m:
+            nid = m.group('id')
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, 'Unknown') != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = 'fail' if changed else 'pass'
+            rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
+            rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
+            rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
+        sc.set('maximum', str(len(self.rules)))
+        sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
+        sc.text = str(passing)
+        with open(self.XML_path, 'wb') as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml

@@ -0,0 +1,984 @@
+# R-257779 RHEL-09-211020
+rhel9STIG_stigrule_257779_Manage: True
+rhel9STIG_stigrule_257779__etc_issue_Dest: /etc/issue
+rhel9STIG_stigrule_257779__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+'
+# R-257783 RHEL-09-211040
+rhel9STIG_stigrule_257783_Manage: True
+rhel9STIG_stigrule_257783_systemd_journald_enable_Enabled: yes
+rhel9STIG_stigrule_257783_systemd_journald_start_State: started
+# R-257784 RHEL-09-211045
+rhel9STIG_stigrule_257784_Manage: True
+rhel9STIG_stigrule_257784__etc_systemd_system_conf_Value: 'none'
+# R-257785 RHEL-09-211050
+rhel9STIG_stigrule_257785_Manage: True
+rhel9STIG_stigrule_257785_ctrl_alt_del_target_disable_Enabled: false
+rhel9STIG_stigrule_257785_ctrl_alt_del_target_mask_Masked: true
+# R-257786 RHEL-09-211055
+rhel9STIG_stigrule_257786_Manage: True
+rhel9STIG_stigrule_257786_debug_shell_service_disable_Enabled: false
+rhel9STIG_stigrule_257786_debug_shell_service_mask_Masked: true
+# R-257790 RHEL-09-212025
+rhel9STIG_stigrule_257790_Manage: True
+rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Dest: /boot/grub2/grub.cfg
+rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Group: root
+# R-257791 RHEL-09-212030
+rhel9STIG_stigrule_257791_Manage: True
+rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Dest: /boot/grub2/grub.cfg
+rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Owner: root
+# R-257797 RHEL-09-213010
+rhel9STIG_stigrule_257797_Manage: True
+rhel9STIG_stigrule_257797_kernel_dmesg_restrict_Value: 1
+rhel9STIG_stigrule_257797_kernel_dmesg_restrict_File: /etc/sysctl.d/99-sysctl.conf
+# R-257798 RHEL-09-213015
+rhel9STIG_stigrule_257798_Manage: True
+rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_Value: 2
+rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_File: /etc/sysctl.d/99-sysctl.conf
+# R-257799 RHEL-09-213020
+rhel9STIG_stigrule_257799_Manage: True
+rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_Value: 1
+rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_File: /etc/sysctl.d/99-sysctl.conf
+# R-257800 RHEL-09-213025
+rhel9STIG_stigrule_257800_Manage: True
+rhel9STIG_stigrule_257800_kernel_kptr_restrict_Value: 1
+rhel9STIG_stigrule_257800_kernel_kptr_restrict_File: /etc/sysctl.d/99-sysctl.conf
+# R-257801 RHEL-09-213030
+rhel9STIG_stigrule_257801_Manage: True
+rhel9STIG_stigrule_257801_fs_protected_hardlinks_Value: 1
+rhel9STIG_stigrule_257801_fs_protected_hardlinks_File: /etc/sysctl.d/99-sysctl.conf
+# R-257802 RHEL-09-213035
+rhel9STIG_stigrule_257802_Manage: True
+rhel9STIG_stigrule_257802_fs_protected_symlinks_Value: 1
+rhel9STIG_stigrule_257802_fs_protected_symlinks_File: /etc/sysctl.d/99-sysctl.conf
+# R-257803 RHEL-09-213040
+rhel9STIG_stigrule_257803_Manage: True
+rhel9STIG_stigrule_257803_kernel_core_pattern_Value: '|/bin/false'
+rhel9STIG_stigrule_257803_kernel_core_pattern_File: /etc/sysctl.d/99-sysctl.conf
+# R-257804 RHEL-09-213045
+rhel9STIG_stigrule_257804_Manage: True
+rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_install_atm__bin_false_Line: 'install atm /bin/false'
+rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_blacklist_atm_Line: 'blacklist atm'
+# R-257805 RHEL-09-213050
+rhel9STIG_stigrule_257805_Manage: True
+rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_install_can__bin_false_Line: 'install can /bin/false'
+rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_blacklist_can_Line: 'blacklist can'
+# R-257806 RHEL-09-213055
+rhel9STIG_stigrule_257806_Manage: True
+rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_install_firewire_core__bin_false_Line: 'install firewire-core /bin/false'
+rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_blacklist_firewire_core_Line: 'blacklist firewire-core'
+# R-257807 RHEL-09-213060
+rhel9STIG_stigrule_257807_Manage: True
+rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_install_sctp__bin_false_Line: 'install sctp /bin/false'
+rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_blacklist_sctp_Line: 'blacklist sctp'
+# R-257808 RHEL-09-213065
+rhel9STIG_stigrule_257808_Manage: True
+rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_install_tipc__bin_false_Line: 'install tipc /bin/false'
+rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_blacklist_tipc_Line: 'blacklist tipc'
+# R-257809 RHEL-09-213070
+rhel9STIG_stigrule_257809_Manage: True
+rhel9STIG_stigrule_257809_kernel_randomize_va_space_Value: 2
+rhel9STIG_stigrule_257809_kernel_randomize_va_space_File: /etc/sysctl.d/99-sysctl.conf
+# R-257810 RHEL-09-213075
+rhel9STIG_stigrule_257810_Manage: True
+rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_Value: 1
+rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_File: /etc/sysctl.d/99-sysctl.conf
+# R-257811 RHEL-09-213080
+rhel9STIG_stigrule_257811_Manage: True
+rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_Value: 1
+rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_File: /etc/sysctl.d/99-sysctl.conf
+# R-257812 RHEL-09-213085
+rhel9STIG_stigrule_257812_Manage: True
+rhel9STIG_stigrule_257812__etc_systemd_coredump_conf_Line: 'ProcessSizeMax=0'
+# R-257813 RHEL-09-213090
+rhel9STIG_stigrule_257813_Manage: True
+rhel9STIG_stigrule_257813__etc_systemd_coredump_conf_Line: 'Storage=none'
+# R-257814 RHEL-09-213095
+rhel9STIG_stigrule_257814_Manage: True
+rhel9STIG_stigrule_257814__etc_security_limits_conf_Line: '* hard core 0'
+# R-257815 RHEL-09-213100
+rhel9STIG_stigrule_257815_Manage: True
+rhel9STIG_stigrule_257815_systemd_coredump_socket_disable_Enabled: false
+rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Daemon_Reload: true
+rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Masked: true
+# R-257816 RHEL-09-213105
+rhel9STIG_stigrule_257816_Manage: True
+rhel9STIG_stigrule_257816_user_max_user_namespaces_Value: 0
+rhel9STIG_stigrule_257816_user_max_user_namespaces_File: /etc/sysctl.d/99-sysctl.conf
+# R-257818 RHEL-09-213115
+rhel9STIG_stigrule_257818_Manage: True
+rhel9STIG_stigrule_257818_kdump_disable_Enabled: false
+rhel9STIG_stigrule_257818_kdump_mask_Masked: true
+# R-257820 RHEL-09-214015
+rhel9STIG_stigrule_257820_Manage: True
+rhel9STIG_stigrule_257820__etc_dnf_dnf_conf_Value: '1'
+# R-257821 RHEL-09-214020
+rhel9STIG_stigrule_257821_Manage: True
+rhel9STIG_stigrule_257821__etc_dnf_dnf_conf_Value: '1'
+# R-257824 RHEL-09-214035
+rhel9STIG_stigrule_257824_Manage: True
+rhel9STIG_stigrule_257824__etc_dnf_dnf_conf_Value: '1'
+# R-257825 RHEL-09-215010
+rhel9STIG_stigrule_257825_Manage: True
+rhel9STIG_stigrule_257825_subscription_manager_State: installed
+# R-257827 RHEL-09-215020
+rhel9STIG_stigrule_257827_Manage: True
+rhel9STIG_stigrule_257827_sendmail_State: removed
+# R-257828 RHEL-09-215025
+rhel9STIG_stigrule_257828_Manage: True
+rhel9STIG_stigrule_257828_nfs_utils_State: removed
+# R-257829 RHEL-09-215030
+rhel9STIG_stigrule_257829_Manage: True
+rhel9STIG_stigrule_257829_ypserv_State: removed
+# R-257830 RHEL-09-215035
+rhel9STIG_stigrule_257830_Manage: True
+rhel9STIG_stigrule_257830_rsh_server_State: removed
+# R-257831 RHEL-09-215040
+rhel9STIG_stigrule_257831_Manage: True
+rhel9STIG_stigrule_257831_telnet_server_State: removed
+# R-257832 RHEL-09-215045
+rhel9STIG_stigrule_257832_Manage: True
+rhel9STIG_stigrule_257832_gssproxy_State: removed
+# R-257833 RHEL-09-215050
+rhel9STIG_stigrule_257833_Manage: True
+rhel9STIG_stigrule_257833_iprutils_State: removed
+# R-257834 RHEL-09-215055
+rhel9STIG_stigrule_257834_Manage: True
+rhel9STIG_stigrule_257834_tuned_State: removed
+# R-257835 RHEL-09-215060
+rhel9STIG_stigrule_257835_Manage: True
+rhel9STIG_stigrule_257835_tftp_server_State: removed
+# R-257836 RHEL-09-215065
+rhel9STIG_stigrule_257836_Manage: True
+rhel9STIG_stigrule_257836_quagga_State: removed
+# R-257838 RHEL-09-215075
+rhel9STIG_stigrule_257838_Manage: True
+rhel9STIG_stigrule_257838_openssl_pkcs11_State: installed
+# R-257839 RHEL-09-215080
+rhel9STIG_stigrule_257839_Manage: True
+rhel9STIG_stigrule_257839_gnutls_utils_State: installed
+# R-257840 RHEL-09-215085
+rhel9STIG_stigrule_257840_Manage: True
+rhel9STIG_stigrule_257840_nss_tools_State: installed
+# R-257841 RHEL-09-215090
+rhel9STIG_stigrule_257841_Manage: True
+rhel9STIG_stigrule_257841_rng_tools_State: installed
+# R-257842 RHEL-09-215095
+rhel9STIG_stigrule_257842_Manage: True
+rhel9STIG_stigrule_257842_s_nail_State: installed
+# R-257849 RHEL-09-231040
+rhel9STIG_stigrule_257849_Manage: True
+rhel9STIG_stigrule_257849_autofs_service_disable_Enabled: false
+rhel9STIG_stigrule_257849_autofs_service_mask_Masked: true
+# R-257880 RHEL-09-231195
+rhel9STIG_stigrule_257880_Manage: True
+rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_install_cramfs__bin_false_Line: 'install cramfs /bin/false'
+rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_blacklist_cramfs_Line: 'blacklist cramfs'
+# R-257885 RHEL-09-232025
+rhel9STIG_stigrule_257885_Manage: True
+rhel9STIG_stigrule_257885__var_log_mode_Dest: /var/log
+rhel9STIG_stigrule_257885__var_log_mode_Mode: '0755'
+# R-257886 RHEL-09-232030
+rhel9STIG_stigrule_257886_Manage: True
+rhel9STIG_stigrule_257886__var_log_messages_mode_Dest: /var/log/messages
+rhel9STIG_stigrule_257886__var_log_messages_mode_Mode: '0640'
+# R-257891 RHEL-09-232055
+rhel9STIG_stigrule_257891_Manage: True
+rhel9STIG_stigrule_257891__etc_group_mode_Dest: /etc/group
+rhel9STIG_stigrule_257891__etc_group_mode_Mode: '0644'
+# R-257892 RHEL-09-232060
+rhel9STIG_stigrule_257892_Manage: True
+rhel9STIG_stigrule_257892__etc_group__mode_Dest: /etc/group-
+rhel9STIG_stigrule_257892__etc_group__mode_Mode: '0644'
+# R-257893 RHEL-09-232065
+rhel9STIG_stigrule_257893_Manage: True
+rhel9STIG_stigrule_257893__etc_gshadow_mode_Dest: /etc/gshadow
+rhel9STIG_stigrule_257893__etc_gshadow_mode_Mode: '0000'
+# R-257894 RHEL-09-232070
+rhel9STIG_stigrule_257894_Manage: True
+rhel9STIG_stigrule_257894__etc_gshadow__mode_Dest: /etc/gshadow-
+rhel9STIG_stigrule_257894__etc_gshadow__mode_Mode: '0000'
+# R-257895 RHEL-09-232075
+rhel9STIG_stigrule_257895_Manage: True
+rhel9STIG_stigrule_257895__etc_passwd_mode_Dest: /etc/passwd
+rhel9STIG_stigrule_257895__etc_passwd_mode_Mode: '0644'
+# R-257896 RHEL-09-232080
+rhel9STIG_stigrule_257896_Manage: True
+rhel9STIG_stigrule_257896__etc_passwd__mode_Dest: /etc/passwd-
+rhel9STIG_stigrule_257896__etc_passwd__mode_Mode: '0644'
+# R-257897 RHEL-09-232085
+rhel9STIG_stigrule_257897_Manage: True
+rhel9STIG_stigrule_257897__etc_shadow__mode_Dest: /etc/shadow-
+rhel9STIG_stigrule_257897__etc_shadow__mode_Mode: '0000'
+# R-257898 RHEL-09-232090
+rhel9STIG_stigrule_257898_Manage: True
+rhel9STIG_stigrule_257898__etc_group_owner_Dest: /etc/group
+rhel9STIG_stigrule_257898__etc_group_owner_Owner: root
+# R-257899 RHEL-09-232095
+rhel9STIG_stigrule_257899_Manage: True
+rhel9STIG_stigrule_257899__etc_group_group_owner_Dest: /etc/group
+rhel9STIG_stigrule_257899__etc_group_group_owner_Group: root
+# R-257900 RHEL-09-232100
+rhel9STIG_stigrule_257900_Manage: True
+rhel9STIG_stigrule_257900__etc_group__owner_Dest: /etc/group-
+rhel9STIG_stigrule_257900__etc_group__owner_Owner: root
+# R-257901 RHEL-09-232105
+rhel9STIG_stigrule_257901_Manage: True
+rhel9STIG_stigrule_257901__etc_group__group_owner_Dest: /etc/group-
+rhel9STIG_stigrule_257901__etc_group__group_owner_Group: root
+# R-257902 RHEL-09-232110
+rhel9STIG_stigrule_257902_Manage: True
+rhel9STIG_stigrule_257902__etc_gshadow_owner_Dest: /etc/gshadow
+rhel9STIG_stigrule_257902__etc_gshadow_owner_Owner: root
+# R-257903 RHEL-09-232115
+rhel9STIG_stigrule_257903_Manage: True
+rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Dest: /etc/gshadow
+rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Group: root
+# R-257904 RHEL-09-232120
+rhel9STIG_stigrule_257904_Manage: True
+rhel9STIG_stigrule_257904__etc_gshadow__owner_Dest: /etc/gshadow-
+rhel9STIG_stigrule_257904__etc_gshadow__owner_Owner: root
+# R-257905 RHEL-09-232125
+rhel9STIG_stigrule_257905_Manage: True
+rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Dest: /etc/gshadow-
+rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Group: root
+# R-257906 RHEL-09-232130
+rhel9STIG_stigrule_257906_Manage: True
+rhel9STIG_stigrule_257906__etc_passwd_owner_Dest: /etc/passwd
+rhel9STIG_stigrule_257906__etc_passwd_owner_Owner: root
+# R-257907 RHEL-09-232135
+rhel9STIG_stigrule_257907_Manage: True
+rhel9STIG_stigrule_257907__etc_passwd_group_owner_Dest: /etc/passwd
+rhel9STIG_stigrule_257907__etc_passwd_group_owner_Group: root
+# R-257908 RHEL-09-232140
+rhel9STIG_stigrule_257908_Manage: True
+rhel9STIG_stigrule_257908__etc_passwd__owner_Dest: /etc/passwd-
+rhel9STIG_stigrule_257908__etc_passwd__owner_Owner: root
+# R-257909 RHEL-09-232145
+rhel9STIG_stigrule_257909_Manage: True
+rhel9STIG_stigrule_257909__etc_passwd__group_owner_Dest: /etc/passwd-
+rhel9STIG_stigrule_257909__etc_passwd__group_owner_Group: root
+# R-257910 RHEL-09-232150
+rhel9STIG_stigrule_257910_Manage: True
+rhel9STIG_stigrule_257910__etc_shadow_owner_Dest: /etc/shadow
+rhel9STIG_stigrule_257910__etc_shadow_owner_Owner: root
+# R-257911 RHEL-09-232155
+rhel9STIG_stigrule_257911_Manage: True
+rhel9STIG_stigrule_257911__etc_shadow_group_owner_Dest: /etc/shadow
+rhel9STIG_stigrule_257911__etc_shadow_group_owner_Group: root
+# R-257912 RHEL-09-232160
+rhel9STIG_stigrule_257912_Manage: True
+rhel9STIG_stigrule_257912__etc_shadow__owner_Dest: /etc/shadow-
+rhel9STIG_stigrule_257912__etc_shadow__owner_Owner: root
+# R-257913 RHEL-09-232165
+rhel9STIG_stigrule_257913_Manage: True
+rhel9STIG_stigrule_257913__etc_shadow__group_owner_Dest: /etc/shadow-
+rhel9STIG_stigrule_257913__etc_shadow__group_owner_Group: root
+# R-257914 RHEL-09-232170
+rhel9STIG_stigrule_257914_Manage: True
+rhel9STIG_stigrule_257914__var_log_owner_Dest: /var/log
+rhel9STIG_stigrule_257914__var_log_owner_Owner: root
+# R-257915 RHEL-09-232175
+rhel9STIG_stigrule_257915_Manage: True
+rhel9STIG_stigrule_257915__var_log_group_owner_Dest: /var/log
+rhel9STIG_stigrule_257915__var_log_group_owner_Group: root
+# R-257916 RHEL-09-232180
+rhel9STIG_stigrule_257916_Manage: True
+rhel9STIG_stigrule_257916__var_log_messages_owner_Dest: /var/log/messages
+rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
+# R-257917 RHEL-09-232185
+rhel9STIG_stigrule_257917_Manage: True
+rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
+rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
+# R-257934 RHEL-09-232270
+rhel9STIG_stigrule_257934_Manage: True
+rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
+rhel9STIG_stigrule_257934__etc_shadow_mode_Mode: '0000'
+# R-257935 RHEL-09-251010
+rhel9STIG_stigrule_257935_Manage: True
+rhel9STIG_stigrule_257935_firewalld_State: installed
+# R-257936 RHEL-09-251015
+rhel9STIG_stigrule_257936_Manage: True
+rhel9STIG_stigrule_257936_firewalld_enable_Enabled: yes
+rhel9STIG_stigrule_257936_firewalld_start_State: started
+# R-257939 RHEL-09-251030
+rhel9STIG_stigrule_257939_Manage: True
+rhel9STIG_stigrule_257939__etc_firewalld_firewalld_conf_Line: 'FirewallBackend=nftables'
+# R-257942 RHEL-09-251045
+rhel9STIG_stigrule_257942_Manage: True
+rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_Value: 2
+rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_File: /etc/sysctl.d/99-sysctl.conf
+# R-257943 RHEL-09-252010
+rhel9STIG_stigrule_257943_Manage: True
+rhel9STIG_stigrule_257943_chrony_State: installed
+# R-257944 RHEL-09-252015
+rhel9STIG_stigrule_257944_Manage: True
+rhel9STIG_stigrule_257944_chronyd_enable_Enabled: yes
+rhel9STIG_stigrule_257944_chronyd_start_State: started
+# R-257946 RHEL-09-252025
+rhel9STIG_stigrule_257946_Manage: True
+rhel9STIG_stigrule_257946__etc_chrony_conf_Line: 'port 0'
+# R-257947 RHEL-09-252030
+rhel9STIG_stigrule_257947_Manage: True
+rhel9STIG_stigrule_257947__etc_chrony_conf_Line: 'cmdport 0'
+# R-257949 RHEL-09-252040
+rhel9STIG_stigrule_257949_Manage: True
+rhel9STIG_stigrule_257949__etc_NetworkManager_NetworkManager_conf_Value: 'none'
+# R-257954 RHEL-09-252065
+rhel9STIG_stigrule_257954_Manage: True
+rhel9STIG_stigrule_257954_libreswan_State: installed
+# R-257957 RHEL-09-253010
+rhel9STIG_stigrule_257957_Manage: True
+rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_Value: 1
+rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_File: /etc/sysctl.d/99-sysctl.conf
+# R-257958 RHEL-09-253015
+rhel9STIG_stigrule_257958_Manage: True
+rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_Value: 0
+rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257959 RHEL-09-253020
+rhel9STIG_stigrule_257959_Manage: True
+rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_Value: 0
+rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
+# R-257960 RHEL-09-253025
+rhel9STIG_stigrule_257960_Manage: True
+rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_Value: 1
+rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_File: /etc/sysctl.d/99-sysctl.conf
+# R-257961 RHEL-09-253030
+rhel9STIG_stigrule_257961_Manage: True
+rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_Value: 1
+rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_File: /etc/sysctl.d/99-sysctl.conf
+# R-257962 RHEL-09-253035
+rhel9STIG_stigrule_257962_Manage: True
+rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_Value: 1
+rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
+# R-257963 RHEL-09-253040
+rhel9STIG_stigrule_257963_Manage: True
+rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_Value: 0
+rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257964 RHEL-09-253045
+rhel9STIG_stigrule_257964_Manage: True
+rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_Value: 0
+rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
+# R-257965 RHEL-09-253050
+rhel9STIG_stigrule_257965_Manage: True
+rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_Value: 1
+rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
+# R-257966 RHEL-09-253055
+rhel9STIG_stigrule_257966_Manage: True
+rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
+rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_File: /etc/sysctl.d/99-sysctl.conf
+# R-257967 RHEL-09-253060
+rhel9STIG_stigrule_257967_Manage: True
+rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_Value: 1
+rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_File: /etc/sysctl.d/99-sysctl.conf
+# R-257968 RHEL-09-253065
+rhel9STIG_stigrule_257968_Manage: True
+rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_Value: 0
+rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257969 RHEL-09-253070
+rhel9STIG_stigrule_257969_Manage: True
+rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_Value: 0
+rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257970 RHEL-09-253075
+rhel9STIG_stigrule_257970_Manage: True
+rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_Value: 0
+rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
+# R-257971 RHEL-09-254010
+rhel9STIG_stigrule_257971_Manage: True
+rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_Value: 0
+rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
+# R-257972 RHEL-09-254015
+rhel9STIG_stigrule_257972_Manage: True
+rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_Value: 0
+rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257973 RHEL-09-254020
+rhel9STIG_stigrule_257973_Manage: True
+rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_Value: 0
+rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
+# R-257974 RHEL-09-254025
+rhel9STIG_stigrule_257974_Manage: True
+rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_Value: 0
+rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
+# R-257975 RHEL-09-254030
+rhel9STIG_stigrule_257975_Manage: True
+rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_Value: 0
+rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
+# R-257976 RHEL-09-254035
+rhel9STIG_stigrule_257976_Manage: True
+rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_Value: 0
+rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
+# R-257977 RHEL-09-254040
+rhel9STIG_stigrule_257977_Manage: True
+rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_Value: 0
+rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
+# R-257978 RHEL-09-255010
+rhel9STIG_stigrule_257978_Manage: True
+rhel9STIG_stigrule_257978_openssh_server_State: installed
+# R-257979 RHEL-09-255015
+rhel9STIG_stigrule_257979_Manage: True
+rhel9STIG_stigrule_257979_sshd_enable_Enabled: yes
+rhel9STIG_stigrule_257979_sshd_start_State: started
+# R-257980 RHEL-09-255020
+rhel9STIG_stigrule_257980_Manage: True
+rhel9STIG_stigrule_257980_openssh_clients_State: installed
+# R-257981 RHEL-09-255025
+rhel9STIG_stigrule_257981_Manage: True
+rhel9STIG_stigrule_257981_Banner_Line: Banner /etc/issue
+# R-257982 RHEL-09-255030
+rhel9STIG_stigrule_257982_Manage: True
+rhel9STIG_stigrule_257982_LogLevel_Line: LogLevel VERBOSE
+# R-257983 RHEL-09-255035
+rhel9STIG_stigrule_257983_Manage: True
+rhel9STIG_stigrule_257983_PubkeyAuthentication_Line: PubkeyAuthentication yes
+# R-257984 RHEL-09-255040
+rhel9STIG_stigrule_257984_Manage: True
+rhel9STIG_stigrule_257984_PermitEmptyPasswords_Line: PermitEmptyPasswords no
+# R-257985 RHEL-09-255045
+rhel9STIG_stigrule_257985_Manage: True
+rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
+# R-257986 RHEL-09-255050
+rhel9STIG_stigrule_257986_Manage: True
+rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
+# R-257992 RHEL-09-255080
+rhel9STIG_stigrule_257992_Manage: True
+rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
+# R-257993 RHEL-09-255085
+rhel9STIG_stigrule_257993_Manage: True
+rhel9STIG_stigrule_257993_PermitUserEnvironment_Line: PermitUserEnvironment no
+# R-257994 RHEL-09-255090
+rhel9STIG_stigrule_257994_Manage: True
+rhel9STIG_stigrule_257994_RekeyLimit_Line: RekeyLimit 1G 1h
+# R-257995 RHEL-09-255095
+rhel9STIG_stigrule_257995_Manage: True
+rhel9STIG_stigrule_257995_ClientAliveCountMax_Line: ClientAliveCountMax 1
+# R-257996 RHEL-09-255100
+rhel9STIG_stigrule_257996_Manage: True
+rhel9STIG_stigrule_257996_ClientAliveInterval_Line: ClientAliveInterval 600
+# R-257997 RHEL-09-255105
+rhel9STIG_stigrule_257997_Manage: True
+rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Dest: /etc/ssh/sshd_config
+rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Group: root
+# R-257998 RHEL-09-255110
+rhel9STIG_stigrule_257998_Manage: True
+rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Dest: /etc/ssh/sshd_config
+rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Owner: root
+# R-257999 RHEL-09-255115
+rhel9STIG_stigrule_257999_Manage: True
+rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Dest: /etc/ssh/sshd_config
+rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Mode: '0600'
+# R-258002 RHEL-09-255130
+rhel9STIG_stigrule_258002_Manage: True
+rhel9STIG_stigrule_258002_Compression_Line: Compression no
+# R-258003 RHEL-09-255135
+rhel9STIG_stigrule_258003_Manage: True
+rhel9STIG_stigrule_258003_GSSAPIAuthentication_Line: GSSAPIAuthentication no
+# R-258004 RHEL-09-255140
+rhel9STIG_stigrule_258004_Manage: True
+rhel9STIG_stigrule_258004_KerberosAuthentication_Line: KerberosAuthentication no
+# R-258005 RHEL-09-255145
+rhel9STIG_stigrule_258005_Manage: True
+rhel9STIG_stigrule_258005_IgnoreRhosts_Line: IgnoreRhosts yes
+# R-258006 RHEL-09-255150
+rhel9STIG_stigrule_258006_Manage: True
+rhel9STIG_stigrule_258006_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes
+# R-258007 RHEL-09-255155
+rhel9STIG_stigrule_258007_Manage: True
+rhel9STIG_stigrule_258007_X11Forwarding_Line: X11Forwarding no
+# R-258008 RHEL-09-255160
+rhel9STIG_stigrule_258008_Manage: True
+rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
+# R-258009 RHEL-09-255165
+rhel9STIG_stigrule_258009_Manage: True
+rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
+# R-258011 RHEL-09-255175
+rhel9STIG_stigrule_258011_Manage: True
+rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
+# R-258012 RHEL-09-271010
+rhel9STIG_stigrule_258012_Manage: True
+rhel9STIG_stigrule_258012__etc_dconf_db_local_d_01_banner_message_Value: 'true'
+# R-258013 RHEL-09-271015
+rhel9STIG_stigrule_258013_Manage: True
+rhel9STIG_stigrule_258013__etc_dconf_db_local_d_locks_session_banner_message_enable_Line: '/org/gnome/login-screen/banner-message-enable'
+# R-258014 RHEL-09-271020
+rhel9STIG_stigrule_258014_Manage: True
+rhel9STIG_stigrule_258014__etc_dconf_db_local_d_00_security_settings_Value: 'false'
+# R-258015 RHEL-09-271025
+rhel9STIG_stigrule_258015_Manage: True
+rhel9STIG_stigrule_258015__etc_dconf_db_local_d_locks_00_security_settings_lock_automount_open_Line: '/org/gnome/desktop/media-handling/automount-open'
+# R-258016 RHEL-09-271030
+rhel9STIG_stigrule_258016_Manage: True
+rhel9STIG_stigrule_258016__etc_dconf_db_local_d_00_security_settings_Value: 'true'
+# R-258017 RHEL-09-271035
+rhel9STIG_stigrule_258017_Manage: True
+rhel9STIG_stigrule_258017__etc_dconf_db_local_d_locks_00_security_settings_lock_autorun_never_Line: '/org/gnome/desktop/media-handling/autorun-never'
+# R-258019 RHEL-09-271045
+rhel9STIG_stigrule_258019_Manage: True
+rhel9STIG_stigrule_258019__etc_dconf_db_local_d_00_security_settings_Value: "'lock-screen'"
+# R-258020 RHEL-09-271050
+rhel9STIG_stigrule_258020_Manage: True
+rhel9STIG_stigrule_258020__etc_dconf_db_local_d_locks_00_security_settings_lock_removal_action_Line: '/org/gnome/settings-daemon/peripherals/smartcard/removal-action'
+# R-258021 RHEL-09-271055
+rhel9STIG_stigrule_258021_Manage: True
+rhel9STIG_stigrule_258021__etc_dconf_db_local_d_00_screensaver_Value: 'true'
+# R-258022 RHEL-09-271060
+rhel9STIG_stigrule_258022_Manage: True
+rhel9STIG_stigrule_258022__etc_dconf_db_local_d_locks_session_lock_enabled_Line: '/org/gnome/desktop/screensaver/lock-enabled'
+# R-258023 RHEL-09-271065
+rhel9STIG_stigrule_258023_Manage: True
+rhel9STIG_stigrule_258023__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
+# R-258024 RHEL-09-271070
+rhel9STIG_stigrule_258024_Manage: True
+rhel9STIG_stigrule_258024__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
+# R-258025 RHEL-09-271075
+rhel9STIG_stigrule_258025_Manage: True
+rhel9STIG_stigrule_258025__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
+# R-258026 RHEL-09-271080
+rhel9STIG_stigrule_258026_Manage: True
+rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '/org/gnome/desktop/screensaver/lock-delay'
+# R-258027 RHEL-09-271085
+rhel9STIG_stigrule_258027_Manage: True
+rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
+# R-258027 RHEL-09-271085
+rhel9STIG_stigrule_258027_Manage: True
+rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
+# R-258030 RHEL-09-271100
+rhel9STIG_stigrule_258030_Manage: True
+rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
+# R-258031 RHEL-09-271105
+rhel9STIG_stigrule_258031_Manage: True
+rhel9STIG_stigrule_258031__etc_dconf_db_local_d_00_security_settings_Value: "['']"
+# R-258032 RHEL-09-271110
+rhel9STIG_stigrule_258032_Manage: True
+rhel9STIG_stigrule_258032__etc_dconf_db_local_d_locks_session_logout_Line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
+# R-258033 RHEL-09-271115
+rhel9STIG_stigrule_258033_Manage: True
+rhel9STIG_stigrule_258033__etc_dconf_db_local_d_02_login_screen_Value: 'true'
+# R-258034 RHEL-09-291010
+rhel9STIG_stigrule_258034_Manage: True
+rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_install_usb_storage__bin_false_Line: 'install usb-storage /bin/false'
+rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage_Line: 'blacklist usb-storage'
+# R-258035 RHEL-09-291015
+rhel9STIG_stigrule_258035_Manage: True
+rhel9STIG_stigrule_258035_usbguard_State: installed
+rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
+rhel9STIG_stigrule_258035_usbguard_start_State: started
+# R-258036 RHEL-09-291020
+rhel9STIG_stigrule_258036_Manage: True
+rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
+rhel9STIG_stigrule_258036_usbguard_start_State: started
+# R-258037 RHEL-09-291025
+rhel9STIG_stigrule_258037_Manage: True
+rhel9STIG_stigrule_258037__etc_usbguard_usbguard_daemon_conf_Line: 'AuditBackend=LinuxAudit'
+# R-258039 RHEL-09-291035
+rhel9STIG_stigrule_258039_Manage: True
+rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_install_bluetooth__bin_false_Line: 'install bluetooth /bin/false'
+rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_blacklist_bluetooth_Line: 'blacklist bluetooth'
+# R-258040 RHEL-09-291040
+rhel9STIG_stigrule_258040_Manage: True
+rhel9STIG_stigrule_258040_nmcli_radio_wifi_off_Command: nmcli radio wifi off
+# R-258041 RHEL-09-411010
+rhel9STIG_stigrule_258041_Manage: True
+rhel9STIG_stigrule_258041__etc_login_defs_Line: 'PASS_MAX_DAYS 60'
+# R-258043 RHEL-09-411020
+rhel9STIG_stigrule_258043_Manage: True
+rhel9STIG_stigrule_258043__etc_login_defs_Line: 'CREATE_HOME yes'
+# R-258049 RHEL-09-411050
+rhel9STIG_stigrule_258049_Manage: True
+rhel9STIG_stigrule_258049_sudo_useradd__D__f_35_Command: sudo useradd -D -f 35
+# R-258054 RHEL-09-411075
+rhel9STIG_stigrule_258054_Manage: True
+rhel9STIG_stigrule_258054__etc_security_faillock_conf_Line: 'deny = 3'
+# R-258055 RHEL-09-411080
+rhel9STIG_stigrule_258055_Manage: True
+rhel9STIG_stigrule_258055__etc_security_faillock_conf_Line: 'even_deny_root'
+# R-258056 RHEL-09-411085
+rhel9STIG_stigrule_258056_Manage: True
+rhel9STIG_stigrule_258056__etc_security_faillock_conf_Line: 'fail_interval = 900'
+# R-258057 RHEL-09-411090
+rhel9STIG_stigrule_258057_Manage: True
+rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
+# R-258060 RHEL-09-411105
+rhel9STIG_stigrule_258060_Manage: True
+rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
+# R-258069 RHEL-09-412040
+rhel9STIG_stigrule_258069_Manage: True
+rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
+# R-258070 RHEL-09-412045
+rhel9STIG_stigrule_258070_Manage: True
+rhel9STIG_stigrule_258070__etc_security_faillock_conf_Line: 'audit'
+# R-258071 RHEL-09-412050
+rhel9STIG_stigrule_258071_Manage: True
+rhel9STIG_stigrule_258071__etc_login_defs_Line: 'FAIL_DELAY 4'
+# R-258072 RHEL-09-412055
+rhel9STIG_stigrule_258072_Manage: True
+rhel9STIG_stigrule_258072__etc_bashrc_Line: 'umask 077'
+# R-258073 RHEL-09-412060
+rhel9STIG_stigrule_258073_Manage: True
+rhel9STIG_stigrule_258073__etc_csh_cshrc_Line: 'umask 077'
+# R-258074 RHEL-09-412065
+rhel9STIG_stigrule_258074_Manage: True
+rhel9STIG_stigrule_258074__etc_login_defs_Line: 'UMASK 077'
+# R-258075 RHEL-09-412070
+rhel9STIG_stigrule_258075_Manage: True
+rhel9STIG_stigrule_258075__etc_profile_Line: 'umask 077'
+# R-258078 RHEL-09-431010
+rhel9STIG_stigrule_258078_Manage: True
+rhel9STIG_stigrule_258078__etc_selinux_config_Line: 'SELINUX=enforcing'
+# R-258079 RHEL-09-431015
+rhel9STIG_stigrule_258079_Manage: True
+rhel9STIG_stigrule_258079__etc_selinux_config_Line: 'SELINUXTYPE=targeted'
+# R-258081 RHEL-09-431025
+rhel9STIG_stigrule_258081_Manage: True
+rhel9STIG_stigrule_258081_policycoreutils_State: installed
+# R-258082 RHEL-09-431030
+rhel9STIG_stigrule_258082_Manage: True
+rhel9STIG_stigrule_258082_policycoreutils_python_utils_State: installed
+# R-258083 RHEL-09-432010
+rhel9STIG_stigrule_258083_Manage: True
+rhel9STIG_stigrule_258083_sudo_State: installed
+# R-258084 RHEL-09-432015
+rhel9STIG_stigrule_258084_Manage: True
+rhel9STIG_stigrule_258084__etc_sudoers_Line: 'Defaults timestamp_timeout=0'
+# R-258089 RHEL-09-433010
+rhel9STIG_stigrule_258089_Manage: True
+rhel9STIG_stigrule_258089_fapolicyd_State: installed
+# R-258090 RHEL-09-433015
+rhel9STIG_stigrule_258090_Manage: True
+rhel9STIG_stigrule_258090_fapolicyd_enable_Enabled: yes
+rhel9STIG_stigrule_258090_fapolicyd_start_State: started
+# R-258101 RHEL-09-611060
+rhel9STIG_stigrule_258101_Manage: True
+rhel9STIG_stigrule_258101__etc_security_pwquality_conf_Line: 'enforce_for_root'
+# R-258102 RHEL-09-611065
+rhel9STIG_stigrule_258102_Manage: True
+rhel9STIG_stigrule_258102__etc_security_pwquality_conf_Line: 'lcredit = -1'
+# R-258103 RHEL-09-611070
+rhel9STIG_stigrule_258103_Manage: True
+rhel9STIG_stigrule_258103__etc_security_pwquality_conf_Line: 'dcredit = -1'
+# R-258104 RHEL-09-611075
+rhel9STIG_stigrule_258104_Manage: True
+rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
+# R-258107 RHEL-09-611090
+rhel9STIG_stigrule_258107_Manage: True
+rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
+# R-258109 RHEL-09-611100
+rhel9STIG_stigrule_258109_Manage: True
+rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
+# R-258110 RHEL-09-611105
+rhel9STIG_stigrule_258110_Manage: True
+rhel9STIG_stigrule_258110__etc_security_pwquality_conf_Line: 'dictcheck = 1'
+# R-258111 RHEL-09-611110
+rhel9STIG_stigrule_258111_Manage: True
+rhel9STIG_stigrule_258111__etc_security_pwquality_conf_Line: 'ucredit = -1'
+# R-258112 RHEL-09-611115
+rhel9STIG_stigrule_258112_Manage: True
+rhel9STIG_stigrule_258112__etc_security_pwquality_conf_Line: 'difok = 8'
+# R-258113 RHEL-09-611120
+rhel9STIG_stigrule_258113_Manage: True
+rhel9STIG_stigrule_258113__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4'
+# R-258114 RHEL-09-611125
+rhel9STIG_stigrule_258114_Manage: True
+rhel9STIG_stigrule_258114__etc_security_pwquality_conf_Line: 'maxrepeat = 3'
+# R-258115 RHEL-09-611130
+rhel9STIG_stigrule_258115_Manage: True
+rhel9STIG_stigrule_258115__etc_security_pwquality_conf_Line: 'minclass = 4'
+# R-258116 RHEL-09-611135
+rhel9STIG_stigrule_258116_Manage: True
+rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
+# R-258117 RHEL-09-611140
+rhel9STIG_stigrule_258117_Manage: True
+rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
+# R-258121 RHEL-09-611160
+rhel9STIG_stigrule_258121_Manage: True
+rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
+# R-258122 RHEL-09-611165
+rhel9STIG_stigrule_258122_Manage: True
+rhel9STIG_stigrule_258122__etc_sssd_sssd_conf_Value: 'True'
+# R-258124 RHEL-09-611175
+rhel9STIG_stigrule_258124_Manage: True
+rhel9STIG_stigrule_258124_pcsc_lite_State: installed
+# R-258125 RHEL-09-611180
+rhel9STIG_stigrule_258125_Manage: True
+rhel9STIG_stigrule_258125_pcscd_enable_Enabled: yes
+rhel9STIG_stigrule_258125_pcscd_start_State: started
+# R-258126 RHEL-09-611185
+rhel9STIG_stigrule_258126_Manage: True
+rhel9STIG_stigrule_258126_opensc_State: installed
+# R-258128 RHEL-09-611195
+rhel9STIG_stigrule_258128_Manage: True
+rhel9STIG_stigrule_258128__usr_lib_systemd_system_emergency_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell emergency'
+# R-258129 RHEL-09-611200
+rhel9STIG_stigrule_258129_Manage: True
+rhel9STIG_stigrule_258129__usr_lib_systemd_system_rescue_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell rescue'
+# R-258133 RHEL-09-631020
+rhel9STIG_stigrule_258133_Manage: True
+rhel9STIG_stigrule_258133__etc_sssd_sssd_conf_Value: '1'
+# R-258140 RHEL-09-652010
+rhel9STIG_stigrule_258140_Manage: True
+rhel9STIG_stigrule_258140_rsyslog_State: installed
+# R-258141 RHEL-09-652015
+rhel9STIG_stigrule_258141_Manage: True
+rhel9STIG_stigrule_258141_rsyslog_gnutls_State: installed
+# R-258142 RHEL-09-652020
+rhel9STIG_stigrule_258142_Manage: True
+rhel9STIG_stigrule_258142_rsyslog_enable_Enabled: yes
+rhel9STIG_stigrule_258142_rsyslog_start_State: started
+# R-258144 RHEL-09-652030
+rhel9STIG_stigrule_258144_Manage: True
+rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.*                              /var/log/secure'
+# R-258146 RHEL-09-652040
+rhel9STIG_stigrule_258146_Manage: True
+rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
+# R-258147 RHEL-09-652045
+rhel9STIG_stigrule_258147_Manage: True
+rhel9STIG_stigrule_258147__etc_rsyslog_conf_Line: '$ActionSendStreamDriverMode 1'
+# R-258148 RHEL-09-652050
+rhel9STIG_stigrule_258148_Manage: True
+rhel9STIG_stigrule_258148__etc_rsyslog_conf_Line: '$DefaultNetstreamDriver gtls'
+# R-258150 RHEL-09-652060
+rhel9STIG_stigrule_258150_Manage: True
+rhel9STIG_stigrule_258150__etc_rsyslog_conf_Line: 'cron.*                                                  /var/log/cron'
+# R-258151 RHEL-09-653010
+rhel9STIG_stigrule_258151_Manage: True
+rhel9STIG_stigrule_258151_audit_State: installed
+# R-258152 RHEL-09-653015
+rhel9STIG_stigrule_258152_Manage: True
+rhel9STIG_stigrule_258152_auditd_enable_Enabled: yes
+rhel9STIG_stigrule_258152_auditd_start_State: started
+# R-258153 RHEL-09-653020
+rhel9STIG_stigrule_258153_Manage: True
+rhel9STIG_stigrule_258153__etc_audit_auditd_conf_Line: 'disk_error_action = HALT'
+# R-258154 RHEL-09-653025
+rhel9STIG_stigrule_258154_Manage: True
+rhel9STIG_stigrule_258154__etc_audit_auditd_conf_Line: 'disk_full_action = HALT'
+# R-258156 RHEL-09-653035
+rhel9STIG_stigrule_258156_Manage: True
+rhel9STIG_stigrule_258156__etc_audit_auditd_conf_Line: 'space_left = 25%'
+# R-258157 RHEL-09-653040
+rhel9STIG_stigrule_258157_Manage: True
+rhel9STIG_stigrule_258157__etc_audit_auditd_conf_Line: 'space_left_action = email'
+# R-258158 RHEL-09-653045
+rhel9STIG_stigrule_258158_Manage: True
+rhel9STIG_stigrule_258158__etc_audit_auditd_conf_Line: 'admin_space_left = 5%'
+# R-258159 RHEL-09-653050
+rhel9STIG_stigrule_258159_Manage: True
+rhel9STIG_stigrule_258159__etc_audit_auditd_conf_Line: 'admin_space_left_action = single'
+# R-258160 RHEL-09-653055
+rhel9STIG_stigrule_258160_Manage: True
+rhel9STIG_stigrule_258160__etc_audit_auditd_conf_Line: 'max_log_file_action = ROTATE'
+# R-258161 RHEL-09-653060
+rhel9STIG_stigrule_258161_Manage: True
+rhel9STIG_stigrule_258161__etc_audit_auditd_conf_Line: 'name_format = hostname'
+# R-258162 RHEL-09-653065
+rhel9STIG_stigrule_258162_Manage: True
+rhel9STIG_stigrule_258162__etc_audit_auditd_conf_Line: 'overflow_action = syslog'
+# R-258163 RHEL-09-653070
+rhel9STIG_stigrule_258163_Manage: True
+rhel9STIG_stigrule_258163__etc_audit_auditd_conf_Line: 'action_mail_acct = root'
+# R-258164 RHEL-09-653075
+rhel9STIG_stigrule_258164_Manage: True
+rhel9STIG_stigrule_258164__etc_audit_auditd_conf_Line: 'local_events = yes'
+# R-258168 RHEL-09-653095
+rhel9STIG_stigrule_258168_Manage: True
+rhel9STIG_stigrule_258168__etc_audit_auditd_conf_Line: 'freq = 100'
+# R-258169 RHEL-09-653100
+rhel9STIG_stigrule_258169_Manage: True
+rhel9STIG_stigrule_258169__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
+# R-258170 RHEL-09-653105
+rhel9STIG_stigrule_258170_Manage: True
+rhel9STIG_stigrule_258170__etc_audit_auditd_conf_Line: 'write_logs = yes'
+# R-258172 RHEL-09-653115
+rhel9STIG_stigrule_258172_Manage: True
+rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Dest: /etc/audit/auditd.conf
+rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Mode: '0640'
+# R-258175 RHEL-09-653130
+rhel9STIG_stigrule_258175_Manage: True
+rhel9STIG_stigrule_258175_audispd_plugins_State: installed
+# R-258176 RHEL-09-654010
+rhel9STIG_stigrule_258176_Manage: True
+rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv'
+rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv'
+rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv'
+rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv'
+# R-258177 RHEL-09-654015
+rhel9STIG_stigrule_258177_Manage: True
+rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-258178 RHEL-09-654020
+rhel9STIG_stigrule_258178_Manage: True
+rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-258179 RHEL-09-654025
+rhel9STIG_stigrule_258179_Manage: True
+rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
+rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
+rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
+# R-258180 RHEL-09-654030
+rhel9STIG_stigrule_258180_Manage: True
+rhel9STIG_stigrule_258180__etc_audit_rules_d_audit_rules__usr_bin_umount_Line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-258181 RHEL-09-654035
+rhel9STIG_stigrule_258181_Manage: True
+rhel9STIG_stigrule_258181__etc_audit_rules_d_audit_rules__usr_bin_chacl_Line: '-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-258182 RHEL-09-654040
+rhel9STIG_stigrule_258182_Manage: True
+rhel9STIG_stigrule_258182__etc_audit_rules_d_audit_rules__usr_bin_setfacl_Line: '-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-258183 RHEL-09-654045
+rhel9STIG_stigrule_258183_Manage: True
+rhel9STIG_stigrule_258183__etc_audit_rules_d_audit_rules__usr_bin_chcon_Line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
+# R-258184 RHEL-09-654050
+rhel9STIG_stigrule_258184_Manage: True
+rhel9STIG_stigrule_258184__etc_audit_rules_d_audit_rules__usr_sbin_semanage_Line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258185 RHEL-09-654055
+rhel9STIG_stigrule_258185_Manage: True
+rhel9STIG_stigrule_258185__etc_audit_rules_d_audit_rules__usr_sbin_setfiles_Line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258186 RHEL-09-654060
+rhel9STIG_stigrule_258186_Manage: True
+rhel9STIG_stigrule_258186__etc_audit_rules_d_audit_rules__usr_sbin_setsebool_Line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
+# R-258187 RHEL-09-654065
+rhel9STIG_stigrule_258187_Manage: True
+rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
+# R-258188 RHEL-09-654070
+rhel9STIG_stigrule_258188_Manage: True
+rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
+rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
+# R-258189 RHEL-09-654075
+rhel9STIG_stigrule_258189_Manage: True
+rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b32_Line: '-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b64_Line: '-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-258190 RHEL-09-654080
+rhel9STIG_stigrule_258190_Manage: True
+rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
+# R-258191 RHEL-09-654085
+rhel9STIG_stigrule_258191_Manage: True
+rhel9STIG_stigrule_258191__etc_audit_rules_d_audit_rules__usr_bin_chage_Line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage'
+# R-258192 RHEL-09-654090
+rhel9STIG_stigrule_258192_Manage: True
+rhel9STIG_stigrule_258192__etc_audit_rules_d_audit_rules__usr_bin_chsh_Line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-258193 RHEL-09-654095
+rhel9STIG_stigrule_258193_Manage: True
+rhel9STIG_stigrule_258193__etc_audit_rules_d_audit_rules__usr_bin_crontab_Line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab'
+# R-258194 RHEL-09-654100
+rhel9STIG_stigrule_258194_Manage: True
+rhel9STIG_stigrule_258194__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
+# R-258195 RHEL-09-654105
+rhel9STIG_stigrule_258195_Manage: True
+rhel9STIG_stigrule_258195__etc_audit_rules_d_audit_rules__usr_bin_kmod_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
+# R-258196 RHEL-09-654110
+rhel9STIG_stigrule_258196_Manage: True
+rhel9STIG_stigrule_258196__etc_audit_rules_d_audit_rules__usr_bin_newgrp_Line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-258197 RHEL-09-654115
+rhel9STIG_stigrule_258197_Manage: True
+rhel9STIG_stigrule_258197__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check'
+# R-258198 RHEL-09-654120
+rhel9STIG_stigrule_258198_Manage: True
+rhel9STIG_stigrule_258198__etc_audit_rules_d_audit_rules__usr_bin_passwd_Line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd'
+# R-258199 RHEL-09-654125
+rhel9STIG_stigrule_258199_Manage: True
+rhel9STIG_stigrule_258199__etc_audit_rules_d_audit_rules__usr_sbin_postdrop_Line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258200 RHEL-09-654130
+rhel9STIG_stigrule_258200_Manage: True
+rhel9STIG_stigrule_258200__etc_audit_rules_d_audit_rules__usr_sbin_postqueue_Line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258201 RHEL-09-654135
+rhel9STIG_stigrule_258201_Manage: True
+rhel9STIG_stigrule_258201__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent_Line: '-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-258202 RHEL-09-654140
+rhel9STIG_stigrule_258202_Manage: True
+rhel9STIG_stigrule_258202__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
+# R-258203 RHEL-09-654145
+rhel9STIG_stigrule_258203_Manage: True
+rhel9STIG_stigrule_258203__etc_audit_rules_d_audit_rules__usr_bin_su_Line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change'
+# R-258204 RHEL-09-654150
+rhel9STIG_stigrule_258204_Manage: True
+rhel9STIG_stigrule_258204__etc_audit_rules_d_audit_rules__usr_bin_sudo_Line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-258205 RHEL-09-654155
+rhel9STIG_stigrule_258205_Manage: True
+rhel9STIG_stigrule_258205__etc_audit_rules_d_audit_rules__usr_bin_sudoedit_Line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
+# R-258206 RHEL-09-654160
+rhel9STIG_stigrule_258206_Manage: True
+rhel9STIG_stigrule_258206__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258207 RHEL-09-654165
+rhel9STIG_stigrule_258207_Manage: True
+rhel9STIG_stigrule_258207__etc_audit_rules_d_audit_rules__usr_sbin_unix_update_Line: '-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258208 RHEL-09-654170
+rhel9STIG_stigrule_258208_Manage: True
+rhel9STIG_stigrule_258208__etc_audit_rules_d_audit_rules__usr_sbin_userhelper_Line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
+# R-258209 RHEL-09-654175
+rhel9STIG_stigrule_258209_Manage: True
+rhel9STIG_stigrule_258209__etc_audit_rules_d_audit_rules__usr_sbin_usermod_Line: '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod'
+# R-258210 RHEL-09-654180
+rhel9STIG_stigrule_258210_Manage: True
+rhel9STIG_stigrule_258210__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
+# R-258211 RHEL-09-654185
+rhel9STIG_stigrule_258211_Manage: True
+rhel9STIG_stigrule_258211__etc_audit_rules_d_audit_rules__usr_sbin_init_Line: '-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init'
+# R-258212 RHEL-09-654190
+rhel9STIG_stigrule_258212_Manage: True
+rhel9STIG_stigrule_258212__etc_audit_rules_d_audit_rules__usr_sbin_poweroff_Line: '-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff'
+# R-258213 RHEL-09-654195
+rhel9STIG_stigrule_258213_Manage: True
+rhel9STIG_stigrule_258213__etc_audit_rules_d_audit_rules__usr_sbin_reboot_Line: '-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot'
+# R-258214 RHEL-09-654200
+rhel9STIG_stigrule_258214_Manage: True
+rhel9STIG_stigrule_258214__etc_audit_rules_d_audit_rules__usr_sbin_shutdown_Line: '-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown'
+# R-258217 RHEL-09-654215
+rhel9STIG_stigrule_258217_Manage: True
+rhel9STIG_stigrule_258217__etc_audit_rules_d_audit_rules__etc_sudoers_Line: '-w /etc/sudoers -p wa -k identity'
+# R-258218 RHEL-09-654220
+rhel9STIG_stigrule_258218_Manage: True
+rhel9STIG_stigrule_258218__etc_audit_rules_d_audit_rules__etc_sudoers_d__Line: '-w /etc/sudoers.d/ -p wa -k identity'
+# R-258219 RHEL-09-654225
+rhel9STIG_stigrule_258219_Manage: True
+rhel9STIG_stigrule_258219__etc_audit_rules_d_audit_rules__etc_group_Line: '-w /etc/group -p wa -k identity'
+# R-258220 RHEL-09-654230
+rhel9STIG_stigrule_258220_Manage: True
+rhel9STIG_stigrule_258220__etc_audit_rules_d_audit_rules__etc_gshadow_Line: '-w /etc/gshadow -p wa -k identity'
+# R-258221 RHEL-09-654235
+rhel9STIG_stigrule_258221_Manage: True
+rhel9STIG_stigrule_258221__etc_audit_rules_d_audit_rules__etc_security_opasswd_Line: '-w /etc/security/opasswd -p wa -k identity'
+# R-258222 RHEL-09-654240
+rhel9STIG_stigrule_258222_Manage: True
+rhel9STIG_stigrule_258222__etc_audit_rules_d_audit_rules__etc_passwd_Line: '-w /etc/passwd -p wa -k identity'
+# R-258223 RHEL-09-654245
+rhel9STIG_stigrule_258223_Manage: True
+rhel9STIG_stigrule_258223__etc_audit_rules_d_audit_rules__etc_shadow_Line: '-w /etc/shadow -p wa -k identity'
+# R-258224 RHEL-09-654250
+rhel9STIG_stigrule_258224_Manage: True
+rhel9STIG_stigrule_258224__etc_audit_rules_d_audit_rules__var_log_faillock_Line: '-w /var/log/faillock -p wa -k logins'
+# R-258225 RHEL-09-654255
+rhel9STIG_stigrule_258225_Manage: True
+rhel9STIG_stigrule_258225__etc_audit_rules_d_audit_rules__var_log_lastlog_Line: '-w /var/log/lastlog -p wa -k logins'
+# R-258226 RHEL-09-654260
+rhel9STIG_stigrule_258226_Manage: True
+rhel9STIG_stigrule_258226__etc_audit_rules_d_audit_rules__var_log_tallylog_Line: '-w /var/log/tallylog -p wa -k logins'
+# R-258227 RHEL-09-654265
+rhel9STIG_stigrule_258227_Manage: True
+rhel9STIG_stigrule_258227__etc_audit_rules_d_audit_rules_f2_Line: '-f 2'
+# R-258228 RHEL-09-654270
+rhel9STIG_stigrule_258228_Manage: True
+rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line: '--loginuid-immutable'
+# R-258229 RHEL-09-654275
+rhel9STIG_stigrule_258229_Manage: True
+rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
+# R-258234 RHEL-09-215100
+rhel9STIG_stigrule_258234_Manage: True
+rhel9STIG_stigrule_258234_crypto_policies_State: installed
+# R-272488 RHEL-09-215101
+rhel9STIG_stigrule_272488_Manage: True
+rhel9STIG_stigrule_272488_postfix_State: installed

collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml

@@ -0,0 +1,30 @@
+- name: dconf_update
+  command: dconf update
+- name: auditd_restart
+  command: /usr/sbin/service auditd restart
+- name: ssh_restart
+  service:
+    name: sshd
+    state: restarted
+- name: rsyslog_restart
+  service:
+    name: rsyslog
+    state: restarted
+- name: sysctl_load_settings
+  command: sysctl --system
+- name: daemon_reload
+  systemd:
+    daemon_reload: true
+- name: networkmanager_reload
+  service:
+    name: NetworkManager
+    state: reloaded
+- name: logind_restart
+  service:
+    name: systemd-logind
+    state: restarted
+- name: with_faillock_enable
+  command: authselect enable-feature with-faillock
+- name: do_reboot
+  reboot:
+    pre_reboot_delay: 60

collections/ansible_collections/demo/compliance/roles/win2022STIG/callback_plugins/stig_xml.py

@@ -0,0 +1,93 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+from ansible.plugins.callback import CallbackBase
+from time import gmtime, strftime
+import platform
+import tempfile
+import re
+import sys
+import os
+import xml.etree.ElementTree as ET
+import xml.dom.minidom
+
+
+class CallbackModule(CallbackBase):
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = "xml"
+    CALLBACK_NAME = "stig_xml"
+
+    CALLBACK_NEEDS_WHITELIST = True
+
+    def _get_STIG_path(self):
+        cwd = os.path.abspath(".")
+        for dirpath, dirs, files in os.walk(cwd):
+            if os.path.sep + "files" in dirpath and ".xml" in files[0]:
+                return os.path.join(cwd, dirpath, files[0])
+
+    def __init__(self):
+        super(CallbackModule, self).__init__()
+        self.rules = {}
+        self.stig_path = os.environ.get("STIG_PATH")
+        self.XML_path = os.environ.get("XML_PATH")
+        if self.stig_path is None:
+            self.stig_path = self._get_STIG_path()
+        self._display.display("Using STIG_PATH: {}".format(self.stig_path))
+        if self.XML_path is None:
+            self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
+        self._display.display("Using XML_PATH: {}".format(self.XML_path))
+
+        print("Writing: {}".format(self.XML_path))
+        STIG_name = os.path.basename(self.stig_path)
+        ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
+        self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
+        self.tr.set(
+            "id",
+            "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
+        )
+        endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
+        self.tr.set("end-time", endtime)
+        tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
+        tg.text = platform.node()
+
+    def _get_rev(self, nid):
+        with open(self.stig_path, "r") as f:
+            r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
+            m = re.search(r, f.read())
+        if m:
+            rev = m.group("rev")
+        else:
+            rev = "0"
+        return rev
+
+    def v2_runner_on_ok(self, result):
+        name = result._task.get_name()
+        m = re.search("stigrule_(?P<id>\d+)", name)
+        if m:
+            nid = m.group("id")
+        else:
+            return
+        rev = self._get_rev(nid)
+        key = "{}r{}".format(nid, rev)
+        if self.rules.get(key, "Unknown") != False:
+            self.rules[key] = result.is_changed()
+
+    def v2_playbook_on_stats(self, stats):
+        for rule, changed in self.rules.items():
+            state = "fail" if changed else "pass"
+            rr = ET.SubElement(
+                self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
+            )
+            rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
+            rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
+            rs.text = state
+        passing = len(self.rules) - sum(self.rules.values())
+        sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
+        sc.set("maximum", str(len(self.rules)))
+        sc.set("system", "urn:xccdf:scoring:flat-unweighted")
+        sc.text = str(passing)
+        with open(self.XML_path, "wb") as f:
+            out = ET.tostring(self.tr)
+            pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
+            f.write(pretty)

collections/ansible_collections/demo/compliance/roles/win2022STIG/defaults/main.yml

@@ -0,0 +1,939 @@
+# R-254269 WN22-00-000320
+win2022STIG_stigrule_254269_Manage: True
+win2022STIG_stigrule_254269_Fax_State: absent
+# R-254270 WN22-00-000330
+win2022STIG_stigrule_254270_Manage: True
+win2022STIG_stigrule_254270_Web_Ftp_Service_State: absent
+# R-254271 WN22-00-000340
+win2022STIG_stigrule_254271_Manage: True
+win2022STIG_stigrule_254271_PNRP_State: absent
+# R-254272 WN22-00-000350
+win2022STIG_stigrule_254272_Manage: True
+win2022STIG_stigrule_254272_Simple_TCPIP_State: absent
+# R-254273 WN22-00-000360
+win2022STIG_stigrule_254273_Manage: True
+win2022STIG_stigrule_254273_Telnet_Client_State: absent
+# R-254275 WN22-00-000380
+win2022STIG_stigrule_254275_Manage: True
+win2022STIG_stigrule_254275_FS_SMB1_State: absent
+# R-254276 WN22-00-000390
+win2022STIG_stigrule_254276_Manage: True
+win2022STIG_stigrule_254276_SMB1_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\'
+win2022STIG_stigrule_254276_SMB1_State: 'Present'
+win2022STIG_stigrule_254276_SMB1_ValueData: '0'
+win2022STIG_stigrule_254276_SMB1_ValueType: 'Dword'
+win2022STIG_stigrule_254276_TFTP_Client_State: absent
+# R-254277 WN22-00-000400
+win2022STIG_stigrule_254277_Manage: True
+win2022STIG_stigrule_254277_Start_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10\'
+win2022STIG_stigrule_254277_Start_State: 'Present'
+win2022STIG_stigrule_254277_Start_ValueData: '4'
+win2022STIG_stigrule_254277_Start_ValueType: 'Dword'
+# R-254278 WN22-00-000410
+win2022STIG_stigrule_254278_Manage: True
+win2022STIG_stigrule_254278_PowerShell_v2_State: absent
+# R-254281 WN22-00-000440
+# Please choose an appropriate DoD time source from http://tycho.usno.navy.mil/ntp.html
+win2022STIG_stigrule_254281_Manage: False
+win2022STIG_stigrule_254281_NtpServer_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\Parameters'
+win2022STIG_stigrule_254281_NtpServer_State: 'Present'
+win2022STIG_stigrule_254281_NtpServer_ValueData: 'your|DoD|time|server|url|here'
+win2022STIG_stigrule_254281_NtpServer_ValueType: 'String'
+win2022STIG_stigrule_254281_Type_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\Parameters'
+win2022STIG_stigrule_254281_Type_State: 'Present'
+win2022STIG_stigrule_254281_Type_ValueData: 'NTP'
+win2022STIG_stigrule_254281_Type_ValueType: 'String'
+win2022STIG_stigrule_254281_CrossSiteSyncFlags_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
+win2022STIG_stigrule_254281_CrossSiteSyncFlags_State: 'Present'
+win2022STIG_stigrule_254281_CrossSiteSyncFlags_ValueData: '2'
+win2022STIG_stigrule_254281_CrossSiteSyncFlags_ValueType: 'Dword'
+win2022STIG_stigrule_254281_EventLogFlags_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
+win2022STIG_stigrule_254281_EventLogFlags_State: 'Present'
+win2022STIG_stigrule_254281_EventLogFlags_ValueData: '0'
+win2022STIG_stigrule_254281_EventLogFlags_ValueType: 'Dword'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMaxTimes_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMaxTimes_State: 'Present'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMaxTimes_ValueData: '7'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMaxTimes_ValueType: 'Dword'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMinutes_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMinutes_State: 'Present'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMinutes_ValueData: '15'
+win2022STIG_stigrule_254281_ResolvePeerBackoffMinutes_ValueType: 'Dword'
+win2022STIG_stigrule_254281_SpecialPollInterval_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
+win2022STIG_stigrule_254281_SpecialPollInterval_State: 'Present'
+win2022STIG_stigrule_254281_SpecialPollInterval_ValueData: '3600'
+win2022STIG_stigrule_254281_SpecialPollInterval_ValueType: 'Dword'
+# R-254285 WN22-AC-000010
+win2022STIG_stigrule_254285_Manage: False
+win2022STIG_stigrule_254285_Account_lockout_duration_Value: 15
+# R-254286 WN22-AC-000020
+win2022STIG_stigrule_254286_Manage: False
+win2022STIG_stigrule_254286_Account_lockout_threshold_Value: 3
+# R-254287 WN22-AC-000030
+win2022STIG_stigrule_254287_Manage: False
+win2022STIG_stigrule_254287_Reset_account_lockout_counter_after_Value: 15
+# R-254288 WN22-AC-000040
+win2022STIG_stigrule_254288_Manage: True
+win2022STIG_stigrule_254288_Enforce_password_history_Value: 24
+# R-254289 WN22-AC-000050
+win2022STIG_stigrule_254289_Manage: True
+win2022STIG_stigrule_254289_Maximum_Password_Age_Value: 60
+# R-254290 WN22-AC-000060
+win2022STIG_stigrule_254290_Manage: True
+win2022STIG_stigrule_254290_Minimum_Password_Age_Value: 1
+# R-254291 WN22-AC-000070
+win2022STIG_stigrule_254291_Manage: True
+win2022STIG_stigrule_254291_Minimum_Password_Length_Value: 14
+# R-254292 WN22-AC-000080
+win2022STIG_stigrule_254292_Manage: True
+win2022STIG_stigrule_254292_Password_must_meet_complexity_requirements_Value: 1
+# R-254293 WN22-AC-000090
+win2022STIG_stigrule_254293_Manage: True
+win2022STIG_stigrule_254293_Store_passwords_using_reversible_encryption_Value: 0
+# R-254296 WN22-AU-000030
+win2022STIG_stigrule_254296_Manage: True
+# R-254297 WN22-AU-000040
+win2022STIG_stigrule_254297_Manage: True
+# R-254298 WN22-AU-000050
+win2022STIG_stigrule_254298_Manage: True
+# R-254300 WN22-AU-000070
+win2022STIG_stigrule_254300_Manage: True
+win2022STIG_stigrule_254300_Credential_Validation_AuditType: success,failure
+# R-254301 WN22-AU-000080
+win2022STIG_stigrule_254301_Manage: True
+win2022STIG_stigrule_254301_Credential_Validation_AuditType: success,failure
+# R-254302 WN22-AU-000090
+win2022STIG_stigrule_254302_Manage: True
+win2022STIG_stigrule_254302_Other_Account_Management_Events_AuditType: success
+# R-254303 WN22-AU-000100
+win2022STIG_stigrule_254303_Manage: True
+win2022STIG_stigrule_254303_Security_Group_Management_AuditType: success
+# R-254304 WN22-AU-000110
+win2022STIG_stigrule_254304_Manage: True
+win2022STIG_stigrule_254304_User_Account_Management_AuditType: success,failure
+# R-254305 WN22-AU-000120
+win2022STIG_stigrule_254305_Manage: True
+win2022STIG_stigrule_254305_User_Account_Management_AuditType: success,failure
+# R-254306 WN22-AU-000130
+win2022STIG_stigrule_254306_Manage: True
+win2022STIG_stigrule_254306_PNP_Activity_AuditType: success
+# R-254307 WN22-AU-000140
+win2022STIG_stigrule_254307_Manage: True
+win2022STIG_stigrule_254307_Process_Creation_AuditType: success
+# R-254308 WN22-AU-000150
+win2022STIG_stigrule_254308_Manage: True
+win2022STIG_stigrule_254308_Account_Lockout_AuditType: success,failure
+# R-254309 WN22-AU-000160
+win2022STIG_stigrule_254309_Manage: True
+win2022STIG_stigrule_254309_Account_Lockout_AuditType: success,failure
+# R-254310 WN22-AU-000170
+win2022STIG_stigrule_254310_Manage: True
+win2022STIG_stigrule_254310_Group_Membership_AuditType: success
+# R-254311 WN22-AU-000180
+win2022STIG_stigrule_254311_Manage: True
+win2022STIG_stigrule_254311_Logoff_AuditType: success
+# R-254312 WN22-AU-000190
+win2022STIG_stigrule_254312_Manage: True
+win2022STIG_stigrule_254312_Logon_AuditType: success,failure
+# R-254313 WN22-AU-000200
+win2022STIG_stigrule_254313_Manage: True
+win2022STIG_stigrule_254313_Logon_AuditType: success,failure
+# R-254314 WN22-AU-000210
+win2022STIG_stigrule_254314_Manage: True
+win2022STIG_stigrule_254314_Special_Logon_AuditType: success
+# R-254315 WN22-AU-000220
+win2022STIG_stigrule_254315_Manage: True
+win2022STIG_stigrule_254315_Other_Object_Access_Events_AuditType: success,failure
+# R-254316 WN22-AU-000230
+win2022STIG_stigrule_254316_Manage: True
+win2022STIG_stigrule_254316_Other_Object_Access_Events_AuditType: success,failure
+# R-254317 WN22-AU-000240
+win2022STIG_stigrule_254317_Manage: True
+win2022STIG_stigrule_254317_Removable_Storage_AuditType: success,failure
+# R-254318 WN22-AU-000250
+win2022STIG_stigrule_254318_Manage: True
+win2022STIG_stigrule_254318_Removable_Storage_AuditType: success,failure
+# R-254319 WN22-AU-000260
+win2022STIG_stigrule_254319_Manage: True
+win2022STIG_stigrule_254319_Policy_Change_AuditType: success,failure
+# R-254320 WN22-AU-000270
+win2022STIG_stigrule_254320_Manage: True
+win2022STIG_stigrule_254320_Policy_Change_AuditType: success,failure
+# R-254321 WN22-AU-000280
+win2022STIG_stigrule_254321_Manage: True
+win2022STIG_stigrule_254321_Authentication_Policy_Change_AuditType: success
+# R-254322 WN22-AU-000290
+win2022STIG_stigrule_254322_Manage: True
+win2022STIG_stigrule_254322_Authorization_Policy_Change_AuditType: success
+# R-254323 WN22-AU-000300
+win2022STIG_stigrule_254323_Manage: True
+win2022STIG_stigrule_254323_Sensitive_Privilege_Use_AuditType: success,failure
+# R-254324 WN22-AU-000310
+win2022STIG_stigrule_254324_Manage: True
+win2022STIG_stigrule_254324_Sensitive_Privilege_Use_AuditType: success,failure
+# R-254325 WN22-AU-000320
+win2022STIG_stigrule_254325_Manage: True
+win2022STIG_stigrule_254325_IPsec_Driver_AuditType: success,failure
+# R-254326 WN22-AU-000330
+win2022STIG_stigrule_254326_Manage: True
+win2022STIG_stigrule_254326_IPsec_Driver_AuditType: success,failure
+# R-254327 WN22-AU-000340
+win2022STIG_stigrule_254327_Manage: True
+win2022STIG_stigrule_254327_Other_System_Events_AuditType: success,failure
+# R-254328 WN22-AU-000350
+win2022STIG_stigrule_254328_Manage: True
+win2022STIG_stigrule_254328_Other_System_Events_AuditType: success,failure
+# R-254329 WN22-AU-000360
+win2022STIG_stigrule_254329_Manage: True
+win2022STIG_stigrule_254329_Security_State_Change_AuditType: success
+# R-254330 WN22-AU-000370
+win2022STIG_stigrule_254330_Manage: True
+win2022STIG_stigrule_254330_Security_System_Extension_AuditType: success
+# R-254331 WN22-AU-000380
+win2022STIG_stigrule_254331_Manage: True
+win2022STIG_stigrule_254331_System_Integrity_AuditType: success,failure
+# R-254332 WN22-AU-000390
+win2022STIG_stigrule_254332_Manage: True
+win2022STIG_stigrule_254332_System_Integrity_AuditType: success,failure
+# R-254333 WN22-CC-000010
+win2022STIG_stigrule_254333_Manage: True
+win2022STIG_stigrule_254333_NoLockScreenSlideshow_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization\'
+win2022STIG_stigrule_254333_NoLockScreenSlideshow_State: 'Present'
+win2022STIG_stigrule_254333_NoLockScreenSlideshow_ValueData: '1'
+win2022STIG_stigrule_254333_NoLockScreenSlideshow_ValueType: 'Dword'
+# R-254334 WN22-CC-000020
+win2022STIG_stigrule_254334_Manage: True
+win2022STIG_stigrule_254334_UseLogonCredential_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\'
+win2022STIG_stigrule_254334_UseLogonCredential_State: 'Present'
+win2022STIG_stigrule_254334_UseLogonCredential_ValueData: '0'
+win2022STIG_stigrule_254334_UseLogonCredential_ValueType: 'Dword'
+# R-254335 WN22-CC-000030
+win2022STIG_stigrule_254335_Manage: True
+win2022STIG_stigrule_254335_DisableIPSourceRouting_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\'
+win2022STIG_stigrule_254335_DisableIPSourceRouting_State: 'Present'
+win2022STIG_stigrule_254335_DisableIPSourceRouting_ValueData: '2'
+win2022STIG_stigrule_254335_DisableIPSourceRouting_ValueType: 'Dword'
+# R-254336 WN22-CC-000040
+win2022STIG_stigrule_254336_Manage: True
+win2022STIG_stigrule_254336_DisableIPSourceRouting_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\'
+win2022STIG_stigrule_254336_DisableIPSourceRouting_State: 'Present'
+win2022STIG_stigrule_254336_DisableIPSourceRouting_ValueData: '2'
+win2022STIG_stigrule_254336_DisableIPSourceRouting_ValueType: 'Dword'
+# R-254337 WN22-CC-000050
+win2022STIG_stigrule_254337_Manage: True
+win2022STIG_stigrule_254337_EnableICMPRedirect_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\'
+win2022STIG_stigrule_254337_EnableICMPRedirect_State: 'Present'
+win2022STIG_stigrule_254337_EnableICMPRedirect_ValueData: '0'
+win2022STIG_stigrule_254337_EnableICMPRedirect_ValueType: 'Dword'
+# R-254338 WN22-CC-000060
+win2022STIG_stigrule_254338_Manage: True
+win2022STIG_stigrule_254338_NoNameReleaseOnDemand_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\'
+win2022STIG_stigrule_254338_NoNameReleaseOnDemand_State: 'Present'
+win2022STIG_stigrule_254338_NoNameReleaseOnDemand_ValueData: '1'
+win2022STIG_stigrule_254338_NoNameReleaseOnDemand_ValueType: 'Dword'
+# R-254339 WN22-CC-000070
+win2022STIG_stigrule_254339_Manage: True
+win2022STIG_stigrule_254339_AllowInsecureGuestAuth_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\'
+win2022STIG_stigrule_254339_AllowInsecureGuestAuth_State: 'Present'
+win2022STIG_stigrule_254339_AllowInsecureGuestAuth_ValueData: '0'
+win2022STIG_stigrule_254339_AllowInsecureGuestAuth_ValueType: 'Dword'
+# R-254340 WN22-CC-000080
+win2022STIG_stigrule_254340_Manage: True
+win2022STIG_stigrule_254340_____NETLOGON_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\'
+win2022STIG_stigrule_254340_____NETLOGON_State: 'Present'
+win2022STIG_stigrule_254340_____NETLOGON_ValueData: 'RequireMutualAuthentication=1, RequireIntegrity=1'
+win2022STIG_stigrule_254340_____NETLOGON_ValueType: 'String'
+win2022STIG_stigrule_254340_____SYSVOL_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\'
+win2022STIG_stigrule_254340_____SYSVOL_State: 'Present'
+win2022STIG_stigrule_254340_____SYSVOL_ValueData: 'RequireMutualAuthentication=1, RequireIntegrity=1'
+win2022STIG_stigrule_254340_____SYSVOL_ValueType: 'String'
+# R-254341 WN22-CC-000090
+win2022STIG_stigrule_254341_Manage: True
+win2022STIG_stigrule_254341_ProcessCreationIncludeCmdLine_Enabled_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\'
+win2022STIG_stigrule_254341_ProcessCreationIncludeCmdLine_Enabled_State: 'Present'
+win2022STIG_stigrule_254341_ProcessCreationIncludeCmdLine_Enabled_ValueData: '1'
+win2022STIG_stigrule_254341_ProcessCreationIncludeCmdLine_Enabled_ValueType: 'Dword'
+# R-254342 WN22-CC-000100
+win2022STIG_stigrule_254342_Manage: True
+win2022STIG_stigrule_254342_AllowProtectedCreds_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\'
+win2022STIG_stigrule_254342_AllowProtectedCreds_State: 'Present'
+win2022STIG_stigrule_254342_AllowProtectedCreds_ValueData: '1'
+win2022STIG_stigrule_254342_AllowProtectedCreds_ValueType: 'Dword'
+# R-254343 WN22-CC-000110
+# Please ensure the hardware requirements are met. See https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
+win2022STIG_stigrule_254343_Manage: False
+win2022STIG_stigrule_254343_EnableVirtualizationBasedSecurity_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
+win2022STIG_stigrule_254343_EnableVirtualizationBasedSecurity_State: 'Present'
+win2022STIG_stigrule_254343_EnableVirtualizationBasedSecurity_ValueData: '1'
+win2022STIG_stigrule_254343_EnableVirtualizationBasedSecurity_ValueType: 'Dword'
+win2022STIG_stigrule_254343_RequirePlatformSecurityFeatures_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
+win2022STIG_stigrule_254343_RequirePlatformSecurityFeatures_State: 'Present'
+win2022STIG_stigrule_254343_RequirePlatformSecurityFeatures_ValueData: '1'
+win2022STIG_stigrule_254343_RequirePlatformSecurityFeatures_ValueType: 'Dword'
+# R-254344 WN22-CC-000130
+win2022STIG_stigrule_254344_Manage: True
+win2022STIG_stigrule_254344_DriverLoadPolicy_Key: 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\'
+win2022STIG_stigrule_254344_DriverLoadPolicy_State: 'Present'
+win2022STIG_stigrule_254344_DriverLoadPolicy_ValueData: '1'
+win2022STIG_stigrule_254344_DriverLoadPolicy_ValueType: 'Dword'
+# R-254345 WN22-CC-000140
+win2022STIG_stigrule_254345_Manage: True
+win2022STIG_stigrule_254345_NoGPOListChanges_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\'
+win2022STIG_stigrule_254345_NoGPOListChanges_State: 'Present'
+win2022STIG_stigrule_254345_NoGPOListChanges_ValueData: '0'
+win2022STIG_stigrule_254345_NoGPOListChanges_ValueType: 'Dword'
+# R-254346 WN22-CC-000150
+win2022STIG_stigrule_254346_Manage: True
+win2022STIG_stigrule_254346_DisableWebPnPDownload_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\'
+win2022STIG_stigrule_254346_DisableWebPnPDownload_State: 'Present'
+win2022STIG_stigrule_254346_DisableWebPnPDownload_ValueData: '1'
+win2022STIG_stigrule_254346_DisableWebPnPDownload_ValueType: 'Dword'
+# R-254347 WN22-CC-000160
+win2022STIG_stigrule_254347_Manage: True
+win2022STIG_stigrule_254347_DisableHTTPPrinting_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\'
+win2022STIG_stigrule_254347_DisableHTTPPrinting_State: 'Present'
+win2022STIG_stigrule_254347_DisableHTTPPrinting_ValueData: '1'
+win2022STIG_stigrule_254347_DisableHTTPPrinting_ValueType: 'Dword'
+# R-254348 WN22-CC-000170
+win2022STIG_stigrule_254348_Manage: True
+win2022STIG_stigrule_254348_DontDisplayNetworkSelectionUI_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\'
+win2022STIG_stigrule_254348_DontDisplayNetworkSelectionUI_State: 'Present'
+win2022STIG_stigrule_254348_DontDisplayNetworkSelectionUI_ValueData: '1'
+win2022STIG_stigrule_254348_DontDisplayNetworkSelectionUI_ValueType: 'Dword'
+# R-254349 WN22-CC-000180
+win2022STIG_stigrule_254349_Manage: True
+win2022STIG_stigrule_254349_DCSettingIndex_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\'
+win2022STIG_stigrule_254349_DCSettingIndex_State: 'Present'
+win2022STIG_stigrule_254349_DCSettingIndex_ValueData: '1'
+win2022STIG_stigrule_254349_DCSettingIndex_ValueType: 'Dword'
+# R-254350 WN22-CC-000190
+win2022STIG_stigrule_254350_Manage: True
+win2022STIG_stigrule_254350_ACSettingIndex_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\'
+win2022STIG_stigrule_254350_ACSettingIndex_State: 'Present'
+win2022STIG_stigrule_254350_ACSettingIndex_ValueData: '1'
+win2022STIG_stigrule_254350_ACSettingIndex_ValueType: 'Dword'
+# R-254351 WN22-CC-000200
+win2022STIG_stigrule_254351_Manage: True
+win2022STIG_stigrule_254351_DisableInventory_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat\'
+win2022STIG_stigrule_254351_DisableInventory_State: 'Present'
+win2022STIG_stigrule_254351_DisableInventory_ValueData: '1'
+win2022STIG_stigrule_254351_DisableInventory_ValueType: 'Dword'
+# R-254352 WN22-CC-000210
+win2022STIG_stigrule_254352_Manage: True
+win2022STIG_stigrule_254352_NoAutoplayfornonVolume_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\'
+win2022STIG_stigrule_254352_NoAutoplayfornonVolume_State: 'Present'
+win2022STIG_stigrule_254352_NoAutoplayfornonVolume_ValueData: '1'
+win2022STIG_stigrule_254352_NoAutoplayfornonVolume_ValueType: 'Dword'
+# R-254353 WN22-CC-000220
+win2022STIG_stigrule_254353_Manage: True
+win2022STIG_stigrule_254353_NoAutorun_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\'
+win2022STIG_stigrule_254353_NoAutorun_State: 'Present'
+win2022STIG_stigrule_254353_NoAutorun_ValueData: '1'
+win2022STIG_stigrule_254353_NoAutorun_ValueType: 'Dword'
+# R-254354 WN22-CC-000230
+win2022STIG_stigrule_254354_Manage: True
+win2022STIG_stigrule_254354_NoDriveTypeAutoRun_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\'
+win2022STIG_stigrule_254354_NoDriveTypeAutoRun_State: 'Present'
+win2022STIG_stigrule_254354_NoDriveTypeAutoRun_ValueData: '255'
+win2022STIG_stigrule_254354_NoDriveTypeAutoRun_ValueType: 'Dword'
+# R-254355 WN22-CC-000240
+win2022STIG_stigrule_254355_Manage: True
+win2022STIG_stigrule_254355_EnumerateAdministrators_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\'
+win2022STIG_stigrule_254355_EnumerateAdministrators_State: 'Present'
+win2022STIG_stigrule_254355_EnumerateAdministrators_ValueData: '0'
+win2022STIG_stigrule_254355_EnumerateAdministrators_ValueType: 'Dword'
+# R-254356 WN22-CC-000250
+win2022STIG_stigrule_254356_Manage: True
+win2022STIG_stigrule_254356_AllowTelemetry_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\'
+win2022STIG_stigrule_254356_AllowTelemetry_State: 'Present'
+win2022STIG_stigrule_254356_AllowTelemetry_ValueData: '1'
+win2022STIG_stigrule_254356_AllowTelemetry_ValueType: 'Dword'
+# R-254357 WN22-CC-000260
+win2022STIG_stigrule_254357_Manage: True
+win2022STIG_stigrule_254357_DODownloadMode_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\'
+win2022STIG_stigrule_254357_DODownloadMode_State: 'Present'
+win2022STIG_stigrule_254357_DODownloadMode_ValueData: '100'
+win2022STIG_stigrule_254357_DODownloadMode_ValueType: 'Dword'
+# R-254358 WN22-CC-000270
+win2022STIG_stigrule_254358_Manage: True
+win2022STIG_stigrule_254358_MaxSize_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\'
+win2022STIG_stigrule_254358_MaxSize_State: 'Present'
+win2022STIG_stigrule_254358_MaxSize_ValueData: '32768'
+win2022STIG_stigrule_254358_MaxSize_ValueType: 'Dword'
+# R-254359 WN22-CC-000280
+win2022STIG_stigrule_254359_Manage: True
+win2022STIG_stigrule_254359_MaxSize_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\'
+win2022STIG_stigrule_254359_MaxSize_State: 'Present'
+win2022STIG_stigrule_254359_MaxSize_ValueData: '196608'
+win2022STIG_stigrule_254359_MaxSize_ValueType: 'Dword'
+# R-254360 WN22-CC-000290
+win2022STIG_stigrule_254360_Manage: True
+win2022STIG_stigrule_254360_MaxSize_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\'
+win2022STIG_stigrule_254360_MaxSize_State: 'Present'
+win2022STIG_stigrule_254360_MaxSize_ValueData: '32768'
+win2022STIG_stigrule_254360_MaxSize_ValueType: 'Dword'
+# R-254361 WN22-CC-000300
+win2022STIG_stigrule_254361_Manage: True
+win2022STIG_stigrule_254361_EnableSmartScreen_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\'
+win2022STIG_stigrule_254361_EnableSmartScreen_State: 'Present'
+win2022STIG_stigrule_254361_EnableSmartScreen_ValueData: '1'
+win2022STIG_stigrule_254361_EnableSmartScreen_ValueType: 'Dword'
+# R-254362 WN22-CC-000310
+win2022STIG_stigrule_254362_Manage: True
+win2022STIG_stigrule_254362_NoDataExecutionPrevention_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\'
+win2022STIG_stigrule_254362_NoDataExecutionPrevention_State: 'Present'
+win2022STIG_stigrule_254362_NoDataExecutionPrevention_ValueData: '0'
+win2022STIG_stigrule_254362_NoDataExecutionPrevention_ValueType: 'Dword'
+# R-254363 WN22-CC-000320
+win2022STIG_stigrule_254363_Manage: True
+win2022STIG_stigrule_254363_NoHeapTerminationOnCorruption_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\'
+win2022STIG_stigrule_254363_NoHeapTerminationOnCorruption_State: 'Present'
+win2022STIG_stigrule_254363_NoHeapTerminationOnCorruption_ValueData: '0'
+win2022STIG_stigrule_254363_NoHeapTerminationOnCorruption_ValueType: 'Dword'
+# R-254364 WN22-CC-000330
+win2022STIG_stigrule_254364_Manage: True
+win2022STIG_stigrule_254364_PreXPSP2ShellProtocolBehavior_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\'
+win2022STIG_stigrule_254364_PreXPSP2ShellProtocolBehavior_State: 'Present'
+win2022STIG_stigrule_254364_PreXPSP2ShellProtocolBehavior_ValueData: '0'
+win2022STIG_stigrule_254364_PreXPSP2ShellProtocolBehavior_ValueType: 'Dword'
+# R-254365 WN22-CC-000340
+win2022STIG_stigrule_254365_Manage: True
+win2022STIG_stigrule_254365_DisablePasswordSaving_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+win2022STIG_stigrule_254365_DisablePasswordSaving_State: 'Present'
+win2022STIG_stigrule_254365_DisablePasswordSaving_ValueData: '1'
+win2022STIG_stigrule_254365_DisablePasswordSaving_ValueType: 'Dword'
+# R-254366 WN22-CC-000350
+win2022STIG_stigrule_254366_Manage: True
+win2022STIG_stigrule_254366_fDisableCdm_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+win2022STIG_stigrule_254366_fDisableCdm_State: 'Present'
+win2022STIG_stigrule_254366_fDisableCdm_ValueData: '1'
+win2022STIG_stigrule_254366_fDisableCdm_ValueType: 'Dword'
+# R-254367 WN22-CC-000360
+win2022STIG_stigrule_254367_Manage: True
+win2022STIG_stigrule_254367_fPromptForPassword_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+win2022STIG_stigrule_254367_fPromptForPassword_State: 'Present'
+win2022STIG_stigrule_254367_fPromptForPassword_ValueData: '1'
+win2022STIG_stigrule_254367_fPromptForPassword_ValueType: 'Dword'
+# R-254368 WN22-CC-000370
+win2022STIG_stigrule_254368_Manage: True
+win2022STIG_stigrule_254368_fEncryptRPCTraffic_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+win2022STIG_stigrule_254368_fEncryptRPCTraffic_State: 'Present'
+win2022STIG_stigrule_254368_fEncryptRPCTraffic_ValueData: '1'
+win2022STIG_stigrule_254368_fEncryptRPCTraffic_ValueType: 'Dword'
+# R-254369 WN22-CC-000380
+win2022STIG_stigrule_254369_Manage: True
+win2022STIG_stigrule_254369_MinEncryptionLevel_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+win2022STIG_stigrule_254369_MinEncryptionLevel_State: 'Present'
+win2022STIG_stigrule_254369_MinEncryptionLevel_ValueData: '3'
+win2022STIG_stigrule_254369_MinEncryptionLevel_ValueType: 'Dword'
+# R-254370 WN22-CC-000390
+win2022STIG_stigrule_254370_Manage: True
+win2022STIG_stigrule_254370_DisableEnclosureDownload_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\'
+win2022STIG_stigrule_254370_DisableEnclosureDownload_State: 'Present'
+win2022STIG_stigrule_254370_DisableEnclosureDownload_ValueData: '1'
+win2022STIG_stigrule_254370_DisableEnclosureDownload_ValueType: 'Dword'
+# R-254371 WN22-CC-000400
+win2022STIG_stigrule_254371_Manage: True
+win2022STIG_stigrule_254371_AllowBasicAuthInClear_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\'
+win2022STIG_stigrule_254371_AllowBasicAuthInClear_State: 'Present'
+win2022STIG_stigrule_254371_AllowBasicAuthInClear_ValueData: '0'
+win2022STIG_stigrule_254371_AllowBasicAuthInClear_ValueType: 'Dword'
+# R-254372 WN22-CC-000410
+win2022STIG_stigrule_254372_Manage: True
+win2022STIG_stigrule_254372_AllowIndexingEncryptedStoresOrItems_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\'
+win2022STIG_stigrule_254372_AllowIndexingEncryptedStoresOrItems_State: 'Present'
+win2022STIG_stigrule_254372_AllowIndexingEncryptedStoresOrItems_ValueData: '0'
+win2022STIG_stigrule_254372_AllowIndexingEncryptedStoresOrItems_ValueType: 'Dword'
+# R-254373 WN22-CC-000420
+win2022STIG_stigrule_254373_Manage: True
+win2022STIG_stigrule_254373_EnableUserControl_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\'
+win2022STIG_stigrule_254373_EnableUserControl_State: 'Present'
+win2022STIG_stigrule_254373_EnableUserControl_ValueData: '0'
+win2022STIG_stigrule_254373_EnableUserControl_ValueType: 'Dword'
+# R-254374 WN22-CC-000430
+win2022STIG_stigrule_254374_Manage: True
+win2022STIG_stigrule_254374_AlwaysInstallElevated_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\'
+win2022STIG_stigrule_254374_AlwaysInstallElevated_State: 'Present'
+win2022STIG_stigrule_254374_AlwaysInstallElevated_ValueData: '0'
+win2022STIG_stigrule_254374_AlwaysInstallElevated_ValueType: 'Dword'
+# R-254375 WN22-CC-000440
+win2022STIG_stigrule_254375_Manage: True
+win2022STIG_stigrule_254375_SafeForScripting_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\'
+win2022STIG_stigrule_254375_SafeForScripting_State: 'Present'
+win2022STIG_stigrule_254375_SafeForScripting_ValueData: '0'
+win2022STIG_stigrule_254375_SafeForScripting_ValueType: 'Dword'
+# R-254376 WN22-CC-000450
+win2022STIG_stigrule_254376_Manage: True
+win2022STIG_stigrule_254376_DisableAutomaticRestartSignOn_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254376_DisableAutomaticRestartSignOn_State: 'Present'
+win2022STIG_stigrule_254376_DisableAutomaticRestartSignOn_ValueData: '1'
+win2022STIG_stigrule_254376_DisableAutomaticRestartSignOn_ValueType: 'Dword'
+# R-254378 WN22-CC-000470
+win2022STIG_stigrule_254378_Manage: True
+win2022STIG_stigrule_254378_EnableScriptBlockLogging_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\'
+win2022STIG_stigrule_254378_EnableScriptBlockLogging_State: 'Present'
+win2022STIG_stigrule_254378_EnableScriptBlockLogging_ValueData: '1'
+win2022STIG_stigrule_254378_EnableScriptBlockLogging_ValueType: 'Dword'
+# R-254379 WN22-CC-000480
+win2022STIG_stigrule_254379_Manage: True
+win2022STIG_stigrule_254379_AllowBasic_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\'
+win2022STIG_stigrule_254379_AllowBasic_State: 'Present'
+win2022STIG_stigrule_254379_AllowBasic_ValueData: '0'
+win2022STIG_stigrule_254379_AllowBasic_ValueType: 'Dword'
+# R-254380 WN22-CC-000490
+win2022STIG_stigrule_254380_Manage: True
+win2022STIG_stigrule_254380_AllowUnencryptedTraffic_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\'
+win2022STIG_stigrule_254380_AllowUnencryptedTraffic_State: 'Present'
+win2022STIG_stigrule_254380_AllowUnencryptedTraffic_ValueData: '0'
+win2022STIG_stigrule_254380_AllowUnencryptedTraffic_ValueType: 'Dword'
+# R-254381 WN22-CC-000500
+win2022STIG_stigrule_254381_Manage: True
+win2022STIG_stigrule_254381_AllowDigest_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\'
+win2022STIG_stigrule_254381_AllowDigest_State: 'Present'
+win2022STIG_stigrule_254381_AllowDigest_ValueData: '0'
+win2022STIG_stigrule_254381_AllowDigest_ValueType: 'Dword'
+# R-254382 WN22-CC-000510
+win2022STIG_stigrule_254382_Manage: True
+win2022STIG_stigrule_254382_AllowBasic_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\'
+win2022STIG_stigrule_254382_AllowBasic_State: 'Present'
+win2022STIG_stigrule_254382_AllowBasic_ValueData: '0'
+win2022STIG_stigrule_254382_AllowBasic_ValueType: 'Dword'
+# R-254383 WN22-CC-000520
+win2022STIG_stigrule_254383_Manage: True
+win2022STIG_stigrule_254383_AllowUnencryptedTraffic_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\'
+win2022STIG_stigrule_254383_AllowUnencryptedTraffic_State: 'Present'
+win2022STIG_stigrule_254383_AllowUnencryptedTraffic_ValueData: '0'
+win2022STIG_stigrule_254383_AllowUnencryptedTraffic_ValueType: 'Dword'
+# R-254384 WN22-CC-000530
+win2022STIG_stigrule_254384_Manage: True
+win2022STIG_stigrule_254384_DisableRunAs_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\'
+win2022STIG_stigrule_254384_DisableRunAs_State: 'Present'
+win2022STIG_stigrule_254384_DisableRunAs_ValueData: '1'
+win2022STIG_stigrule_254384_DisableRunAs_ValueType: 'Dword'
+# R-254407 WN22-DC-000230
+win2022STIG_stigrule_254407_Manage: True
+win2022STIG_stigrule_254407_Computer_Account_Management_AuditType: success
+# R-254408 WN22-DC-000240
+win2022STIG_stigrule_254408_Manage: True
+win2022STIG_stigrule_254408_Directory_Service_Access_AuditType: success,failure
+# R-254409 WN22-DC-000250
+win2022STIG_stigrule_254409_Manage: True
+win2022STIG_stigrule_254409_Directory_Service_Access_AuditType: success,failure
+# R-254410 WN22-DC-000260
+win2022STIG_stigrule_254410_Manage: True
+win2022STIG_stigrule_254410_Directory_Service_Changes_AuditType: success,failure
+# R-254411 WN22-DC-000270
+win2022STIG_stigrule_254411_Manage: True
+win2022STIG_stigrule_254411_Directory_Service_Changes_AuditType: success,failure
+# R-254416 WN22-DC-000320
+win2022STIG_stigrule_254416_Manage: True
+win2022STIG_stigrule_254416_Domain_controller_LDAP_server_signing_requirements_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\'
+win2022STIG_stigrule_254416_Domain_controller_LDAP_server_signing_requirements_State: 'Present'
+win2022STIG_stigrule_254416_Domain_controller_LDAP_server_signing_requirements_ValueData: '2'
+win2022STIG_stigrule_254416_Domain_controller_LDAP_server_signing_requirements_ValueType: 'Dword'
+# R-254417 WN22-DC-000330
+win2022STIG_stigrule_254417_Manage: True
+win2022STIG_stigrule_254417_Domain_controller_Refuse_machine_account_password_changes_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254417_Domain_controller_Refuse_machine_account_password_changes_State: 'Present'
+win2022STIG_stigrule_254417_Domain_controller_Refuse_machine_account_password_changes_ValueData: '0'
+win2022STIG_stigrule_254417_Domain_controller_Refuse_machine_account_password_changes_ValueType: 'Dword'
+# R-254418 WN22-DC-000340
+win2022STIG_stigrule_254418_Manage: False
+win2022STIG_stigrule_254418_SeNetworkLogonRight_Users: ['Administrators','Authenticated Users','Enterprise Domain Controllers']
+# R-254419 WN22-DC-000350
+win2022STIG_stigrule_254419_Manage: True
+win2022STIG_stigrule_254419_SeMachineAccountPrivilege_Users: ['Administrators']
+# R-254420 WN22-DC-000360
+win2022STIG_stigrule_254420_Manage: True
+win2022STIG_stigrule_254420_SeRemoteInteractiveLogonRight_Users: ['Administrators']
+# R-254421 WN22-DC-000370
+win2022STIG_stigrule_254421_Manage: False
+win2022STIG_stigrule_254421_SeDenyNetworkLogonRight_Users: ['Guests']
+# R-254422 WN22-DC-000380
+win2022STIG_stigrule_254422_Manage: False
+win2022STIG_stigrule_254422_SeDenyBatchLogonRight_Users: ['Guests']
+# R-254423 WN22-DC-000390
+win2022STIG_stigrule_254423_Manage: False
+win2022STIG_stigrule_254423_SeDenyServiceLogonRight_Users: []
+# R-254424 WN22-DC-000400
+win2022STIG_stigrule_254424_Manage: False
+win2022STIG_stigrule_254424_SeDenyInteractiveLogonRight_Users: ['Guests']
+# R-254425 WN22-DC-000410
+win2022STIG_stigrule_254425_Manage: False
+win2022STIG_stigrule_254425_SeDenyRemoteInteractiveLogonRight_Users: ['Guests']
+# R-254426 WN22-DC-000420
+win2022STIG_stigrule_254426_Manage: False
+win2022STIG_stigrule_254426_SeEnableDelegationPrivilege_Users: ['Administrators']
+# R-254429 WN22-MS-000020
+win2022STIG_stigrule_254429_Manage: False
+win2022STIG_stigrule_254429_LocalAccountTokenFilterPolicy_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+win2022STIG_stigrule_254429_LocalAccountTokenFilterPolicy_State: 'Present'
+win2022STIG_stigrule_254429_LocalAccountTokenFilterPolicy_ValueData: '0'
+win2022STIG_stigrule_254429_LocalAccountTokenFilterPolicy_ValueType: 'Dword'
+# R-254430 WN22-MS-000030
+win2022STIG_stigrule_254430_Manage: True
+win2022STIG_stigrule_254430_EnumerateLocalUsers_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\'
+win2022STIG_stigrule_254430_EnumerateLocalUsers_State: 'Present'
+win2022STIG_stigrule_254430_EnumerateLocalUsers_ValueData: '0'
+win2022STIG_stigrule_254430_EnumerateLocalUsers_ValueType: 'Dword'
+# R-254431 WN22-MS-000040
+win2022STIG_stigrule_254431_Manage: True
+win2022STIG_stigrule_254431_RestrictRemoteClients_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\'
+win2022STIG_stigrule_254431_RestrictRemoteClients_State: 'Present'
+win2022STIG_stigrule_254431_RestrictRemoteClients_ValueData: '1'
+win2022STIG_stigrule_254431_RestrictRemoteClients_ValueType: 'Dword'
+# R-254432 WN22-MS-000050
+win2022STIG_stigrule_254432_Manage: True
+win2022STIG_stigrule_254432_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_Key: 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\'
+win2022STIG_stigrule_254432_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_State: 'Present'
+win2022STIG_stigrule_254432_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_ValueData: '4'
+win2022STIG_stigrule_254432_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_ValueType: 'string'
+# R-254434 WN22-MS-000070
+win2022STIG_stigrule_254434_Manage: False
+win2022STIG_stigrule_254434_SeNetworkLogonRight_Users: ['Administrators','Authenticated Users']
+# R-254436 WN22-MS-000090
+win2022STIG_stigrule_254436_Manage: False
+win2022STIG_stigrule_254436_SeDenyBatchLogonRight_Users: ['Enterprise Admins','Domain Admins','Guests']
+# R-254437 WN22-MS-000100
+win2022STIG_stigrule_254437_Manage: False
+win2022STIG_stigrule_254437_SeDenyServiceLogonRight_Users: ['Enterprise Admins','Domain Admins']
+# R-254438 WN22-MS-000110
+win2022STIG_stigrule_254438_Manage: False
+win2022STIG_stigrule_254438_SeDenyInteractiveLogonRight_Users: ['Enterprise Admins','Domain Admins','Guests']
+# R-254440 WN22-MS-000130
+win2022STIG_stigrule_254440_Manage: False
+win2022STIG_stigrule_254440_SeEnableDelegationPrivilege_Users: []
+# R-254441 WN22-MS-000140
+# Please ensure the hardware requirements are met. See https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
+win2022STIG_stigrule_254441_Manage: False
+win2022STIG_stigrule_254441_LsaCfgFlags_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
+win2022STIG_stigrule_254441_LsaCfgFlags_State: 'Present'
+win2022STIG_stigrule_254441_LsaCfgFlags_ValueData: '1'
+win2022STIG_stigrule_254441_LsaCfgFlags_ValueType: 'Dword'
+# R-254445 WN22-SO-000010
+win2022STIG_stigrule_254445_Manage: True
+win2022STIG_stigrule_254445_Accounts_Guest_account_status_ValueData: '0'
+# R-254446 WN22-SO-000020
+win2022STIG_stigrule_254446_Manage: True
+win2022STIG_stigrule_254446_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\'
+win2022STIG_stigrule_254446_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_State: 'Present'
+win2022STIG_stigrule_254446_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_ValueData: '1'
+win2022STIG_stigrule_254446_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_ValueType: 'Dword'
+# R-254448 WN22-SO-000040
+win2022STIG_stigrule_254448_Manage: False
+win2022STIG_stigrule_254448_Accounts_Rename_guest_account_ValueData: 'RenamedGuest'
+# R-254449 WN22-SO-000050
+win2022STIG_stigrule_254449_Manage: True
+win2022STIG_stigrule_254449_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\'
+win2022STIG_stigrule_254449_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_State: 'Present'
+win2022STIG_stigrule_254449_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_ValueData: '1'
+win2022STIG_stigrule_254449_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_ValueType: 'Dword'
+# R-254450 WN22-SO-000060
+win2022STIG_stigrule_254450_Manage: True
+win2022STIG_stigrule_254450_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254450_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_State: 'Present'
+win2022STIG_stigrule_254450_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_ValueData: '1'
+win2022STIG_stigrule_254450_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_ValueType: 'Dword'
+# R-254451 WN22-SO-000070
+win2022STIG_stigrule_254451_Manage: True
+win2022STIG_stigrule_254451_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254451_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_State: 'Present'
+win2022STIG_stigrule_254451_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_ValueData: '1'
+win2022STIG_stigrule_254451_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_ValueType: 'Dword'
+# R-254452 WN22-SO-000080
+win2022STIG_stigrule_254452_Manage: True
+win2022STIG_stigrule_254452_Domain_member_Digitally_sign_secure_channel_data_when_possible_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254452_Domain_member_Digitally_sign_secure_channel_data_when_possible_State: 'Present'
+win2022STIG_stigrule_254452_Domain_member_Digitally_sign_secure_channel_data_when_possible_ValueData: '1'
+win2022STIG_stigrule_254452_Domain_member_Digitally_sign_secure_channel_data_when_possible_ValueType: 'Dword'
+# R-254453 WN22-SO-000090
+win2022STIG_stigrule_254453_Manage: True
+win2022STIG_stigrule_254453_Domain_member_Disable_machine_account_password_changes_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254453_Domain_member_Disable_machine_account_password_changes_State: 'Present'
+win2022STIG_stigrule_254453_Domain_member_Disable_machine_account_password_changes_ValueData: '0'
+win2022STIG_stigrule_254453_Domain_member_Disable_machine_account_password_changes_ValueType: 'Dword'
+# R-254454 WN22-SO-000100
+win2022STIG_stigrule_254454_Manage: True
+win2022STIG_stigrule_254454_Domain_member_Maximum_machine_account_password_age_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254454_Domain_member_Maximum_machine_account_password_age_State: 'Present'
+win2022STIG_stigrule_254454_Domain_member_Maximum_machine_account_password_age_ValueData: '30'
+win2022STIG_stigrule_254454_Domain_member_Maximum_machine_account_password_age_ValueType: 'Dword'
+# R-254455 WN22-SO-000110
+win2022STIG_stigrule_254455_Manage: True
+win2022STIG_stigrule_254455_Domain_member_Require_strong_Windows_2000_or_later_session_key_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\'
+win2022STIG_stigrule_254455_Domain_member_Require_strong_Windows_2000_or_later_session_key_State: 'Present'
+win2022STIG_stigrule_254455_Domain_member_Require_strong_Windows_2000_or_later_session_key_ValueData: '1'
+win2022STIG_stigrule_254455_Domain_member_Require_strong_Windows_2000_or_later_session_key_ValueType: 'Dword'
+# R-254456 WN22-SO-000120
+win2022STIG_stigrule_254456_Manage: True
+win2022STIG_stigrule_254456_Interactive_logon_Machine_inactivity_limit_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254456_Interactive_logon_Machine_inactivity_limit_State: 'Present'
+win2022STIG_stigrule_254456_Interactive_logon_Machine_inactivity_limit_ValueData: '900'
+win2022STIG_stigrule_254456_Interactive_logon_Machine_inactivity_limit_ValueType: 'Dword'
+# R-254457 WN22-SO-000130
+win2022STIG_stigrule_254457_Manage: True
+win2022STIG_stigrule_254457_Interactive_logon_Message_text_for_users_attempting_to_log_on_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254457_Interactive_logon_Message_text_for_users_attempting_to_log_on_State: 'Present'
+win2022STIG_stigrule_254457_Interactive_logon_Message_text_for_users_attempting_to_log_on_ValueData: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+win2022STIG_stigrule_254457_Interactive_logon_Message_text_for_users_attempting_to_log_on_ValueType: 'string'
+# R-254458 WN22-SO-000140
+win2022STIG_stigrule_254458_Manage: True
+win2022STIG_stigrule_254458_Interactive_logon_Message_title_for_users_attempting_to_log_on_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254458_Interactive_logon_Message_title_for_users_attempting_to_log_on_State: 'Present'
+win2022STIG_stigrule_254458_Interactive_logon_Message_title_for_users_attempting_to_log_on_ValueData: 'DoD Notice and Consent Banner'
+win2022STIG_stigrule_254458_Interactive_logon_Message_title_for_users_attempting_to_log_on_ValueType: 'string'
+# R-254459 WN22-SO-000150
+win2022STIG_stigrule_254459_Manage: True
+win2022STIG_stigrule_254459_Interactive_logon_Smart_card_removal_behavior_Key: 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\'
+win2022STIG_stigrule_254459_Interactive_logon_Smart_card_removal_behavior_State: 'Present'
+win2022STIG_stigrule_254459_Interactive_logon_Smart_card_removal_behavior_ValueData: '1'
+win2022STIG_stigrule_254459_Interactive_logon_Smart_card_removal_behavior_ValueType: 'string'
+# R-254460 WN22-SO-000160
+win2022STIG_stigrule_254460_Manage: True
+win2022STIG_stigrule_254460_Microsoft_network_client_Digitally_sign_communications_always_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\'
+win2022STIG_stigrule_254460_Microsoft_network_client_Digitally_sign_communications_always_State: 'Present'
+win2022STIG_stigrule_254460_Microsoft_network_client_Digitally_sign_communications_always_ValueData: '1'
+win2022STIG_stigrule_254460_Microsoft_network_client_Digitally_sign_communications_always_ValueType: 'Dword'
+# R-254461 WN22-SO-000170
+win2022STIG_stigrule_254461_Manage: True
+win2022STIG_stigrule_254461_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\'
+win2022STIG_stigrule_254461_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_State: 'Present'
+win2022STIG_stigrule_254461_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_ValueData: '1'
+win2022STIG_stigrule_254461_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_ValueType: 'Dword'
+# R-254462 WN22-SO-000180
+win2022STIG_stigrule_254462_Manage: True
+win2022STIG_stigrule_254462_Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\'
+win2022STIG_stigrule_254462_Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers_State: 'Present'
+win2022STIG_stigrule_254462_Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers_ValueData: '0'
+win2022STIG_stigrule_254462_Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers_ValueType: 'Dword'
+# R-254463 WN22-SO-000190
+win2022STIG_stigrule_254463_Manage: True
+win2022STIG_stigrule_254463_Microsoft_network_server_Digitally_sign_communications_always_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\'
+win2022STIG_stigrule_254463_Microsoft_network_server_Digitally_sign_communications_always_State: 'Present'
+win2022STIG_stigrule_254463_Microsoft_network_server_Digitally_sign_communications_always_ValueData: '1'
+win2022STIG_stigrule_254463_Microsoft_network_server_Digitally_sign_communications_always_ValueType: 'Dword'
+# R-254464 WN22-SO-000200
+win2022STIG_stigrule_254464_Manage: True
+win2022STIG_stigrule_254464_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\'
+win2022STIG_stigrule_254464_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_State: 'Present'
+win2022STIG_stigrule_254464_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_ValueData: '1'
+win2022STIG_stigrule_254464_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_ValueType: 'Dword'
+# R-254465 WN22-SO-000210
+win2022STIG_stigrule_254465_Manage: False
+win2022STIG_stigrule_254465_Network_access_Allow_anonymous_SID_Name_translation_ValueData: '0'
+# R-254466 WN22-SO-000220
+win2022STIG_stigrule_254466_Manage: True
+win2022STIG_stigrule_254466_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\'
+win2022STIG_stigrule_254466_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_State: 'Present'
+win2022STIG_stigrule_254466_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_ValueData: '1'
+win2022STIG_stigrule_254466_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_ValueType: 'Dword'
+# R-254467 WN22-SO-000230
+win2022STIG_stigrule_254467_Manage: True
+win2022STIG_stigrule_254467_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\'
+win2022STIG_stigrule_254467_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_State: 'Present'
+win2022STIG_stigrule_254467_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_ValueData: '1'
+win2022STIG_stigrule_254467_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_ValueType: 'Dword'
+# R-254468 WN22-SO-000240
+win2022STIG_stigrule_254468_Manage: True
+win2022STIG_stigrule_254468_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\'
+win2022STIG_stigrule_254468_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_State: 'Present'
+win2022STIG_stigrule_254468_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_ValueData: '0'
+win2022STIG_stigrule_254468_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_ValueType: 'Dword'
+# R-254469 WN22-SO-000250
+win2022STIG_stigrule_254469_Manage: True
+win2022STIG_stigrule_254469_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\'
+win2022STIG_stigrule_254469_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_State: 'Present'
+win2022STIG_stigrule_254469_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_ValueData: '1'
+win2022STIG_stigrule_254469_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_ValueType: 'Dword'
+# R-254470 WN22-SO-000260
+win2022STIG_stigrule_254470_Manage: True
+win2022STIG_stigrule_254470_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\'
+win2022STIG_stigrule_254470_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_State: 'Present'
+win2022STIG_stigrule_254470_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_ValueData: '1'
+win2022STIG_stigrule_254470_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_ValueType: 'Dword'
+# R-254471 WN22-SO-000270
+win2022STIG_stigrule_254471_Manage: True
+win2022STIG_stigrule_254471_Network_security_Allow_LocalSystem_NULL_session_fallback_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\'
+win2022STIG_stigrule_254471_Network_security_Allow_LocalSystem_NULL_session_fallback_State: 'Present'
+win2022STIG_stigrule_254471_Network_security_Allow_LocalSystem_NULL_session_fallback_ValueData: '0'
+win2022STIG_stigrule_254471_Network_security_Allow_LocalSystem_NULL_session_fallback_ValueType: 'Dword'
+# R-254472 WN22-SO-000280
+win2022STIG_stigrule_254472_Manage: True
+win2022STIG_stigrule_254472_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\'
+win2022STIG_stigrule_254472_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_State: 'Present'
+win2022STIG_stigrule_254472_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_ValueData: '0'
+win2022STIG_stigrule_254472_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_ValueType: 'Dword'
+# R-254474 WN22-SO-000300
+win2022STIG_stigrule_254474_Manage: True
+win2022STIG_stigrule_254474_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\'
+win2022STIG_stigrule_254474_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_State: 'Present'
+win2022STIG_stigrule_254474_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_ValueData: '1'
+win2022STIG_stigrule_254474_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_ValueType: 'Dword'
+# R-254475 WN22-SO-000310
+win2022STIG_stigrule_254475_Manage: True
+win2022STIG_stigrule_254475_Network_security_LAN_Manager_authentication_level_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\'
+win2022STIG_stigrule_254475_Network_security_LAN_Manager_authentication_level_State: 'Present'
+win2022STIG_stigrule_254475_Network_security_LAN_Manager_authentication_level_ValueData: '5'
+win2022STIG_stigrule_254475_Network_security_LAN_Manager_authentication_level_ValueType: 'Dword'
+# R-254476 WN22-SO-000320
+win2022STIG_stigrule_254476_Manage: True
+win2022STIG_stigrule_254476_Network_security_LDAP_client_signing_requirements_Key: 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\'
+win2022STIG_stigrule_254476_Network_security_LDAP_client_signing_requirements_State: 'Present'
+win2022STIG_stigrule_254476_Network_security_LDAP_client_signing_requirements_ValueData: '1'
+win2022STIG_stigrule_254476_Network_security_LDAP_client_signing_requirements_ValueType: 'Dword'
+# R-254477 WN22-SO-000330
+win2022STIG_stigrule_254477_Manage: True
+win2022STIG_stigrule_254477_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\'
+win2022STIG_stigrule_254477_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_State: 'Present'
+win2022STIG_stigrule_254477_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_ValueData: '537395200'
+win2022STIG_stigrule_254477_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_ValueType: 'Dword'
+# R-254478 WN22-SO-000340
+win2022STIG_stigrule_254478_Manage: True
+win2022STIG_stigrule_254478_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\'
+win2022STIG_stigrule_254478_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_State: 'Present'
+win2022STIG_stigrule_254478_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_ValueData: '537395200'
+win2022STIG_stigrule_254478_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_ValueType: 'Dword'
+# R-254479 WN22-SO-000350
+win2022STIG_stigrule_254479_Manage: True
+win2022STIG_stigrule_254479_System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer_Key: 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\'
+win2022STIG_stigrule_254479_System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer_State: 'Present'
+win2022STIG_stigrule_254479_System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer_ValueData: '2'
+win2022STIG_stigrule_254479_System_cryptography_Force_strong_key_protection_for_user_keys_stored_on_the_computer_ValueType: 'Dword'
+# R-254480 WN22-SO-000360
+win2022STIG_stigrule_254480_Manage: True
+win2022STIG_stigrule_254480_System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\'
+win2022STIG_stigrule_254480_System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing_State: 'Present'
+win2022STIG_stigrule_254480_System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing_ValueData: '1'
+win2022STIG_stigrule_254480_System_cryptography_Use_FIPS_compliant_algorithms_for_encryption_hashing_and_signing_ValueType: 'Dword'
+# R-254481 WN22-SO-000370
+win2022STIG_stigrule_254481_Manage: True
+win2022STIG_stigrule_254481_System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links_Key: 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\'
+win2022STIG_stigrule_254481_System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links_State: 'Present'
+win2022STIG_stigrule_254481_System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links_ValueData: '1'
+win2022STIG_stigrule_254481_System_objects_Strengthen_default_permissions_of_internal_system_objects_eg_Symbolic_Links_ValueType: 'Dword'
+# R-254482 WN22-SO-000380
+win2022STIG_stigrule_254482_Manage: True
+win2022STIG_stigrule_254482_User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254482_User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account_State: 'Present'
+win2022STIG_stigrule_254482_User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account_ValueData: '1'
+win2022STIG_stigrule_254482_User_Account_Control_Admin_Approval_Mode_for_the_Built_in_Administrator_account_ValueType: 'Dword'
+# R-254483 WN22-SO-000390
+win2022STIG_stigrule_254483_Manage: True
+win2022STIG_stigrule_254483_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254483_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_State: 'Present'
+win2022STIG_stigrule_254483_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_ValueData: '0'
+win2022STIG_stigrule_254483_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_ValueType: 'Dword'
+# R-254484 WN22-SO-000400
+win2022STIG_stigrule_254484_Manage: True
+win2022STIG_stigrule_254484_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254484_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_State: 'Present'
+win2022STIG_stigrule_254484_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_ValueData: '2'
+win2022STIG_stigrule_254484_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_ValueType: 'Dword'
+# R-254485 WN22-SO-000410
+win2022STIG_stigrule_254485_Manage: True
+win2022STIG_stigrule_254485_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254485_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_State: 'Present'
+win2022STIG_stigrule_254485_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_ValueData: '0'
+win2022STIG_stigrule_254485_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_ValueType: 'Dword'
+# R-254486 WN22-SO-000420
+win2022STIG_stigrule_254486_Manage: True
+win2022STIG_stigrule_254486_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254486_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_State: 'Present'
+win2022STIG_stigrule_254486_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_ValueData: '1'
+win2022STIG_stigrule_254486_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_ValueType: 'Dword'
+# R-254487 WN22-SO-000430
+win2022STIG_stigrule_254487_Manage: True
+win2022STIG_stigrule_254487_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254487_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_State: 'Present'
+win2022STIG_stigrule_254487_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_ValueData: '1'
+win2022STIG_stigrule_254487_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_ValueType: 'Dword'
+# R-254488 WN22-SO-000440
+win2022STIG_stigrule_254488_Manage: True
+win2022STIG_stigrule_254488_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254488_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_State: 'Present'
+win2022STIG_stigrule_254488_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_ValueData: '1'
+win2022STIG_stigrule_254488_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_ValueType: 'Dword'
+# R-254489 WN22-SO-000450
+win2022STIG_stigrule_254489_Manage: True
+win2022STIG_stigrule_254489_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+win2022STIG_stigrule_254489_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations_State: 'Present'
+win2022STIG_stigrule_254489_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations_ValueData: '1'
+win2022STIG_stigrule_254489_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per_user_locations_ValueType: 'Dword'
+# R-254490 WN22-UC-000010
+win2022STIG_stigrule_254490_Manage: True
+win2022STIG_stigrule_254490_SaveZoneInformation_Key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
+win2022STIG_stigrule_254490_SaveZoneInformation_State: 'Present'
+win2022STIG_stigrule_254490_SaveZoneInformation_ValueData: '2'
+win2022STIG_stigrule_254490_SaveZoneInformation_ValueType: 'Dword'
+# R-254491 WN22-UR-000010
+win2022STIG_stigrule_254491_Manage: True
+win2022STIG_stigrule_254491_SeTrustedCredManAccessPrivilege_Users: []
+# R-254492 WN22-UR-000020
+win2022STIG_stigrule_254492_Manage: True
+win2022STIG_stigrule_254492_SeTcbPrivilege_Users: []
+# R-254493 WN22-UR-000030
+win2022STIG_stigrule_254493_Manage: True
+win2022STIG_stigrule_254493_SeInteractiveLogonRight_Users: ['Administrators']
+# R-254494 WN22-UR-000040
+win2022STIG_stigrule_254494_Manage: True
+win2022STIG_stigrule_254494_SeBackupPrivilege_Users: ['Administrators']
+# R-254495 WN22-UR-000050
+win2022STIG_stigrule_254495_Manage: True
+win2022STIG_stigrule_254495_SeCreatePagefilePrivilege_Users: ['Administrators']
+# R-254496 WN22-UR-000060
+win2022STIG_stigrule_254496_Manage: True
+win2022STIG_stigrule_254496_SeCreateTokenPrivilege_Users: []
+# R-254497 WN22-UR-000070
+win2022STIG_stigrule_254497_Manage: True
+win2022STIG_stigrule_254497_SeCreateGlobalPrivilege_Users: ['Administrators','Service','Local Service','Network Service']
+# R-254498 WN22-UR-000080
+win2022STIG_stigrule_254498_Manage: True
+win2022STIG_stigrule_254498_SeCreatePermanentPrivilege_Users: []
+# R-254499 WN22-UR-000090
+win2022STIG_stigrule_254499_Manage: True
+win2022STIG_stigrule_254499_SeCreateSymbolicLinkPrivilege_Users: ['Administrators']
+# R-254500 WN22-UR-000100
+win2022STIG_stigrule_254500_Manage: True
+win2022STIG_stigrule_254500_SeDebugPrivilege_Users: ['Administrators']
+# R-254501 WN22-UR-000110
+win2022STIG_stigrule_254501_Manage: True
+win2022STIG_stigrule_254501_SeRemoteShutdownPrivilege_Users: ['Administrators']
+# R-254502 WN22-UR-000120
+win2022STIG_stigrule_254502_Manage: True
+win2022STIG_stigrule_254502_SeAuditPrivilege_Users: ['Local Service','Network Service']
+# R-254503 WN22-UR-000130
+win2022STIG_stigrule_254503_Manage: True
+win2022STIG_stigrule_254503_SeImpersonatePrivilege_Users: ['Administrators','Service','Local Service','Network Service']
+# R-254504 WN22-UR-000140
+win2022STIG_stigrule_254504_Manage: True
+win2022STIG_stigrule_254504_SeIncreaseBasePriorityPrivilege_Users: ['Administrators']
+# R-254505 WN22-UR-000150
+win2022STIG_stigrule_254505_Manage: True
+win2022STIG_stigrule_254505_SeLoadDriverPrivilege_Users: ['Administrators']
+# R-254506 WN22-UR-000160
+win2022STIG_stigrule_254506_Manage: True
+win2022STIG_stigrule_254506_SeLockMemoryPrivilege_Users: []
+# R-254507 WN22-UR-000170
+win2022STIG_stigrule_254507_Manage: True
+win2022STIG_stigrule_254507_SeSecurityPrivilege_Users: ['Administrators']
+# R-254508 WN22-UR-000180
+win2022STIG_stigrule_254508_Manage: True
+win2022STIG_stigrule_254508_SeSystemEnvironmentPrivilege_Users: ['Administrators']
+# R-254509 WN22-UR-000190
+win2022STIG_stigrule_254509_Manage: True
+win2022STIG_stigrule_254509_SeManageVolumePrivilege_Users: ['Administrators']
+# R-254510 WN22-UR-000200
+win2022STIG_stigrule_254510_Manage: True
+win2022STIG_stigrule_254510_SeProfileSingleProcessPrivilege_Users: ['Administrators']
+# R-254511 WN22-UR-000210
+win2022STIG_stigrule_254511_Manage: True
+win2022STIG_stigrule_254511_SeRestorePrivilege_Users: ['Administrators']
+# R-254512 WN22-UR-000220
+win2022STIG_stigrule_254512_Manage: True
+win2022STIG_stigrule_254512_SeTakeOwnershipPrivilege_Users: ['Administrators']

collections/ansible_collections/demo/openshift/roles/cluster_config/README.md

@@ -0,0 +1,131 @@
+Role Name
+=========
+
+This Ansible role helps configure Operators on the Openshift Cluster to support VM migrations. Tasks include
+- Configure Catalog Sources to use mirroring repository for Operators
+- Create and configure Operators
+
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+The task `operators/catalog_sources.yml` needs following variables:
+
+- **Variable Name**: `cluster_config_catalog_sources`
+  - **Type**: List
+  - **Description**: A list of custom CatalogSources configurations used as loop variables to generate Kubernetes manifest files from the  template `catalog_source.j2` for CatalogSource. If the variable is not available, no manifest is created.
+  - **Example**:
+    ```yaml
+    cluster_config_catalog_sources:
+      - name: redhat-marketplace2
+        source_type: grpc
+        display_name: Mirror to Red Hat Marketplace
+        image_path: internal-registry.example.com/operator:v1
+        priority: '-300'
+        icon:
+          base64data: ''
+          mediatype: ''
+        publisher: redhat
+        address: ''
+        grpc_pod_config: |
+          nodeSelector:
+            kubernetes.io/os: linux
+            node-role.kubernetes.io/master: ''
+          priorityClassName: system-cluster-critical
+          securityContextConfig: restricted
+          tolerations:
+            - effect: NoSchedule
+              key: node-role.kubernetes.io/master
+              operator: Exists
+            - effect: NoExecute
+              key: node.kubernetes.io/unreachable
+              operator: Exists
+              tolerationSeconds: 120
+            - effect: NoExecute
+              key: node.kubernetes.io/not-ready
+              operator: Exists
+              tolerationSeconds: 120
+        registry_poll_interval: 10m
+    ```
+
+The task `operators/operator_config.yaml` needs following variables:
+
+- **Variable Name**: `cluster_config_operators`
+  - **Type**: List
+  - **Description**: A list of operators to be installed on OCP cluster
+- **Variable Name**: `cluster_config_[OPERATOR_NAME]`
+  - **Type**: Dict
+  - **Description**: Configuration specific to each operator listed in `cluster_config_operators`. Includes settings for namespace, operator group, subscription, and any extra resources
+  - **Example**: Assume the `cluster_config_operators` specifies these operators:
+  ```yaml
+  cluster_config_operators:
+    - cnv
+    - oadp
+  ```
+  then the corresponding `cluster_config_mtv` and `cluster_config_cnv` can be configured as following:
+  ```yaml
+  cluster_config_cnv_namespace: openshift-cnv
+  cluster_config_cnv:
+  namespace:
+    name: "{{ cluster_config_cnv_namespace }}"
+  operator_group:
+    name: kubevirt-hyperconverged-group
+    target_namespaces:
+      - "{{ cluster_config_cnv_namespace }}"
+  subscription:
+    name: kubevirt-hyperconverged
+    starting_csv: kubevirt-hyperconverged-operator.v4.13.8
+  extra_resources:
+    - apiVersion: hco.kubevirt.io/v1beta1
+      kind: HyperConverged
+      metadata:
+        name: kubevirt-hyperconverged
+        namespace: "{{ cluster_config_cnv_namespace }}"
+      spec:
+        BareMetalPlatform: true
+
+  cluster_config_oadp_namespace: openshift-adp
+  cluster_config_oadp:
+  namespace:
+    name: "{{ cluster_config_oadp_namespace }}"
+  operator_group:
+    name: redhat-oadp-operator-group
+    target_namespaces:
+      - "{{ cluster_config_oadp_namespace }}"
+  subscription:
+    name: redhat-oadp-operator-subscription
+    spec_name: redhat-oadp-operator
+  ```
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+An example of configuring a CatalogSource resource:
+```
+- name: Configure Catalog Sources for Operators
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - ansible.builtin.include_role:
+        name: cluster_config
+        tasks_from: operators/catalog_sources
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

collections/ansible_collections/demo/openshift/roles/cluster_config/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+# defaults file for cluster_config
+cluster_config_operators:
+  - cnv
+
+cluster_config_cnv:
+  checkplan: true
+  namespace:
+    name: &cluster_config_cnv_namespace openshift-cnv
+  operator_group:
+    name: kubevirt-hyperconverged-group
+    target_namespaces:
+      - *cluster_config_cnv_namespace
+  subscription:
+    name: kubevirt-hyperconverged
+  extra_resources:
+    - apiVersion: hco.kubevirt.io/v1beta1
+      kind: HyperConverged
+      metadata:
+        name: kubevirt-hyperconverged
+        namespace: *cluster_config_cnv_namespace
+      spec:
+        BareMetalPlatform: true

collections/ansible_collections/demo/openshift/roles/cluster_config/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for cluster_config

collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure Operators
+  ansible.builtin.import_tasks: operators/operator_config.yml

collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/_operator_config_item.yml

@@ -0,0 +1,37 @@
+---
+- name: Retrieve Operator name
+  ansible.builtin.set_fact:
+    _operator: "{{ vars['cluster_config_' + _operator_name] }}"
+- name: Configure Operator {{ _operator_name }}
+  redhat.openshift.k8s:
+    state: present
+    template:
+      - operators/namespace.yml.j2
+      - operators/operator_group.yml.j2
+      - operators/subscription.yml.j2
+- name: Query for install plan
+  kubernetes.core.k8s_info:
+    api_version: operators.coreos.com/v1alpha1
+    kind: InstallPlan
+    namespace: "{{ _operator.namespace.name }}"
+  register: r_install_plans
+  retries: 30
+  delay: 5
+  until:
+    - r_install_plans.resources | default([]) | length > 0
+    - r_install_plans.resources[0].status is defined
+    - r_install_plans.resources[0].status.phase == "Complete"
+  when:
+    - _operator.checkplan is defined
+    - _operator.checkplan | bool
+
+- name: Configure extra resources for Operator {{ _operator_name }}
+  redhat.openshift.k8s:
+    state: present
+    definition: "{{ item }}"
+  register: creation_result
+  loop: "{{ _operator.extra_resources }}"
+  retries: 30
+  delay: 5
+  until: creation_result is success
+  when: _operator.extra_resources is defined

collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/catalog_sources.yml

@@ -0,0 +1,7 @@
+---
+- name: Configure custom CatalogSource for Operators
+  redhat.openshift.k8s:
+    state: present
+    template: operators/catalog_source.j2
+  loop: "{{ cluster_config_catalog_sources }}"
+  when: cluster_config_catalog_sources is defined

collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/node-health-check.yml

@@ -0,0 +1,59 @@
+---
+- name: Create node-health-check operator namespace
+  redhat.openshift.k8s:
+    name:  openshift-workload-availability
+    api_version: v1
+    kind: Namespace
+    state: present
+
+- name: Create node-health-check operator group
+  redhat.openshift.k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1
+      kind: OperatorGroup
+      metadata:
+        generateName: openshift-workload-availability-
+        annotations:
+          olm.providedAPIs: >-
+            NodeHealthCheck.v1alpha1.remediation.medik8s.io,SelfNodeRemediation.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationConfig.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationTemplate.v1alpha1.self-node-remediation.medik8s.io
+        namespace: openshift-workload-availability
+      spec:
+        upgradeStrategy: Default
+
+- name: Create node-health-check operator subscription
+  redhat.openshift.k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: Subscription
+      metadata:
+        labels:
+          operators.coreos.com/node-healthcheck-operator.openshift-workload-availability: ''
+        name: node-health-check-operator
+        namespace: openshift-workload-availability
+      spec:
+        channel: stable
+        installPlanApproval: Automatic
+        name: node-healthcheck-operator
+        source: redhat-operators
+        sourceNamespace: openshift-marketplace
+
+- name: Create Self Node Remediation subscription
+  redhat.openshift.k8s:
+    state: present
+    definition:
+      apiVersion: operators.coreos.com/v1alpha1
+      kind: Subscription
+      metadata:
+        name: self-node-remediation-stable-redhat-operators-openshift-marketplace
+        namespace: openshift-workload-availability
+        labels:
+          operators.coreos.com/self-node-remediation.openshift-workload-availability: ''
+      spec:
+        channel: stable
+        installPlanApproval: Automatic
+        name: self-node-remediation
+        source: redhat-operators
+        sourceNamespace: openshift-marketplace
+        startingCSV: self-node-remediation.v0.8.0

collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/operator_config.yml

@@ -0,0 +1,6 @@
+---
+- name: Configure Operators
+  ansible.builtin.include_tasks: _operator_config_item.yml
+  loop: "{{ cluster_config_operators }}"
+  loop_control:
+    loop_var: _operator_name

collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/catalog_source.j2

@@ -0,0 +1,34 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: {{ item.name }}
+  namespace: openshift-marketplace
+spec:
+  sourceType: {{ item.source_type | d('grpc',true) }}
+  image: {{ item.image_path }}
+  {% if item.display_name is defined -%}
+  displayName: {{ item.display_name }}
+  {% endif -%}
+  {% if item.priority is defined -%}
+  priority: {{ item.priority }}
+  {% endif -%}
+  {% if item.grpc_pod_config is defined -%}
+  grpcPodConfig:
+    {{ item.grpc_pod_config | indent(4) }}
+  {% endif -%}
+  {% if item.icon is defined -%}
+  icon:
+    base64data: '{{ item.icon.base64data or ''  }}'
+    mediatype: '{{ item.icon.mediatype or '' }}'
+  {% endif -%}
+  {% if item.publisher is defined -%}
+  publisher: {{ item.publisher }}
+  {% endif -%}
+  {% if item.address is defined -%}
+  address: {{ item.address }}
+  {% endif -%}
+  {% if item.registry_poll_interval is defined -%}
+  updateStrategy:
+    registryPoll:
+      interval: {{ item.registry_poll_interval }}
+  {% endif -%}

collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/namespace.yml.j2

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: {{ _operator.namespace.name }}
+{% if _operator.namespace.labels is defined %}
+    labels:
+      {% for key, value in _operator.namespace.labels.items() -%}
+      {{ key }}: "{{ value }}"
+      {% endfor -%}
+{% endif -%}

collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/operator_group.yml.j2

@@ -0,0 +1,12 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: {{ _operator.operator_group.name }}
+  namespace: {{ _operator.operator_group.namespace | d(_operator.namespace.name, true) }}
+spec:
+  {% if _operator.operator_group.target_namespaces is defined -%}
+  targetNamespaces:
+  {% for item in _operator.operator_group.target_namespaces %}
+    - {{ item }}
+  {% endfor %}
+  {% endif -%}

collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/subscription.yml.j2

@@ -0,0 +1,14 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: {{ _operator.subscription.name }}
+  namespace: "{{ _operator.subscription.namespace | d(_operator.namespace.name, true) }}"
+spec:
+  channel: {{ _operator.subscription.channel | d('stable', true) }}
+  installPlanApproval: {{ _operator.subscription.install_plan_approval | d('Automatic', true) }}
+  name: {{ _operator.subscription.spec_name | d(_operator.subscription.name, true) }}
+  source: {{ _operator.subscription.source | d('redhat-operators', true) }}
+  sourceNamespace: {{ _operator.subscription.source_namespace | d('openshift-marketplace', true) }}
+{% if _operator.subscription.starting_csv is defined %}
+  startingCSV: {{ _operator.subscription.starting_csv }}
+{% endif -%}

collections/ansible_collections/demo/openshift/roles/cluster_config/tests/inventory

@@ -0,0 +1 @@
+localhost

collections/ansible_collections/demo/openshift/roles/cluster_config/tests/test.yml

@@ -0,0 +1,6 @@
+---
+- name: Include cluster_config role
+  hosts: localhost
+  remote_user: root
+  roles:
+    - cluster_config

collections/ansible_collections/demo/openshift/roles/cluster_config/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for cluster_config

collections/ansible_collections/demo/openshift/roles/eda_controller/.yamllint

@@ -0,0 +1,13 @@
+---
+extends: default
+
+rules:
+  comments:
+    require-starting-space: false
+    min-spaces-from-content: 1
+  comments-indentation: disable
+  indentation:
+    indent-sequences: consistent
+  line-length:
+    max: 120
+    allow-non-breakable-inline-mappings: true

collections/ansible_collections/demo/openshift/roles/eda_controller/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# --------------------------------------------------------
+# Ansible Automation Platform Controller URL
+# --------------------------------------------------------
+# eda_controller_aap_controller_url: [Required]
+
+# --------------------------------------------------------
+# Workload: eda_controller
+# --------------------------------------------------------
+eda_controller_project: "aap"
+eda_controller_project_app_name: "eda-controller"
+
+# eda_controller_admin_password: "{{ common_password }}"
+
+eda_controller_cluster_rolebinding_name: eda_default
+eda_controller_cluster_rolebinding_role: cluster-admin

collections/ansible_collections/demo/openshift/roles/eda_controller/meta/main.yml

@@ -0,0 +1,14 @@
+---
+galaxy_info:
+  role_name: eda_controller
+  author: Mitesh Sharma (mitsharm@redhat.com)
+  description: |
+    Installs EDA on OpenShift
+  license: GPLv3
+  min_ansible_version: "2.9"
+  platforms: []
+  galaxy_tags:
+    - eda
+    - openshift
+    - aap
+dependencies: []

collections/ansible_collections/demo/openshift/roles/eda_controller/readme.adoc

@@ -0,0 +1,6 @@
+== eda_controller
+
+This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
+
+== Dependencies
+Role: automation_controller_platform

collections/ansible_collections/demo/openshift/roles/eda_controller/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Setup environment vars
+  block:
+    - name: Create secret and Install EDA
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('template', __definition) }}"
+      loop:
+        - eda_admin_secret.j2
+        - eda_controller.j2
+      loop_control:
+        loop_var: __definition
+
+    - name: Retrieve created route
+      kubernetes.core.k8s_info:
+        api_version: "route.openshift.io/v1"
+        kind: Route
+        name: "{{ eda_controller_project_app_name }}"
+        namespace: "{{ eda_controller_project }}"
+      register: eda_controller_r_eda_route
+      until: eda_controller_r_eda_route.resources[0].spec.host is defined
+      retries: 30
+      delay: 45
+
+    - name: Get eda-controller route hostname
+      ansible.builtin.set_fact:
+        eda_controller_hostname: "{{ eda_controller_r_eda_route.resources[0].spec.host }}"
+
+    - name: Wait for eda_controller to be running
+      ansible.builtin.uri:
+        url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
+        user: "admin"
+        password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
+        method: GET
+        force_basic_auth: true
+        validate_certs: false
+        body_format: json
+        status_code: 200
+      register: eda_controller_r_result
+      until: not eda_controller_r_result.failed
+      retries: 60
+      delay: 45
+
+    - name: Create Rolebinding for Rulebook Activations
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
+
+    - name: Display EDA Controller URL
+      ansible.builtin.debug:
+        msg:
+          - "EDA Controller URL: https://{{ eda_controller_hostname }}"
+          - "EDA Controller Admin Login: admin"
+          - "EDA Controller Admin Password: <same as the Controller Admin password>"

collections/ansible_collections/demo/openshift/roles/eda_controller/templates/cluster_rolebinding.j2

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ eda_controller_cluster_rolebinding_name }}
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ eda_controller_project }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ eda_controller_cluster_rolebinding_role }}

collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_admin_secret.j2

@@ -0,0 +1,15 @@
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ eda_controller_project_app_name }}-admin-password
+  namespace: {{ eda_controller_project }}
+  labels:
+    app.kubernetes.io/component: eda
+    app.kubernetes.io/managed-by: eda-operator
+    app.kubernetes.io/name: {{ eda_controller_project_app_name }}
+    app.kubernetes.io/operator-version: '2.4'
+    app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
+data:
+  password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
+type: Opaque