ptoal/product-demos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: ptoal:rhpd_test
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST
...
pull from: ptoal:main
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST

82 Commits
rhpd_test ... main

Author SHA1 Message Date
Matthew Fernandez
cc1fa209e2 Fix ci (#269) 2025-08-11 15:02:13 -06:00
Zach LeBlanc
a0fd566f2a Add Documentation for Connecting to Windows Hosts (#258) 2025-07-14 15:14:06 -04:00
Chris Edillon
a7b79faf34 Refer to bootstrap repo for initial APD setup (#257) 2025-07-09 13:07:17 -06:00
Chris Edillon
af7d93fcdb Improve compliance report firewalld conditional (#253) 
Co-authored-by: Matthew Fernandez <l3acon@users.noreply.github.com>
 2025-06-25 14:00:29 -06:00
Matthew Fernandez
0634643f21 Fix AWS groups (#255) 2025-06-25 13:06:49 -04:00
Todd Ruch
db97b38fbc Resolve parameter failure in Windows "Create some users" task (#250) 2025-06-20 14:38:08 -04:00
Chris Edillon
7468d14a98 support building multi-arch EE image (#249) 
Co-authored-by: Matthew Fernandez <l3acon@users.noreply.github.com>
 2025-06-18 16:49:04 -04:00
Matthew Fernandez
8a70edbfdc Attempt galaxy workaround (#252) 
this will eventually be re-worked to put roles in our EE
 2025-06-17 10:00:20 -06:00
Matthew Fernandez
9a93004e0a Fix mistake where the main README.md is overridden. (#243) 2025-05-13 12:08:50 -06:00
Matthew Fernandez
64f7c88114 Refactor pre commit (#237) 
Wheee!
 2025-05-06 14:24:25 -06:00
Chris Edillon
4285a68f3e Update DISA supplemental roles for RHEL STIG (#238) 2025-05-05 11:11:14 -06:00
Matthew Fernandez
7cfb27600f Add Compliance Workflow (#219) 
Co-authored-by: Matt Fernandez <matferna@matferna-mac.lab.cheeseburgia.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
 2025-05-01 17:46:06 -04:00
Matthew Fernandez
3400e73675 Rename Windows ec2 instance for #235 (#236) 
pushed the EE's, merging
 2025-04-29 13:05:13 -06:00
Todd Ruch
0b1904e727 Updated Windows job templates to use the Product Demos EE (#231) 
Co-authored-by: Todd Ruch <truch@redhat.com>
 2025-03-19 16:48:08 -04:00
Todd Ruch
53b180d43e Updated to include the available chart versions and add an instance deployment message (#230) 
Co-authored-by: Todd Ruch <truch@redhat.com>
 2025-03-12 14:28:47 -06:00
Chris Edillon
3b4fa650b3 Add availability zone mapping for VPC subnet (#220) 2025-02-18 11:25:57 -05:00
Todd Ruch
a9b940958d Added check_mode: false to ensure yum utils is installed regardless of check mode (#217) 
Co-authored-by: Todd Ruch <truch@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
 2025-01-27 15:16:54 -05:00
Chris Edillon
a9dbf33655 Added network.backup collection to 2.5 EE (#211) 2025-01-20 11:20:57 -05:00
Todd Ruch
53fa6fa359 Added Network Backups to show using validated content to back up network devices (#214) 
Co-authored-by: Todd Ruch <truch@redhat.com>
 2025-01-13 14:47:32 -07:00
Zach LeBlanc
39d2d0f283 Upgade pywinrm to fix Windows workloads for AAP 2.5 EE running Python 3.11 (#207) 2024-12-17 15:11:06 -05:00
Matthew Fernandez
3137ce1090 Add RHDP dependencies to APD EE definition (#203) 2024-11-18 16:18:54 -05:00
Matthew Fernandez
5581e790f6 A few small bug fixes around OCP CNV demos (#202) 2024-11-12 08:47:39 -07:00
Chris Edillon
90d28aabbe Resolved firewalld issue on patch report server (#200) 2024-11-11 15:04:03 -07:00
shebistar
b523a48b23 Update chart version for gitlab to 8.5.1 (#199) 2024-11-11 11:02:47 -05:00
Matthew Fernandez
d085007b55 Update APD EE for use with AgnosticD (#198) 2024-11-05 11:53:57 -05:00
Matthew Fernandez
c98732009c update common to use new default EE (#197) 2024-10-28 14:14:27 -06:00
Chris Edillon
0f1e4828a3 apply single-demo fix to multi-demo JT (#196) 2024-10-28 13:35:06 -04:00
Chris Edillon
fbb6d95736 added 2.5 EE to build script (#195) 2024-10-28 13:10:31 -04:00
Chris Edillon
1e266f457a hotfix: disable controller_configuration check 
see https://github.com/redhat-cop/infra.aap_configuration/issues/942
 2024-10-28 12:58:31 -04:00
Chris Edillon
fd9405ef02 Switch to the new product demos EE and bootstrap repo (#194) 2024-10-28 11:58:30 -04:00
Chris Edillon
fe006bdb9e Fix latest pre-commit errors (#189) 2024-10-22 09:55:55 -04:00
Sean Cavanaugh
a257597a7d Fix Cloud Report (#190) 2024-09-24 09:28:42 -04:00
Chris Edillon
6c65b53ac9 added local build script for product demos EEs (#184) 2024-09-23 15:15:53 -04:00
Todd Ruch
a359559cb2 Resolve issue #107 to restore network report demo (#175) 
Co-authored-by: Todd Ruch <truch@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
 2024-09-18 11:27:11 -04:00
Zach LeBlanc
0c4030d932 Specify Windows image owner to prevent licensing error (#185) 
Closes #186
 2024-09-18 11:11:31 -04:00
Matthew Fernandez
ae7f24e8a4 Updating openshift/README.md to include recently added demos (#183) 
Yay docs
 2024-09-09 12:37:04 -06:00
Chris Edillon
c192aa2c55 Fixed linting issues causing GitHub action failures (#180) 2024-08-30 10:51:28 -04:00
Matthew Fernandez
28eb5be812 Adding a workflow to patch CNV instances with snapshot and restore on failure. (#171) 2024-08-29 15:34:43 -04:00
Zach LeBlanc
8a99b66adc Workflow to setup Windows Domain with DC and hosts (#168) 
Co-authored-by: willtome <wtome@redhat.com>
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
 2024-08-29 14:15:40 -04:00
Chris Edillon
035f815486 Added set_stats example to cloud workflow (#173) 2024-08-27 09:46:35 -04:00
Chris Edillon
552acdcb6c Updated versions of compliance-related roles (#170) 2024-08-20 13:30:48 -04:00
Chris Edillon
40515ac65b Create common prerequisites configuration (#169) 2024-08-16 14:07:59 -04:00
Todd Ruch
70d7c46604 Resolves NETWORK / DISA STIG job logging error (#164) 2024-08-12 15:18:11 -04:00
Chris Edillon
7455e7fa70 Removed release process from contributor guidelines (#167) 2024-08-12 15:11:51 -04:00
Matthew Fernandez
d80cc0ac7a Fix 'Delete VM' JT to actually delete VMs and remove unnecessary CNV … (#162) 2024-08-05 15:04:33 -04:00
Chris Edillon
120fe3068f Update pre-commit actions to latest versions (#159) 2024-07-22 15:35:35 -04:00
Matthew Fernandez
0babde7960 Add EDA Controller Job template (#155) 
Co-authored-by: Chris Edillon <67980205+jce-redhat@users.noreply.github.com>
 2024-07-22 15:34:57 -04:00
Matthew Fernandez
4588ef9892 Fix ocp-v inventory to match changes upstream (#157) 2024-07-22 15:33:29 -04:00
Chris Edillon
19de077c3b create report server instance (#153) 2024-07-18 14:45:57 -04:00
Matthew Fernandez
716f2fa74b add some small fixes (#156) 2024-06-25 12:55:29 -06:00
Matthew Fernandez
40807f1eab Add OCP-CNV patching demo (#140) 2024-06-11 15:23:56 -06:00
willtome
65936930c0 Add state exists for credentials (#150) 2024-06-10 08:37:23 -04:00
Dale Lemons
c98170d5f7 variablize chart version via host_vars (#151) 2024-06-06 12:43:34 -04:00
Chris Edillon
c6c3231234 updated requirements to match product-demos-ee (#145) 2024-06-06 10:17:09 -04:00
willtome
f554bc0ee1 Revert "add state exists to credentials" 
This reverts commit 88b171bb48.
 2024-06-06 09:45:37 -04:00
willtome
88b171bb48 add state exists to credentials 2024-06-06 09:38:57 -04:00
Chris Edillon
16553210bd Add deployment ID for bucket naming (#149) 2024-05-20 15:10:02 -04:00
Chris Edillon
4f0df3c8db Change injector raw formatting (#146) 2024-05-13 15:19:38 -04:00
Chris Edillon
e990f39c60 switch to infra.controller_configuration.dispatch (#147) 2024-04-29 10:36:22 -04:00
Todd Ruch
9cd49892c6 Updated README.md to provide details on using the new product-demos EE (#139) 2024-04-08 11:19:05 -04:00
Matthew Fernandez
3468d1c443 add cjis to compliance demo (#134) 2024-03-03 14:46:19 -05:00
Leo
10f0bb4641 Feature/changelog release (#131) 2024-01-15 15:20:57 -05:00
willtome
018c006e3b Update gitlab version (#128) 
Co-authored-by: youtous <contact@youtous.me>
 2024-01-14 14:02:31 -05:00
MKletz
1af584b4ea Workaround for #109 (#123) 
Co-authored-by: willtome <wtome@redhat.com>
 2024-01-08 10:08:52 -05:00
Zach LeBlanc
d60e0c7ca6 Update COLLECTIONS_PATHS config (#127) 
Co-authored-by: willtome <wtome@redhat.com>
 2024-01-05 10:05:33 -05:00
willtome
c198780d72 More Windows in Workflow (#126) 2024-01-05 10:05:02 -05:00
Leo
1832bb6199 fix missing comment in win_scan_packages (#125) 2023-12-15 16:21:02 -05:00
Leo
2447d0d511 Feature/improve pre commit (#119) 2023-12-14 15:29:28 -05:00
willtome
c0cd993c69 Random Bug fixes (#103) 
Co-authored-by: youtous <contact@youtous.me>
 2023-12-11 15:27:14 -05:00
MKletz
d5093fa544 #113 solution - Windows AD domain reboots (#114) 2023-11-13 11:12:18 -05:00
Dale Lemons
dd1de852b6 fix playbook paths for Cloud setup (#112) 2023-11-09 14:38:25 -05:00
Dale Lemons
e958164cb6 Gitlab url fix (#106) 2023-10-23 15:40:22 -04:00
Dale Lemons
98416fcc3c gitlab first pass (#104) 
Co-authored-by: willtome <wtome@redhat.com>
 2023-10-16 15:58:30 -04:00
Matthew Fernandez
5f8bd8929e Setup multiple (selectable) demos (#102) 2023-10-16 15:49:50 -04:00
Chris Edillon
2ee334f6b3 added pre-commit configuration for ansible-lint (#93) 
Co-authored-by: willtome <wtome@redhat.com>
 2023-09-25 15:56:11 -04:00
willtome
d7e9ad637b Update ansible-lint.yml 2023-09-25 15:40:43 -04:00
Chris Edillon
a5aa9564f5 Multi-profile compliance (#87) 
Co-authored-by: willtome <wtome@redhat.com>
 2023-09-25 15:13:15 -04:00
willtome
44585bf1b9 Update Docs (#63) 2023-09-18 14:19:56 -05:00
Matthew Fernandez
2cd3ec6f72 Extend create vm job template (#97) 2023-09-13 08:09:34 -06:00
Zach LeBlanc
7e4399eac2 Patch EC2 Workflow (#75) 
Co-authored-by: zjleblanc <zjleblanc3@gmail.com>
Co-authored-by: willtome <wtome@redhat.com>
 2023-09-11 16:00:17 -04:00
willtome
a78e74e782 OpenShift Dev Spaces (#64) 2023-08-28 15:57:19 -04:00
willtome
ddb4c09157 Move to Demo Creds and Inventory (#88) 2023-08-22 09:03:34 -04:00
238 changed files with 18706 additions and 3079 deletions
Expand all files Collapse all files

15
.ansible-lint
View File

@@ -1,4 +1,19 @@
---
profile: production
offline: true
skip_list:
- "galaxy[no-changelog]"
warn_list:
# seems to be a bug, see https://github.com/ansible/ansible-lint/issues/4172
- "fqcn[canonical]"
# @matferna: really not sure why lint thinks it can't find jmespath, it is installed and functional
- "jinja[invalid]"
exclude_paths:
# would be better to move the roles here to the top-level roles directory
- collections/ansible_collections/demo/compliance/roles/
- roles/redhatofficial.*
- .github/
- execution_environments/ee_contexts/

13
.devfile.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
schemaVersion: 2.2.0
metadata:
name: product-demos
components:
- name: product-demos-ee
container:
image: quay.io/mloriedo/ansible-creator-ee:latest # workaround for https://github.com/eclipse/che/issues/21778
memoryRequest: 256M
memoryLimit: 5Gi
cpuRequest: 250m
cpuLimit: 2000m
args: ['tail', '-f', '/dev/null']

BIN
.github/images/project-architecture.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 111 KiB

BIN
.github/images/setup_domain_final_state.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 157 KiB

BIN
.github/images/setup_domain_workflow.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

BIN
.github/images/setup_domain_workflow_domain.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
.github/images/setup_domain_workflow_inventory.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
.github/images/windows_vm_password.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

25
.github/workflows/README.md vendored Normal file
View File

@@ -0,0 +1,25 @@
# GitHub Actions
## Background
We want to make attempts to run our integration tests in the same manner wether using GitHub actions or on a developers's machine locally. For this reason, the tests are curated to run using container images. As of this writing, two images exist which we would like to test against:
- quay.io/ansible-product-demos/apd-ee-24:latest
- quay.io/ansible-product-demos/apd-ee-25:latest
These images are built given the structure defined in their respective EE [definitions][../execution_environments]. Because they differ (mainly due to their python versions), each gets some special handling.
## Troubleshooting GitHub Actions
### Interactive
It is likely the most straight-forward approach to interactively debug issues. The following podman command can be run from the project root directory to replicate the GitHub action:
```
podman run \
--user root \
-v $(pwd):/runner:Z \
-it \
<image> \
/bin/bash
```
`<image>` is one of `quay.io/ansible-product-demos/apd-ee-25:latest`, `quay.io/ansible-product-demos/apd-ee-24:latest`
It is not exact because GitHub seems to run closer to a sidecar container paradigm, and uses docker instead of podman, but hopefully it's close enough.
For the 24 EE, the python interpreriter verions is set for our pre-commit script like so: `USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh`
The 25 EE is similary run but without the need for this variable: `./.github/workflows/run-pc.sh`

25
.github/workflows/ansible-lint.yml vendored
View File

@@ -1,25 +0,0 @@
---
name: Ansible Lint
on:
- push
- pull_request
env:
ANSIBLE_GALAXY_SERVER_LIST: ah,galaxy
ANSIBLE_GALAXY_SERVER_AH_URL: https://console.redhat.com/api/automation-hub/
ANSIBLE_GALAXY_SERVER_AH_AUTH_URL: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }}
ANSIBLE_GALAXY_SERVER_GALAXY_URL: https://galaxy.ansible.com/
jobs:
build:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v3
with:
fetch-depth: 0 # needed for progressive mode to work
- name: Run ansible-lint
uses: ansible/ansible-lint-action@v6.11.0

50
.github/workflows/linter.yml.old vendored
View File

@@ -1,50 +0,0 @@
---
###########################
###########################
## Linter GitHub Actions ##
###########################
###########################
name: Lint Code Base
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#############################
# Start the job on all push #
#############################
on: [push, pull_request]
###############
# Set the Job #
###############
jobs:
build:
# Name the Job
name: Lint Code Base
# Set the agent to run on
runs-on: ubuntu-latest
##################
# Load all steps #
##################
steps:
##########################
# Checkout the code base #
##########################
- name: Checkout Code
uses: actions/checkout@v2
with:
# Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
################################
# Run Linter against code base #
################################
- name: Lint Code Base
uses: github/super-linter@v4
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

17
.github/workflows/pre-commit.yml vendored Normal file
View File

@@ -0,0 +1,17 @@
---
name: pre-commit
on:
- push
- pull_request_target
jobs:
pre-commit-25:
container:
image: quay.io/ansible-product-demos/apd-ee-25
options: --user root
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: ./.github/workflows/run-pc.sh
shell: bash

41
.github/workflows/release.yml vendored Normal file
View File

@@ -0,0 +1,41 @@
---
name: release
on:
push:
branches:
- main
tags:
- "v*.*.*"
workflow_run:
workflows: ["pre-commit"]
types:
- completed
jobs:
release:
name: Release Job
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install go (required for Changelog parsing)
uses: actions/setup-go@v4
- name: Parse CHANGELOG.md
run: |
GO111MODULE=on go install github.com/rcmachado/changelog@0.7.0
changelog show "$GITHUB_REF_NAME" > ${{ github.workspace }}-CHANGELOG.txt
echo "Release note for $GITHUB_REF_NAME :"
cat ${{ github.workspace }}-CHANGELOG.txt
- name: Release
uses: softprops/action-gh-release@v1
with:
body_path: ${{ github.workspace }}-CHANGELOG.txt
files: |
LICENSE
CHANGELOG.md

25
.github/workflows/run-pc.sh vendored Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash -x
# should no longer need this
#dnf install git-lfs -y
PYTHON_VARIANT="${USE_PYTHON:-python3.11}"
PATH="$PATH:$HOME/.local/bin"
# intsall pip
eval "${PYTHON_VARIANT} -m pip install --user --upgrade pip"
# try to fix 2.4 incompatibility
eval "${PYTHON_VARIANT} -m pip install --user --upgrade setuptools wheel twine check-wheel-contents"
# intsall pre-commit
eval "${PYTHON_VARIANT} -m pip install --user pre-commit"
# view pip packages
eval "${PYTHON_VARIANT} -m pip freeze --local"
# fix permissions on directory
git config --global --add safe.directory $(pwd)
# run pre-commit
pre-commit run --config $(pwd)/.pre-commit-gh.yml --show-diff-on-failure --color=always

11
.gitignore vendored
View File

@@ -1,4 +1,4 @@
ansible-navigator.log
sean_login_info.yml
.DS_Store
choose_demo.yml
@@ -6,4 +6,11 @@ choose_demo_example_azure.yml
choose_demo_example_aws.yml
.ansible.cfg
*.gz
*artifact*.json
roles/*
!roles/requirements.yml
.deployment_id
.cache/
.ansible/
**/tmp/
execution_environments/context/

29
.pre-commit-config.yaml Normal file
View File

@@ -0,0 +1,29 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273
- id: check-toml
- id: check-json
- id: check-symlinks
- repo: local
hooks:
- id: ansible-lint
name: ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25:latest --mode stdout
language: python
entry: bash -c "ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25 -v --force-color --mode stdout"
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

30
.pre-commit-gh.yml Normal file
View File

@@ -0,0 +1,30 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273
- id: check-toml
- id: check-json
- id: check-symlinks
- repo: https://github.com/ansible/ansible-lint.git
# get latest release tag from https://github.com/ansible/ansible-lint/releases/
rev: v25.7.0
hooks:
- id: ansible-lint
additional_dependencies:
- jmespath
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

7
.vscode/extensions.json vendored Normal file
View File

@@ -0,0 +1,7 @@
{
"recommendations": [
"redhat.vscode-yaml",
"redhat.ansible",
"ms-python.black-formatter"
]
}

3
.vscode/settings.json vendored Normal file
View File

@@ -0,0 +1,3 @@
{
"editor.renderWhitespace": "all"
}

19
.yamllint Normal file
View File

@@ -0,0 +1,19 @@
---
extends: default
rules:
line-length: disable
trailing-spaces: enable
colons:
max-spaces-before: 0
max-spaces-after: -1
indentation:
level: error
indent-sequences: true # consistent with ansible-lint
truthy:
level: error
allowed-values:
- 'true'
- 'false'
...

42
CONTRIBUTING.md
View File

@@ -1,17 +1,24 @@
# Contribution Guidelines
This document aims to outline the requirements for the various forms of contribution for this project.
**ALL** contributions are subject to review via pull request
## Project Architecture
![project-architecture](.github/images/project-architecture.png)
## Pull Requests
**ALL** contributions are subject to review via pull request
### Pull Requests
1) Ensure the "base repository" is set to "ansible/product-demos".
### Pull Request Guidelines
#### Pull Request Guidelines
- PRs should include the playbook/demo and required entry in corresponding `<demo>/setup.yml`.
- PRs should include documentation in corresponding `<demo>/README.md`.
- PRs should be rebased against the `main` branch to avoid conflicts.
- PRs should not impact more than a single directory/demo section.
- PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`.
- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123").
## Adding a New Demo
1) Create a new branch based on main. (eg. `git checkout -b <branch name>`)
@@ -19,13 +26,15 @@ This document aims to outline the requirements for the various forms of contribu
3) Make any changes needed to match the existing standards in the directory.
1) Ex: Parameterized hosts
```ansible
hosts: "{{ HOSTS | default('windows') }}"
hosts: "{{ _hosts | default('windows') }}"
```
4) Create an entry for your playbook in your subdirectories `setup.yml`
1) You can copy paste an existing one and edit it.
2) Ensure you edit the name, playbook path, survey etc.
5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml)
6) Test via RHPDS, specify your branch name within the project configuration.
6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration.
> NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account.
## New Demo Section/Category
1) Create a new subdirectory with no spaces
@@ -35,12 +44,29 @@ This document aims to outline the requirements for the various forms of contribu
---
user_message: ''
controller_components:
- job_templates
controller_templates:
...
```
- `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles)
- Add variables for each component listed
3) Include a README.md in the subdirectory
## Testing
We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI.
To install pre-commit, use the following commands:
```bash
pip install pre-commit
pre-commit install
```
For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation).
To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token).
Copy the token value and execute the following command:
```bash
export ANSIBLE_GALAXY_SERVER_AH_TOKEN=<token>
```

48
README.md
View File

@@ -1,39 +1,35 @@
# Official Ansible Product Demos
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![Dev Spaces](https://img.shields.io/badge/Customize%20Here-0078d7.svg?style=for-the-badge&logo=visual-studio-code&logoColor=white)](https://workspaces.openshift.com/f?url=https://github.com/ansible/product-demos)
This is a centralized location for all Ansible Product Demos going forward.
# APD - Ansible Product Demos
The Ansible Product Demos (APD) project is a set of Ansible demos that are deployed using [Red Hat Ansible Automation Platform](https://www.redhat.com/en/technologies/management/ansible). It uses configuraton-as-code to create AAP resources such as projects, templates, and credentials that form the basis for demonstrating automation use cases in several technology domains:
| Demo Name | Description |
|-----------|-------------|
| [Linux](linux/README.md) | Repository of demos for RHEL and Linux automation |
| [Windows](windows/README.md) | Repository of demos for Windows Server automation |
| [Cloud](cloud/README.md) | Demo for infrastructure and cloud provisioning automation |
| [Network](network/README.md) | Ansible Network automation demos |
## Contributions
If you would like to contribute to this project please refer to [contribution guide](CONTRIBUTING.md) for best practices.
| [Network](network/README.md) | Network automation demos |
| [OpenShift](openshift/README.md) | OpenShift automation demos |
| [Satellite](satellite/README.md) | Demos of automation with Red Hat Satellite Server |
## Using this project
> This project is tested for compatibility with AAP2 Linux Automation Workshop available to Red Hat Employees and Partners. To use with other Ansible Controller installations, review the [pre-requisite documentation](https://github.com/RedHatGov/ansible-tower-samples/tree/product-demos).
Use the [APD bootstrap](https://github.com/ansible/product-demos-bootstrap) repo to add APD to an existing Ansible Automation Platform deployment. The bootstrap repo provides the initial manual prerequisite steps as well as a playbook for adding APD to the existing deployment.
1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project.
1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token`
2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL.
3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click Save!!
For Red Hat associates and partners, there is an Ansible Product Demos catalog item [available on demo.redhat.com](https://red.ht/apd-sandbox) (account required).
2. If it has not been created for you, add a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project.
3. Finally, Create a Job Template called `Setup` with the following configuration:
- Name: Setup
- Inventory: Demo Inventory
- Exec Env: Control Plane EE
- Playbook: setup_demo.yml
- Credentials:
## Bring Your Own Demo
- Type: Red Hat Ansible Automation Platform
- Name: Controller Credential
- Extra vars:
demo: <linux or windows or cloud or network>
Can't find what you're looking for? Customize this repo to make it your own.
1. Create a fork of this repo.
2. Update the URL of the `Ansible Project Demos` project your Ansible Automation Platform controller.
3. Make changes to your fork as needed and run the **Product Demos | Single demo setup** job
See the [contributing guide](CONTRIBUTING.md) for more details on how to customize the project.
---
[Privacy statement](https://www.redhat.com/en/about/privacy-policy) | [Terms of use](https://www.redhat.com/en/about/terms-use) | [Security disclosure](https://www.ansible.com/security?hsLang=en-us) | [All policies and guidelines](https://www.redhat.com/en/about/all-policies-guidelines)

19
ansible.cfg
View File

@@ -1,3 +1,20 @@
[defaults]
collections_paths=./collections
collections_path=./collections:/usr/share/ansible/collections
roles_path=./roles
[galaxy]
server_list = certified,validated,galaxy
[galaxy_server.certified]
# Grab a token at https://console.redhat.com/ansible/automation-hub/token
# Then define it in the ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN environment variable
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.validated]
# Define the token in the ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN environment variable
url=https://console.redhat.com/api/automation-hub/content/validated/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
[galaxy_server.galaxy]
url=https://galaxy.ansible.com/

22
cloud/README.md
View File

@@ -10,7 +10,7 @@
- [Configure Credentials](#configure-credentials)
- [Add Workshop Credential Password](#add-workshop-credential-password)
- [Remove Inventory Variables](#remove-inventory-variables)
- [Getting your Puiblic Key for Create Infra Job](#getting-your-puiblic-key-for-create-infra-job)
- [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job)
- [Suggested Usage](#suggested-usage)
- [Known Issues](#known-issues)
@@ -19,9 +19,11 @@ This category of demos shows examples of multi-cloud provisioning and management
### Jobs
- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
### Inventory
@@ -46,19 +48,23 @@ After running the setup job template, there are a few steps required to make the
1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete
### Getting your Puiblic Key for Create Infra Job
### Getting your Public Key for Create Keypair Job
1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details.
2) Open a Terminal Window in the VS Code Web Editor.
3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user`
3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user`
4) `cat .ssh/authorized_keys` and copy the key listed including the `ssh-rsa` prefix
## Suggested Usage
**Cloud / Create Infra** -The Create Infra job builds cloud infrastructure based on the provider definition in the included `demo.cloud` collection.
**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
**Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`. Host Pattern: `win*` )
**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
## Known Issues
Azure does not work without a custom execution environment that includes the Azure dependencies.
Azure does not work without a custom execution environment that includes the Azure dependencies.

9
cloud/aws_key.yml
View File

@@ -10,7 +10,7 @@
ansible.builtin.assert:
that:
- aws_key_name is defined
- aws_region is defined
- create_vm_aws_region is defined
- aws_public_key is defined
- aws_keypair_owner is defined
fail_msg: "Required variables not set"
@@ -18,8 +18,13 @@
- name: Create AWS keypair
amazon.aws.ec2_key:
name: "{{ aws_key_name }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
key_material: "{{ aws_public_key }}"
state: present
tags:
owner: "{{ aws_keypair_owner }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
stat_aws_key_pair: '{{ aws_key_name }}'

103
cloud/create_vpc.yml
View File

@@ -2,6 +2,7 @@
- name: Create Cloud Infra
hosts: localhost
gather_facts: false
vars:
aws_vpc_name: aws-test-vpc
aws_owner_tag: default
@@ -9,11 +10,31 @@
aws_tenancy: default
aws_vpc_cidr_block: 10.0.0.0/16
aws_subnet_cidr: 10.0.1.0/24
aws_region: us-east-1
aws_sg_name: aws-test-sg
aws_subnet_name: aws-test-subnet
aws_rt_name: aws-test-rt
# map of availability zones to use per region, added since not all
# instance types are available in all AZs. must match the drop-down
# list for the create_vm_aws_region variable described in cloud/setup.yml
_azs:
us-east-1:
- us-east-1a
- us-east-1b
- us-east-1c
us-east-2:
- us-east-2a
- us-east-2b
- us-east-2c
us-west-1:
# us-west-1a not available when last checked 20250218
- us-west-1b
- us-west-1c
us-west-2:
- us-west-2a
- us-west-2b
- us-west-2c
tasks:
- name: Create VPC
amazon.aws.ec2_vpc_net:
@@ -21,7 +42,7 @@
name: "{{ aws_vpc_name }}"
cidr_block: "{{ aws_vpc_cidr_block }}"
tenancy: "{{ aws_tenancy }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
tags:
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
@@ -31,7 +52,7 @@
amazon.aws.ec2_vpc_igw:
state: present
vpc_id: "{{ aws_vpc.vpc.id }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
tags:
Name: "{{ aws_vpc_name }}"
owner: "{{ aws_owner_tag }}"
@@ -42,17 +63,17 @@
amazon.aws.ec2_security_group:
state: present
name: "{{ aws_sg_name }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
description: Inbound WinRM and RDP, http for demo servers and internal AD ports
rules:
- proto: tcp
ports:
- 80 # HTTP
- 443 # HTTPS
- 22 # SSH
- 5986 # WinRM
- 3389 # RDP
- 9090 # Cockpit
- 80 # HTTP
- 443 # HTTPS
- 22 # SSH
- 5986 # WinRM
- 3389 # RDP
- 9090 # Cockpit
cidr_ip: 0.0.0.0/0
- proto: icmp
to_port: -1
@@ -60,32 +81,32 @@
cidr_ip: 0.0.0.0/0
- proto: tcp
ports:
- 80 # HTTP
- 5986 # WinRM
- 3389 # RDP
- 53 # DNS
- 88 # Kerberos Authentication
- 135 # RPC
- 139 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 5432 # PostgreSQL
- 636 # LDAPS (LDAP over TLS)
- 873 # Rsync
- 3268-3269 # Global Catalog
- 1024-65535 # Ephemeral RPC ports
- 80 # HTTP
- 5986 # WinRM
- 3389 # RDP
- 53 # DNS
- 88 # Kerberos Authentication
- 135 # RPC
- 139 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 5432 # PostgreSQL
- 636 # LDAPS (LDAP over TLS)
- 873 # Rsync
- 3268-3269 # Global Catalog
- 1024-65535 # Ephemeral RPC ports
cidr_ip: "{{ aws_vpc_cidr_block }}"
- proto: udp
ports:
- 53 # DNS
- 88 # Kerberos Authentication
- 123 # NTP
- 137-138 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 1024-65535 # Ephemeral RPC ports
- 53 # DNS
- 88 # Kerberos Authentication
- 123 # NTP
- 137-138 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 1024-65535 # Ephemeral RPC ports
cidr_ip: "{{ aws_vpc_cidr_block }}"
rules_egress:
- proto: -1
@@ -96,12 +117,13 @@
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Create a subnet on the VPC
- name: Create a subnet in the VPC
amazon.aws.ec2_vpc_subnet:
state: present
vpc_id: "{{ aws_vpc.vpc.id }}"
cidr: "{{ aws_subnet_cidr }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
az: "{{ _azs[create_vm_aws_region] | shuffle | first }}"
map_public: true
tags:
Name: "{{ aws_subnet_name }}"
@@ -113,7 +135,7 @@
amazon.aws.ec2_vpc_route_table:
state: present
vpc_id: "{{ aws_vpc.vpc.id }}"
region: "{{ aws_region }}"
region: "{{ create_vm_aws_region }}"
subnets:
- "{{ aws_subnet.subnet.id }}"
routes:
@@ -123,3 +145,12 @@
Name: "{{ aws_rt_name }}"
owner: "{{ aws_owner_tag }}"
purpose: "{{ aws_purpose_tag }}"
- name: Set VPC stats
ansible.builtin.set_stats:
data:
stat_aws_region: '{{ create_vm_aws_region }}'
stat_aws_vpc_id: '{{ aws_vpc.vpc.id }}'
stat_aws_vpc_cidr: '{{ aws_vpc_cidr_block }}'
stat_aws_subnet_id: '{{ aws_subnet.subnet.id }}'
stat_aws_subnet_cidr: '{{ aws_subnet_cidr }}'

18
cloud/display-ec2-stats.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: Display EC2 stats
hosts: localhost
gather_facts: false
tasks:
- name: Display stats for EC2 VPC and key pair
ansible.builtin.debug:
var: '{{ item }}'
loop:
- stat_aws_region
- stat_aws_key_pair
- stat_aws_vpc_id
- stat_aws_vpc_cidr
- stat_aws_subnet_id
- stat_aws_subnet_cidr
...

10
cloud/resize_ec2.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Resize ec2 instances
hosts: "{{ _hosts | default(omit) }}"
gather_facts: false
tasks:
- name: Include snapshot role
ansible.builtin.include_role:
name: "demo.cloud.aws"
tasks_from: resize_ec2

10
cloud/restore_ec2.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Restore ec2 instance from snapshot
hosts: "{{ _hosts | default(omit) }}"
gather_facts: false
tasks:
- name: Include restore from snapshot role
ansible.builtin.include_role:
name: "demo.cloud.aws"
tasks_from: restore_vm

405
cloud/setup.yml
View File

@@ -1,90 +1,8 @@
---
_deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"
user_message:
controller_components:
- execution_environments
- projects
- credentials
- inventory_sources
- groups
- job_templates
- workflow_job_templates
controller_execution_environments:
- name: Cloud Services Execution Environment
image: quay.io/scottharwell/cloud-ee:latest
controller_projects:
- name: Ansible Cloud Content Lab - AWS
organization: Default
scm_type: git
wait: true
scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git
default_environment: Cloud Services Execution Environment
controller_credentials:
- name: AWS
credential_type: Amazon Web Services
organization: Default
update_secrets: false
inputs:
username: REPLACEME
password: REPLACEME
# - name: Azure
# credential_type: Microsoft Azure Resource Manager
# organization: Default
# update_secrets: false
# inputs:
# subscription: REPLACEME
controller_inventory_sources:
- name: AWS Inventory
organization: Default
source: ec2
inventory: Demo Inventory
credential: AWS
overwrite: true
source_vars:
hostnames:
- tag:Name
compose:
ansible_host: public_ip_address
ansible_user: 'ec2-user'
groups:
cloud_aws: true
os_linux: tags.blueprint.startswith('rhel')
keyed_groups:
- key: platform
prefix: os
- key: tags.blueprint
prefix: blueprint
- key: tags.owner
prefix: owner
# - name: Azure Inventory
# organization: Default
# source: azure_rm
# inventory: Demo Inventory
# credential: Azure
# execution_environment: Ansible Engine 2.9 execution environment
# overwrite: true
# source_vars:
# hostnames:
# - tags.Name
# - default
# keyed_groups:
# - key: os_profile.system
# prefix: os
# conditional_groups:
# cloud_azure: true
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
variables:
ansible_user: ec2-user
controller_templates:
- name: Cloud / AWS / Create Peer Infrastructure
job_type: run
@@ -92,7 +10,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_peer_network.yml
playbook: playbooks/create_peer_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -108,7 +26,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_peer_network.yml
playbook: playbooks/delete_peer_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -122,7 +40,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_transit_network.yml
playbook: playbooks/create_transit_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -138,7 +56,7 @@ controller_templates:
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_transit_network.yml
playbook: playbooks/delete_transit_network.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -146,50 +64,37 @@ controller_templates:
extra_vars:
aws_region: us-east-1
- name: Cloud / AWS / Create VPC
- name: Cloud / AWS / VPC Report
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/create_vpc.yml
project: Ansible Cloud AWS Demos
playbook: playbooks/cloud_report.yml
inventory: Demo Inventory
execution_environment: Cloud Services Execution Environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
required: true
extra_vars:
reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
reports_aws_region: "us-east-1"
- name: Cloud / AWS / Create VM
- name: Cloud / AWS / Tags Report
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_vm.yml
playbook: playbooks/create_reports.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_report: tags
reports_aws_bucket_name: reports-pd-{{ _deployment_id }}
survey_enabled: true
allow_simultaneous: true
survey:
name: ''
description: ''
@@ -203,127 +108,45 @@ controller_templates:
- us-east-2
- us-west-1
- us-west-2
- question_name: Name
type: text
variable: create_vm_vm_name
required: true
- question_name: Owner
type: text
variable: create_vm_vm_owner
required: true
- question_name: Deployment
type: text
variable: create_vm_vm_deployment
required: true
- question_name: Environment
type: multiplechoice
variable: create_vm_vm_environment
required: true
choices:
- Dev
- QA
- Prod
- question_name: Blueprint
type: multiplechoice
variable: vm_blueprint
required: true
choices:
- windows_core
- windows_full
- rhel9
- rhel8
- rhel7
- al2023
- question_name: Subnet
type: text
variable: create_vm_aws_vpc_subnet_name
required: true
default: aws-test-subnet
- question_name: Security Group
type: text
variable: create_vm_aws_securitygroup_name
required: true
default: aws-test-sg
- question_name: SSH Keypair
type: text
variable: create_vm_aws_keypair_name
required: true
default: aws-test-key
- name: Cloud / AWS / Delete VM
- name: Cloud / AWS / Snapshot EC2
job_type: run
organization: Default
credentials:
- AWS
- Demo Credential
project: Ansible Cloud Content Lab - AWS
playbook: playbook_delete_inventory_vm.yml
project: Ansible Product Demos
playbook: cloud/snapshot_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
extra_vars:
aws_region: us-east-1
survey:
name: ''
description: ''
spec:
- question_name: Name or Pattern
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
default: us-east-1
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Specify target hosts
type: text
variable: _hosts
required: true
required: false
- name: Cloud / AWS / VPC Report
- name: Cloud / AWS / Restore EC2 from Snapshot
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_reports.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_region: us-east-1
aws_report: vpc
- name: Cloud / AWS / Tags Report
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Cloud Content Lab - AWS
playbook: playbook_create_reports.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
extra_vars:
aws_report: tags
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- name: Cloud / AWS / Create Keypair
job_type: run
organization: Default
credentials:
- AWS
project: Ansible official demo project
playbook: cloud/aws_key.yml
project: Ansible Product Demos
playbook: cloud/restore_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
@@ -337,23 +160,50 @@ controller_templates:
type: multiplechoice
variable: aws_region
required: true
default: us-east-1
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Keypair Name
- question_name: Specify target hosts
type: text
variable: aws_key_name
required: true
default: aws-test-key
- question_name: Keypair Public Key
type: textarea
variable: aws_public_key
required: true
- question_name: Owner
variable: _hosts
required: false
- name: Cloud / AWS / Display EC2 Stats
job_type: run
organization: Default
credentials:
- AWS
project: Ansible Product Demos
playbook: cloud/display-ec2-stats.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
- name: "LINUX / Patching"
job_type: check
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
use_fact_cache: true
ask_job_type_on_launch: true
credentials:
- "Demo Credential"
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: aws_keypair_owner
variable: _hosts
required: true
controller_workflows:
@@ -372,7 +222,7 @@ controller_workflows:
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
variable: create_vm_aws_region
required: true
choices:
- us-east-1
@@ -381,7 +231,7 @@ controller_workflows:
- us-west-2
- question_name: Owner
type: text
variable: aws_owner_tag
variable: create_vm_aws_owner_tag
required: true
- question_name: Environment
type: multiplechoice
@@ -402,35 +252,48 @@ controller_workflows:
simplified_workflow_nodes:
- identifier: Create Keypair
unified_job_template: Cloud / AWS / Create Keypair
extra_data:
aws_keypair_owner: !unsafe "{{ aws_owner_tag }}"
success_nodes:
- VPC Report
- EC2 Stats
failure_nodes:
- Ticket - Keypair Failed
- identifier: Create VPC
unified_job_template: Cloud / AWS / Create VPC
success_nodes:
- VPC Report
- EC2 Stats
failure_nodes:
- Ticket - VPC Failed
- identifier: Ticket - Keypair Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Failed to create AWS keypair
- identifier: EC2 Stats
unified_job_template: Cloud / AWS / Display EC2 Stats
all_parents_must_converge: true
always_nodes:
- VPC Report
- identifier: VPC Report
unified_job_template: Cloud / AWS / VPC Report
all_parents_must_converge: true
success_nodes:
- Deploy Windows Blueprint
always_nodes:
- Deploy Windows GUI Blueprint
- Deploy RHEL8 Blueprint
- Deploy RHEL9 Blueprint
- identifier: Deploy Windows Blueprint
- Deploy Windows Core Blueprint
- Deploy Report Server
- identifier: Deploy Windows GUI Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
vm_name: aws_win
create_vm_vm_name: aws-dc
vm_blueprint: windows_full
vm_owner: !unsafe "{{ aws_owner_tag }}"
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Deploy Windows Core Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: aws_win1
vm_blueprint: windows_core
success_nodes:
- Update Inventory
failure_nodes:
@@ -438,9 +301,8 @@ controller_workflows:
- identifier: Deploy RHEL8 Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
vm_name: aws_rhel8
create_vm_vm_name: aws_rhel8
vm_blueprint: rhel8
vm_owner: !unsafe "{{ aws_owner_tag }}"
success_nodes:
- Update Inventory
failure_nodes:
@@ -448,17 +310,21 @@ controller_workflows:
- identifier: Deploy RHEL9 Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
vm_name: aws_rhel9
create_vm_vm_name: aws_rhel9
vm_blueprint: rhel9
vm_owner: !unsafe "{{ aws_owner_tag }}"
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
- identifier: Deploy Report Server
unified_job_template: Cloud / AWS / Create VM
extra_data:
feedback: Failed to create AWS VPC
create_vm_vm_name: reports
vm_blueprint: rhel9
success_nodes:
- Update Inventory
failure_nodes:
- Ticket - Instance Failed
- identifier: Update Inventory
unified_job_template: AWS Inventory
success_nodes:
@@ -469,3 +335,60 @@ controller_workflows:
feedback: Failed to create AWS instance
- identifier: Tag Report
unified_job_template: Cloud / AWS / Tags Report
- identifier: Ticket - VPC Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Failed to create AWS VPC
- name: Cloud / AWS / Patch EC2 Workflow
description: A workflow to patch ec2 instances with snapshot and restore on failure.
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
default: us-east-1
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Specify target hosts
type: text
variable: _hosts
required: true
default: os_linux
simplified_workflow_nodes:
- identifier: Project Sync
unified_job_template: Ansible Product Demos
success_nodes:
- Take Snapshot
- identifier: Inventory Sync
unified_job_template: AWS Inventory
success_nodes:
- Take Snapshot
- identifier: Take Snapshot
unified_job_template: Cloud / AWS / Snapshot EC2
success_nodes:
- Patch Instance
- identifier: Patch Instance
unified_job_template: LINUX / Patching
job_type: run
failure_nodes:
- Restore from Snapshot
- identifier: Restore from Snapshot
unified_job_template: Cloud / AWS / Restore EC2 from Snapshot
failure_nodes:
- Ticket - Restore Failed
- identifier: Ticket - Restore Failed
unified_job_template: 'SUBMIT FEEDBACK'
extra_data:
feedback: Cloud / AWS / Patch EC2 Workflow | Failed to restore ec2 from snapshot

10
cloud/snapshot_ec2.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Snapshot ec2 instance
hosts: "{{ _hosts | default(omit) }}"
gather_facts: false
tasks:
- name: Include snapshot role
ansible.builtin.include_role:
name: "demo.cloud.aws"
tasks_from: snapshot_vm

1
collections/ansible_collections/demo/cloud/roles/aws/defaults/main.yml
View File

@@ -21,3 +21,4 @@ aws_env_tag: prod
aws_purpose_tag: ansible_demo
aws_ansiblegroup_tag: cloud
aws_ec2_wait: true
aws_snapshots: {}

56
collections/ansible_collections/demo/cloud/roles/aws/tasks/create_infra.yml
View File

@@ -31,11 +31,11 @@
rules:
- proto: tcp
ports:
- 80 # HTTP
- 443 # HTTPS
- 22 # SSH
- 5986 # WinRM
- 3389 # RDP
- 80 # HTTP
- 443 # HTTPS
- 22 # SSH
- 5986 # WinRM
- 3389 # RDP
cidr_ip: 0.0.0.0/0
- proto: icmp
to_port: -1
@@ -43,32 +43,32 @@
cidr_ip: 0.0.0.0/0
- proto: tcp
ports:
- 80 # HTTP
- 5986 # WinRM
- 3389 # RDP
- 53 # DNS
- 88 # Kerberos Authentication
- 135 # RPC
- 139 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 5432 # PostgreSQL
- 636 # LDAPS (LDAP over TLS)
- 873 # Rsync
- 3268-3269 # Global Catalog
- 1024-65535 # Ephemeral RPC ports
- 80 # HTTP
- 5986 # WinRM
- 3389 # RDP
- 53 # DNS
- 88 # Kerberos Authentication
- 135 # RPC
- 139 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 5432 # PostgreSQL
- 636 # LDAPS (LDAP over TLS)
- 873 # Rsync
- 3268-3269 # Global Catalog
- 1024-65535 # Ephemeral RPC ports
cidr_ip: 10.0.0.0/16
- proto: udp
ports:
- 53 # DNS
- 88 # Kerberos Authentication
- 123 # NTP
- 137-138 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 1024-65535 # Ephemeral RPC ports
- 53 # DNS
- 88 # Kerberos Authentication
- 123 # NTP
- 137-138 # Netlogon
- 389 # LDAP
- 445 # SMB
- 464 # Kerberos Authentication
- 1024-65535 # Ephemeral RPC ports
cidr_ip: 10.0.0.0/16
rules_egress:
- proto: -1

4
collections/ansible_collections/demo/cloud/roles/aws/tasks/create_vm.yml
View File

@@ -17,12 +17,12 @@
filters:
name: "{{ aws_image_filter }}"
architecture: "{{ aws_image_architecture | default(omit) }}"
register: amis
register: aws_amis
- name: AWS| CREATE VM | save ami
ansible.builtin.set_fact:
aws_instance_ami: >
{{ (amis.images | selectattr('name', 'defined') | sort(attribute='creation_date'))[-2] }}
{{ (aws_amis.images | selectattr('name', 'defined') | sort(attribute='creation_date'))[-2] }}
- name: AWS| CREATE VM | create instance
amazon.aws.ec2_instance:

45
collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml Normal file
View File

@@ -0,0 +1,45 @@
---
# parameters
# instance_type: new instance type, e.g. t3.large
- name: AWS | RESIZE VM
delegate_to: localhost
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]
controller_inventory_sources:
- name: AWS Inventory
inventory: Demo Inventory
organization: Default
wait: true
block:
- name: AWS | RESIZE EC2 | assert required vars
ansible.builtin.assert:
that:
- instance_id is defined
- aws_region is defined
fail_msg: "instance_id, aws_region is required for resize operations"
- name: AWS | RESIZE EC2 | shutdown instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: stopped
wait: true
- name: AWS | RESIZE EC2 | update instance type
amazon.aws.ec2_instance:
region: "{{ aws_region }}"
instance_ids: "{{ instance_id }}"
instance_type: "{{ instance_type }}"
wait: true
- name: AWS | RESIZE EC2 | start instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: started
wait: true
- name: Synchronize inventory
run_once: true
ansible.builtin.include_role:
name: infra.controller_configuration.inventory_source_update

62
collections/ansible_collections/demo/cloud/roles/aws/tasks/restore_vm.yml Normal file
View File

@@ -0,0 +1,62 @@
---
- name: AWS | RESTORE VM
delegate_to: localhost
block:
- name: AWS | RESTORE VM | stop vm
amazon.aws.ec2_instance:
region: "{{ aws_region }}"
instance_ids: "{{ instance_id }}"
state: stopped
wait: true
- name: AWS | RESTORE VM | get volumes
register: aws_r_vol_info
amazon.aws.ec2_vol_info:
region: "{{ aws_region }}"
filters:
attachment.instance-id: "{{ instance_id }}"
- name: AWS | RESTORE VM | detach volumes
loop: "{{ aws_r_vol_info.volumes }}"
loop_control:
loop_var: volume
label: "{{ volume.id }}"
amazon.aws.ec2_vol:
region: "{{ aws_region }}"
id: "{{ volume.id }}"
instance: None
- name: AWS | RESTORE VM | attach snapshots from stat
when: inventory_hostname in aws_snapshots
loop: "{{ aws_snapshots[inventory_hostname] }}"
loop_control:
loop_var: snap
label: "{{ snap.snapshot_id }}"
amazon.aws.ec2_vol:
region: "{{ aws_region }}"
instance: "{{ instance_id }}"
snapshot: "{{ snap.snapshot_id }}"
device_name: "{{ snap.device }}"
- name: AWS | RESTORE VM | get all snapshots
when: inventory_hostname not in aws_snapshots
register: aws_r_snapshots
amazon.aws.ec2_snapshot_info:
region: "{{ aws_region }}"
filters:
"tag:Name": "{{ inventory_hostname }}"
- name: AWS | RESTORE VM | create volume from latest snapshot
when: inventory_hostname not in aws_snapshots
amazon.aws.ec2_vol:
region: "{{ aws_region }}"
instance: "{{ instance_id }}"
snapshot: "{{ aws_r_snapshots.snapshots[0].snapshot_id }}"
device_name: "/dev/sda1"
- name: AWS | RESTORE VM | start vm
amazon.aws.ec2_instance:
region: "{{ aws_region }}"
instance_ids: "{{ instance_id }}"
state: started
wait: true

42
collections/ansible_collections/demo/cloud/roles/aws/tasks/snapshot_vm.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: AWS | SNAPSHOT VM
delegate_to: localhost
block:
- name: AWS | SNAPSHOT VM | assert id
ansible.builtin.assert:
that: instance_id is defined
fail_msg: "instance_id is required for snapshot operations"
- name: AWS | SNAPSHOT VM | include vars
ansible.builtin.include_vars:
file: snapshot_vm.yml
- name: AWS | SNAPSHOT VM | get volumes
register: aws_r_vol_info
amazon.aws.ec2_vol_info:
region: "{{ aws_region }}"
filters:
attachment.instance-id: "{{ instance_id }}"
- name: AWS | SNAPSHOT VM | take snapshots
loop: "{{ aws_r_vol_info.volumes }}"
loop_control:
loop_var: volume
label: "{{ volume.id }}"
register: aws_r_snapshots
amazon.aws.ec2_snapshot:
region: "{{ aws_region }}"
volume_id: "{{ volume.id }}"
description: "Snapshot taken by Red Hat Product demos"
snapshot_tags: "{{ tags }}"
- name: AWS | SNAPSHOT VM | format snapshot stat
ansible.builtin.set_fact:
aws_snapshot_stat:
- key: "{{ inventory_hostname }}"
value: "{{ aws_r_snapshots.results | json_query(aws_ec2_snapshot_query) }}"
- name: AWS | SNAPSHOT VM | record snapshot with host key
ansible.builtin.set_stats:
data:
aws_snapshots: "{{ aws_snapshot_stat | items2dict }}"

2
collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2
View File

@@ -26,4 +26,4 @@ New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password
Add-LocalGroupMember -Group "Administrators" -Member "ec2-user"
Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart
</powershell>
</powershell>

11
collections/ansible_collections/demo/cloud/roles/aws/vars/snapshot_vm.yml Normal file
View File

@@ -0,0 +1,11 @@
---
# Set stat_snapshots with model:
# [
# {
# "snapshot_id": "snap-0e981f05704e19ffd",
# "vol_id": "vol-0bd55f313bb7bcdd8",
# "device": "/dev/sda1"
# },
# ...
# ]
aws_ec2_snapshot_query: "[].{snapshot_id: snapshot_id, vol_id: volume.id, device: volume.attachment_set[?instance_id=='{{ instance_id }}'].device | [0]}"

65
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -14,61 +15,65 @@ import xml.dom.minidom
role = "iosxeSTIG"
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = os.path.join(os.getcwd(), "roles", role, "files")
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = os.getcwd()
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def __get_rev(self, nid):
rev = '0'
rev = "0"
# Check all files for the rule number.
for file in os.listdir(self.stig_path):
with open(os.path.join(self.stig_path, file), 'r') as f:
r = 'SV-{}r(?P<rev>\d)_rule'.format(nid)
with open(os.path.join(self.stig_path, file), "r") as f:
r = "SV-{}r(?P<rev>\d)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
break
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self.__get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def __set_duplicates(self):
with open(os.path.join(self.stig_path, 'duplicates.json')) as f:
with open(os.path.join(self.stig_path, "duplicates.json")) as f:
dups = json.load(f)
for d in dups:
dup_of = str(dups[d][0])
@@ -82,17 +87,19 @@ class CallbackModule(CallbackBase):
def v2_playbook_on_stats(self, stats):
self.__set_duplicates()
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(os.path.join(self.XML_path, "xccdf-results.xml"), 'w') as f:
with open(os.path.join(self.XML_path, "xccdf-results.xml"), "w") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

4
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml
View File

@@ -26,7 +26,7 @@ iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG)
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
@@ -36,7 +36,7 @@ counterintelligence (CI) investigations.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
# R-215815 CISC-ND-000210

192
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml
View File

@@ -69,20 +69,20 @@ archive
Note: Configuration changes can be viewed using the show archive log config all command.
If account removal is not automatically audited, this is a finding.</check-content></check></Rule></Group><Group id="V-215812"><title>SRG-APP-000038-NDM-000213</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215812r539421_rule" weight="10.0" severity="medium"><version>CISC-ND-000140</version><title>The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.</title><description>&lt;VulnDiscussion&gt;A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data.
If account removal is not automatically audited, this is a finding.</check-content></check></Rule></Group><Group id="V-215812"><title>SRG-APP-000038-NDM-000213</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215812r539421_rule" weight="10.0" severity="medium"><version>CISC-ND-000140</version><title>The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.</title><description>&lt;VulnDiscussion&gt;A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data.
Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).
Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96205</ident><ident system="http://cyber.mil/legacy">SV-105343</ident><ident system="http://cyber.mil/cci">CCI-001368</ident><fixtext fixref="F-17049r539420_fix">Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below.
SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 4
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config-line)#end
</fixtext><fix id="F-17049r539420_fix" /><check system="C-17051r539419_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
</fixtext><fix id="F-17049r539420_fix" /><check system="C-17051r539419_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.
@@ -92,7 +92,7 @@ line vty 0 4
Step 2: Verify that the ACL permits only hosts from the management network to access the router.
ip access-list extended MANAGEMENT_NET
ip access-list extended MANAGEMENT_NET
permit ip x.x.x.0 0.0.0.255 any
deny ip any any log-input
@@ -166,7 +166,7 @@ archive
Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level.
If logging of administrator activity is not configured, this is a finding.</check-content></check></Rule></Group><Group id="V-215816"><title>SRG-APP-000091-NDM-000223</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215816r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000250</version><title>The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
If logging of administrator activity is not configured, this is a finding.</check-content></check></Rule></Group><Group id="V-215816"><title>SRG-APP-000091-NDM-000223</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215816r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000250</version><title>The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96221</ident><ident system="http://cyber.mil/legacy">SV-105359</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-17053r287488_fix">Configure the Cisco router to log all logon attempts as shown in the example below.
@@ -193,7 +193,7 @@ R1(config-ext-nacl)#deny icmp any any log-input</fixtext><fix id="F-17055r287494
ip access-list extended BLOCK_INBOUND
deny icmp any any log-input
If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.</check-content></check></Rule></Group><Group id="V-215819"><title>SRG-APP-000101-NDM-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215819r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000330</version><title>The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.</check-content></check></Rule></Group><Group id="V-215819"><title>SRG-APP-000101-NDM-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215819r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000330</version><title>The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96227</ident><ident system="http://cyber.mil/legacy">SV-105365</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><fixtext fixref="F-17056r287497_fix">Configure the Cisco router to log all configuration changes as shown in the example below.
@@ -210,11 +210,11 @@ Note: Configuration changes can be viewed using the show archive log config all
If the Cisco router is not configured to generate audit records of configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215820"><title>SRG-APP-000119-NDM-000236</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215820r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000380</version><title>The Cisco router must be configured to protect audit information from unauthorized modification.</title><description>&lt;VulnDiscussion&gt;Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification.
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96231</ident><ident system="http://cyber.mil/legacy">SV-105369</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><fixtext fixref="F-17057r287500_fix">If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
@@ -226,15 +226,15 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384
Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215821"><title>SRG-APP-000120-NDM-000237</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215821r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000390</version><title>The Cisco router must be configured to protect audit information from unauthorized deletion.</title><description>&lt;VulnDiscussion&gt;Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96233</ident><ident system="http://cyber.mil/legacy">SV-105371</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><fixtext fixref="F-17058r287503_fix">If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below.
@@ -246,7 +246,7 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384
Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
@@ -254,11 +254,11 @@ If the router is configured with a privilege level other than "15" to allow acce
R4(config)#file privilege 15</fixtext><fix id="F-17059r287506_fix" /><check system="C-17061r287505_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.
file privilege 10
file privilege 10
Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215823"><title>SRG-APP-000142-NDM-000245</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215823r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000470</version><title>The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.</title><description>&lt;VulnDiscussion&gt;Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.</check-content></check></Rule></Group><Group id="V-215823"><title>SRG-APP-000142-NDM-000245</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215823r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000470</version><title>The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.</title><description>&lt;VulnDiscussion&gt;Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96239</ident><ident system="http://cyber.mil/legacy">SV-105377</ident><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-17060r287509_fix">Disable the following services if enabled as shown in the example below.
@@ -312,7 +312,7 @@ aaa authentication login default group tacacs+ local
If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.</check-content></check></Rule></Group><Group id="V-215825"><title>SRG-APP-000156-NDM-000250</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215825r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000530</version><title>The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.</title><description>&lt;VulnDiscussion&gt;A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96249</ident><ident system="http://cyber.mil/legacy">SV-105387</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><fixtext fixref="F-17062r287515_fix">Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below.
@@ -324,7 +324,7 @@ Note: An SSH configuration enables a server and client to authorize the negotiat
ip ssh version 2
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established.
If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.</check-content></check></Rule></Group><Group id="V-215826"><title>SRG-APP-000164-NDM-000252</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215826r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000550</version><title>The Cisco router must be configured to enforce a minimum 15-character password length.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
@@ -428,12 +428,12 @@ Performance and time required to access are factors that must be considered, and
In many instances, verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105403</ident><ident system="http://cyber.mil/legacy">V-96265</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-17069r287536_fix">Configure the router to encrypt all passwords.
R4(config)#service password-encryption
R4(config)#service password-encryption
R4(config)#end</fixtext><fix id="F-17069r287536_fix" /><check system="C-17071r287535_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the router configuration to determine if passwords are encrypted as shown in the example below.
service password-encryption
If the router is not configured to encrypt passwords, this is a finding.</check-content></check></Rule></Group><Group id="V-215833"><title>SRG-APP-000190-NDM-000267</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215833r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000720</version><title>The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
If the router is not configured to encrypt passwords, this is a finding.</check-content></check></Rule></Group><Group id="V-215833"><title>SRG-APP-000190-NDM-000267</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215833r531083_rule" weight="10.0" severity="high"><version>CISC-ND-000720</version><title>The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105409</ident><ident system="http://cyber.mil/legacy">V-96271</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-17070r287539_fix">Set the idle timeout value to "10" minutes or less on all configured login classes as shown in the example below.
@@ -490,7 +490,7 @@ archive
Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level.
If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215836"><title>SRG-APP-000357-NDM-000293</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215836r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000980</version><title>The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.</title><description>&lt;VulnDiscussion&gt;In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.</check-content></check></Rule></Group><Group id="V-215836"><title>SRG-APP-000357-NDM-000293</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215836r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-000980</version><title>The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.</title><description>&lt;VulnDiscussion&gt;In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96297</ident><ident system="http://cyber.mil/legacy">SV-105435</ident><ident system="http://cyber.mil/cci">CCI-001849</ident><fixtext fixref="F-17073r287548_fix">Configure the buffer size for logging as shown in the example below.
@@ -500,7 +500,7 @@ logging buffered xxxxxxxx informational
If a logging buffer size is not configured, this is a finding.
If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-215837"><title>SRG-APP-000360-NDM-000295</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215837r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001000</version><title>The Cisco router must be configured to generate an alert for all audit failure events.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-215837"><title>SRG-APP-000360-NDM-000295</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215837r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001000</version><title>The Cisco router must be configured to generate an alert for all audit failure events.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96301</ident><ident system="http://cyber.mil/legacy">SV-105439</ident><ident system="http://cyber.mil/cci">CCI-001858</ident><fixtext fixref="F-17074r287551_fix">Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below.
@@ -514,7 +514,7 @@ logging x.x.x.x
Note: The parameter "critical" can replaced with a lesser severity level (i.e. error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration.
If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.</check-content></check></Rule></Group><Group id="V-215838"><title>SRG-APP-000373-NDM-000298</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215838r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001030</version><title>The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.</title><description>&lt;VulnDiscussion&gt;The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.</check-content></check></Rule></Group><Group id="V-215838"><title>SRG-APP-000373-NDM-000298</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215838r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001030</version><title>The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.</title><description>&lt;VulnDiscussion&gt;The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
@@ -530,7 +530,7 @@ If the Cisco router is not configured to synchronize its clock with redundant au
R2(config)#service timestamps log datetime localtime</fixtext><fix id="F-17076r287557_fix" /><check system="C-17078r287556_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
service timestamps log datetime
service timestamps log datetime
If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.</check-content></check></Rule></Group><Group id="V-215840"><title>SRG-APP-000374-NDM-000299</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215840r531083_rule" weight="10.0" severity="medium"><version>CISC-ND-001050</version><title>The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).</title><description>&lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
@@ -562,7 +562,7 @@ R4(config)#snmp-server view V3READ iso included
R4(config)#snmp-server view V3WRITE iso included
R4(config)#snmp-server host x.x.x.x version 3 auth V3USER</fixtext><fix id="F-17078r287563_fix" /><check system="C-17080r287562_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER
@@ -615,7 +615,7 @@ ntp server y.y.y.y key 1
If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.</check-content></check></Rule></Group><Group id="V-215844"><title>SRG-APP-000411-NDM-000330</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-215844r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001200</version><title>The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96327</ident><ident system="http://cyber.mil/legacy">SV-105465</ident><ident system="http://cyber.mil/cci">CCI-002890</ident><fixtext fixref="F-17081r287572_fix">The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured.
@@ -638,7 +638,7 @@ ip ssh server algorithm mac hmac-sha1-96
HTTPS Example
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
@@ -661,7 +661,7 @@ ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr
HTTPS Example
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-ciphersuite aes-128-cbc-sha
ip http secure-client-auth
ip http secure-trustpoint CA_XXX
@@ -752,85 +752,85 @@ Step 4: Apply the policy map to the control plane.
R1(config)#control-plane
R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
R1(config-cp)#end</fixtext><fix id="F-17083r287578_fix" /><check system="C-17085r287577_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
R1(config-cp)#end</fixtext><fix id="F-17083r287578_fix" /><check system="C-17085r287577_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
permit udp any any eq snmp
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
police 64000 1000 conform-action transmit exceed-action drop
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
control-plane
service-policy input CONTROL_PLANE_POLICY
control-plane
service-policy input CONTROL_PLANE_POLICY
Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
@@ -838,7 +838,7 @@ If the Cisco router is not configured to protect against known types of DoS atta
Audit records can be generated from various components within the network device (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-105471</ident><ident system="http://cyber.mil/legacy">V-96333</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-17084r287581_fix">Configure the Cisco router to generate log records when account privileges are modified as shown in the example below.
R4(config)#logging userinfo
R4(config)#logging userinfo
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
@@ -928,7 +928,7 @@ R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config-line)#exit
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION</fixtext><fix id="F-17091r287602_fix" /><check system="C-17093r287601_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:
aaa new-model
@@ -999,7 +999,7 @@ logging x.x.x.x
Note: Default for sending log messages to the syslog server is informational (level 6); hence, the command logging trap informational will not be seen in the configuration. Level of log messages sent to the syslog server can be verified using the show logging command.
If the router is not configured to send log data to the syslog server, this is a finding.</check-content></check></Rule></Group><Group id="V-220140"><title>SRG-APP-000516-NDM-000351</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-220140r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001470</version><title>The Cisco router must be running an IOS release that is currently supported by Cisco Systems.</title><description>&lt;VulnDiscussion&gt;Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96369</ident><ident system="http://cyber.mil/legacy">SV-105507</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-21847r388871_fix">Upgrade the router to a supported release.</fixtext><fix id="F-21847r388871_fix" /><check system="C-21855r388870_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
If the router is not configured to send log data to the syslog server, this is a finding.</check-content></check></Rule></Group><Group id="V-220140"><title>SRG-APP-000516-NDM-000351</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-220140r531083_rule" weight="10.0" severity="high"><version>CISC-ND-001470</version><title>The Cisco router must be running an IOS release that is currently supported by Cisco Systems.</title><description>&lt;VulnDiscussion&gt;Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router NDM</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router NDM</dc:subject><dc:identifier>4020</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96369</ident><ident system="http://cyber.mil/legacy">SV-105507</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-21847r388871_fix">Upgrade the router to a supported release.</fixtext><fix id="F-21847r388871_fix" /><check system="C-21855r388870_chk"><check-content-ref href="Cisco_IOS_XE_Router_NDM_STIG.xml" name="M" /><check-content>Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
show version
@@ -1007,4 +1007,4 @@ Verify that the release is still supported by Cisco. All releases supported by C
www.cisco.com/c/en/us/support/ios-nx-os-software
If the router is not running a supported release, this is a finding.</check-content></check></Rule></Group></Benchmark>
If the router is not running a supported release, this is a finding.</check-content></check></Rule></Group></Benchmark>

316
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml
View File

@@ -71,7 +71,7 @@ router bgp nn
neighbor x.x.x.x remote-as nn
neighbor x.x.x.x password xxxxxxx
Note: BGP authentication uses MD5
Note: BGP authentication uses MD5
EIGRP Example:
@@ -155,7 +155,7 @@ interface GigabitEthernet3
!
interface GigabitEthernet4
shutdown
If an interface is not being used but is configured or enabled, this is a finding.</check-content></check></Rule></Group><Group id="V-216647"><title>SRG-NET-000131-RTR-000035</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216647r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000070</version><title>The Cisco router must be configured to have all non-essential capabilities disabled.</title><description>&lt;VulnDiscussion&gt;A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106005</ident><ident system="http://cyber.mil/legacy">V-96867</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-17878r287902_fix">Disable the following services if enabled as shown in the example below:
R2(config)#no boot network
@@ -199,7 +199,7 @@ R2(config)#no cns config initial
R2(config)#no cns exec
R2(config)#no cns image
R2(config)#no cns trusted-server config x.x.x.x
R2(config)#no cns trusted-server image x.x.x.x</fixtext><fix id="F-17880r287905_fix" /><check system="C-17882r287904_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
R2(config)#no cns trusted-server image x.x.x.x</fixtext><fix id="F-17880r287905_fix" /><check system="C-17882r287904_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
Auto-configuration example:
@@ -220,7 +220,7 @@ cns config initial x.x.x.x 80
cns exec 80
cns image
If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.</check-content></check></Rule></Group><Group id="V-216650"><title>SRG-NET-000362-RTR-000110</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216650r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000120</version><title>The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.</title><description>&lt;VulnDiscussion&gt;The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages.
@@ -307,92 +307,92 @@ Step 4: Apply the policy map to the control plane.
R1(config)#control-plane
R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
R1(config-cp)#end</fixtext><fix id="F-17881r287908_fix" /><check system="C-17883r287907_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
R1(config-cp)#end</fixtext><fix id="F-17881r287908_fix" /><check system="C-17883r287907_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the Cisco router configuration to verify that it is compliant with this requirement.
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
permit udp any any eq snmp
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
ip access-list extended CoPP_DEFAULT
permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
police 64000 1000 conform-action transmit exceed-action drop
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
control-plane
service-policy input CONTROL_PLANE_POLICY
control-plane
service-policy input CONTROL_PLANE_POLICY
Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.</check-content></check></Rule></Group><Group id="V-216651"><title>SRG-NET-000205-RTR-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216651r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000130</version><title>The Cisco router must be configured to restrict traffic destined to itself.</title><description>&lt;VulnDiscussion&gt;The route processor handles traffic destined to the router—the key component used to build forwarding paths and is instrumental with all network management functions. Hence, any disruption or denial of service (DoS) attack to the route processor can result in mission critical network outages.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96875</ident><ident system="http://cyber.mil/legacy">SV-106013</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17882r287911_fix">Step 1: Configure the ACL for any external interfaces as shown in the example.
R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -459,14 +459,14 @@ ip access-list extended INTERNAL_ACL
Note: For the internal ACL example, all routers within the hypothetical network (10.1.0.0/16) have been configured to use the loopback address to source all management traffic (not shown); hence, the loopbacks are the only allowable destination address for management traffic. In addition, all management traffic destined to the router must originate from the management network (10.2.1.0/24). With the exception of link-local control plane traffic and ICMP, all other traffic destined to any physical interface address will be dropped.
Step 2: Verify that the ACL has been applied to the appropriate interface as shown in the example below:
interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL in
interface GigabitEthernet0/3
ip address 10.1.12.2 255.255.255.0
ip access-group INTERNAL_ACL in
If the router is not configured to restrict traffic destined to itself, this is a finding.</check-content></check></Rule></Group><Group id="V-216652"><title>SRG-NET-000205-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216652r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000140</version><title>The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.</title><description>&lt;VulnDiscussion&gt;Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96877</ident><ident system="http://cyber.mil/legacy">SV-106015</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17883r287914_fix">Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:
R1(config)#ip access-list extended EXTERNAL_ACL
@@ -531,9 +531,9 @@ R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end
Alternative Non DODIN Backbone.
Alternative Non DODIN Backbone.
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
@@ -543,7 +543,7 @@ R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit
Step 2: Create a route map to forward these ICMP messages to the Null0 interface.
R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
@@ -578,7 +578,7 @@ Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be s
IF the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.</check-content></check></Rule></Group><Group id="V-216656"><title>SRG-NET-000362-RTR-000114</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216656r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000180</version><title>The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.</title><description>&lt;VulnDiscussion&gt;The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96885</ident><ident system="http://cyber.mil/legacy">SV-106023</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17887r287926_fix">Disable ip mask-reply on all external interfaces as shown below:
R4(config)#int g0/1
R4(config-if)#no ip mask-reply</fixtext><fix id="F-17887r287926_fix" /><check system="C-17889r287925_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
R4(config-if)#no ip mask-reply</fixtext><fix id="F-17887r287926_fix" /><check system="C-17889r287925_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
@@ -618,7 +618,7 @@ If packets being dropped at interfaces are not logged, this is a finding.</check
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as router components, modules, device identifiers, node names, and functionality.
Associating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106029</ident><ident system="http://cyber.mil/legacy">V-96891</ident><ident system="http://cyber.mil/cci">CCI-000132</ident><fixtext fixref="F-17890r287935_fix">Configure the router to log events containing information to establish where the events occurred as shown in the example below:
R5(config)#ip access-list extended INGRESS_FILTER
@@ -644,7 +644,7 @@ If the router is not configured to produce audit records containing information
In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.
In addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106031</ident><ident system="http://cyber.mil/legacy">V-96893</ident><ident system="http://cyber.mil/cci">CCI-000133</ident><fixtext fixref="F-17891r287938_fix">Configure the router to log events containing information to establish where the events occurred as shown in the example below:
R5(config)#ip access-list extended INGRESS_FILTER
@@ -670,7 +670,7 @@ If the router is not configured to produce audit records containing information
Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96895</ident><ident system="http://cyber.mil/legacy">SV-106033</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17892r287941_fix">Disable the auxiliary port.
R2(config)#line aux 0
R2(config-line)#no exec
R2(config-line)#no exec
R2(config-line)#transport input none</fixtext><fix id="F-17892r287941_fix" /><check system="C-17894r287940_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it.
line aux 0
@@ -686,7 +686,7 @@ Step 1: Configure an inbound ACL to deny all other traffic by default as shown i
R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#permit tcp any any established
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -762,7 +762,7 @@ Traffic can be restricted directly by an access control list (ACL), which is a f
This requirement is intended to allow network administrators the flexibility to use whatever technique is most effective.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106039</ident><ident system="http://cyber.mil/legacy">V-96901</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-17895r287950_fix">This requirement is not applicable for the DODIN Backbone.
Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations.
R1(config)#ip access-list extended FILTER_PERIMETER
R1(config-ext-nacl)#nn permit udp host x.12.1.9 host x.12.1.21 eq ntp
@@ -897,7 +897,7 @@ R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14</fixtext><fix id="F-17898r507574_f
Review the router configuration and verify that it is not BGP peering with an alternate gateway service provider.
Step 1: Determine the ip address of the ISP router.
Step 1: Determine the ip address of the ISP router.
interface GigabitEthernet0/2
description Link to ISP
@@ -979,7 +979,7 @@ Configure the router to use an inbound ACL on all external interfaces as shown i
R1(config)#ip access-list extended EXTERNAL_ACL_INBOUND
R1(config-ext-nacl)#permit tcp any any established
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo
R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -1012,7 +1012,7 @@ ip access-list extended EXTERNAL_ACL_INBOUND
deny ip any any log-input
If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.</check-content></check></Rule></Group><Group id="V-216671"><title>SRG-NET-000205-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216671r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000330</version><title>The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.</check-content></check></Rule></Group><Group id="V-216671"><title>SRG-NET-000205-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216671r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000330</version><title>The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:
@@ -1031,7 +1031,7 @@ interface GigabitEthernet0/2
ip address x.11.1.2 255.255.255.254
ip access-group EXTERNAL_ACL_INBOUND in
If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.</check-content></check></Rule></Group><Group id="V-216672"><title>SRG-NET-000205-RTR-000005</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216672r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000340</version><title>The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.</check-content></check></Rule></Group><Group id="V-216672"><title>SRG-NET-000205-RTR-000005</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216672r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000340</version><title>The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.</title><description>&lt;VulnDiscussion&gt;Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router.
Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:
@@ -1056,7 +1056,7 @@ If the router is not configured to filter traffic leaving the network at the int
R5(config)#int g0/1
R5(config-if)#no lldp transmit</fixtext><fix id="F-17905r287974_fix" /><check system="C-17907r287973_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Step 1: Verify LLDP is not enabled globally via the command.
Step 1: Verify LLDP is not enabled globally via the command.
lldp run
@@ -1093,7 +1093,7 @@ If CDP is enabled on any external interface, this is a finding.</check-content><
Disable Proxy ARP on all external interfaces as shown in the example below:
R2(config)#int g0/1
R2(config)#int g0/1
R2(config-if)#no ip proxy-arp</fixtext><fix id="F-17907r287980_fix" /><check system="C-17909r287979_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces as shown in the example below:
@@ -1103,7 +1103,7 @@ interface GigabitEthernet0/1
ip address x.1.12.2 255.255.255.252
no ip proxy-arp
Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration.
Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration.
If IP Proxy ARP is enabled on any external interface, this is a finding.</check-content></check></Rule></Group><Group id="V-216677"><title>SRG-NET-000364-RTR-000113</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216677r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000390</version><title>The Cisco perimeter router must be configured to block all outbound management traffic.</title><description>&lt;VulnDiscussion&gt;For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96927</ident><ident system="http://cyber.mil/legacy">SV-106065</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17908r287983_fix">This requirement is not applicable for the DODIN Backbone.
@@ -1170,7 +1170,7 @@ Step 3: Specify the pre-shared key and the remote peer address.
R4(config)#crypto isakmp key 0 xxxxxx address x.1.12.1
Note: Digital certificates can be utilized as an alternative.
Step 4: Create the IPSec transform set for the data encryption.
R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
@@ -1185,7 +1185,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL
R4(config-crypto-map)#set transform-set TRANS_SET
R4(config-crypto-map)#end
Step 6: Apply the crypto map to the external interface.
Step 6: Apply the crypto map to the external interface.
R4(config)#int g0/2
R4(config-if)#crypto map IPSEC_MGMT_MAP</fixtext><fix id="F-17909r287986_fix" /><check system="C-17911r287985_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
@@ -1207,7 +1207,7 @@ crypto isakmp policy 10
crypto isakmp key xxxxxx address x.1.12.1
!
!
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel.
@@ -1270,7 +1270,7 @@ ip access-list extended MGMT_TRAFFIC_ACL
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap
permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog
permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255
deny ip any any log-input
If an IPSec tunnel is used, verify that the only authorized management traffic is transported to the NOC.
@@ -1473,7 +1473,7 @@ R4(config)#int g0/7
R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in
R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL out</fixtext><fix id="F-17914r288001_fix" /><check system="C-17916r288000_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
Step 1: Verify that the managed interface has an inbound and outbound ACL configured.
interface GigabitEthernet0/7
description link to OOBM access switch
@@ -1481,7 +1481,7 @@ interface GigabitEthernet0/7
ip access-group INGRESS_MANAGEMENT_ACL in
ip access-group EGRESS_MANAGEMENT_ACL out
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
Step 2: Verify that the ingress ACL only allows management and ICMP traffic.
ip access-list extended INGRESS_MANAGEMENT_ACL
permit tcp any host 10.11.1.22 eq tacacs
@@ -1521,7 +1521,7 @@ Step 3: Specify the pre-shared key and the remote peer address.
R4(config)#crypto isakmp key 0 xxxxxx address 10.1.12.1
Note: Digital certificates can be utilized as an alternative.
Step 4: Create the Phase 2 policy for the data encryption.
R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
@@ -1536,7 +1536,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL
R4(config-crypto-map)#set transform-set TRANS_SET
R4(config-crypto-map)#end
Step 6: Apply the crypto map to the external interface.
Step 6: Apply the crypto map to the external interface.
R4(config)#int g0/2
R4(config-if)#crypto map IPSEC_MGMT_MAP</fixtext><fix id="F-17915r288004_fix" /><check system="C-17917r288003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
@@ -1558,7 +1558,7 @@ crypto isakmp policy 10
crypto isakmp key xxxxxx address x.1.12.1
!
!
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes
Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel.
@@ -1601,7 +1601,7 @@ R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in
R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Route Map Alternative:
Route Map Alternative:
Step 1: Configure the route map referencing the configured prefix list above.
@@ -1613,7 +1613,7 @@ Step 2: Apply the route-map inbound to each external BGP neighbor as shown in th
R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 route-map FILTER_PREFIX_MAP in
R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in
R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in
R1(config-router)#end</fixtext><fix id="F-17918r288007_fix" /><check system="C-17920r288006_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that it will reject BGP routes for any Bogon prefixes.
Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below:
@@ -1644,7 +1644,7 @@ router bgp xx
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list PREFIX_FILTER in
Route Map Alternative:
Route Map Alternative:
Verify that the route map applied to the external neighbors references the configured Bogon prefix list shown above.
@@ -1703,7 +1703,7 @@ Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the
R1(config)#router bgp xx
R1(config-router)#neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in
R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in</fixtext><fix id="F-17920r288013_fix" /><check system="C-17922r288012_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.
R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 in</fixtext><fix id="F-17920r288013_fix" /><check system="C-17922r288012_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.
Step 1: Verify prefix list has been configured for each customer containing prefixes belonging to each customer as shown in the example below:
@@ -1893,8 +1893,8 @@ router bgp xx
neighbor 10.1.1.1 remote-as xx
neighbor 10.1.1.1 password xxxxxxxx
neighbor 10.1.1.1 update-source Loopback0
If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-216697"><title>SRG-NET-000512-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216697r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000590</version><title>The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.</title><description>&lt;VulnDiscussion&gt;Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96967</ident><ident system="http://cyber.mil/legacy">SV-106105</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17928r288037_fix">Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address.
If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-216697"><title>SRG-NET-000512-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216697r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000590</version><title>The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.</title><description>&lt;VulnDiscussion&gt;Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96967</ident><ident system="http://cyber.mil/legacy">SV-106105</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17928r288037_fix">Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address.
R4(config)#mpls ldp router-id lo0</fixtext><fix id="F-17928r288037_fix" /><check system="C-17930r288036_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if it is compliant with this requirement.
@@ -1936,7 +1936,7 @@ When RSVP messages are sent out, they are sent either hop by hop or with the rou
R2(config)#ip rsvp signalling rate-limit burst 9 maxsize 2100 period 30 limit 50</fixtext><fix id="F-17930r288043_fix" /><check system="C-17932r288042_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine RSVP messages are rate limited.
Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below:
Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below:
mpls traffic-eng tunnels
@@ -1951,7 +1951,7 @@ Step 2: If MPLS TE is enabled, verify that message pacing is enabled.
ip rsvp signalling rate-limit period 30 burst 9 maxsize 2100 limit 50
Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit"
Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit"
If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.</check-content></check></Rule></Group><Group id="V-216700"><title>SRG-NET-000512-RTR-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216700r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000620</version><title>The Cisco MPLS router must be configured to have TTL Propagation disabled.</title><description>&lt;VulnDiscussion&gt;The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one.
@@ -2007,9 +2007,9 @@ R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx</fixtext><fix id="F-1793
mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp
If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.</check-content></check></Rule></Group><Group id="V-216705"><title>SRG-NET-000512-RTR-000008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216705r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000670</version><title>The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.</title><description>&lt;VulnDiscussion&gt;VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits.
If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.</check-content></check></Rule></Group><Group id="V-216705"><title>SRG-NET-000512-RTR-000008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216705r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000670</version><title>The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.</title><description>&lt;VulnDiscussion&gt;VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits.
To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106121</ident><ident system="http://cyber.mil/legacy">V-96983</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17936r288061_fix">Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID.
To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106121</ident><ident system="http://cyber.mil/legacy">V-96983</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17936r288061_fix">Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID.
R5(config)#int g0/1
R5(config-if)#xconnect x.2.2.12 55 encapsulation mpls</fixtext><fix id="F-17936r288061_fix" /><check system="C-17938r288060_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the correct and unique VCID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/1 is the CE-facing interface that is configured for VPWS with the VCID of 55.
@@ -2027,13 +2027,13 @@ R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls
R1(config-vfi)#bridge-domain 100
R1(config-vfi)#exit
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#encapsulation untagged
R1(config-if-srv)#encapsulation untagged
R1(config-if-srv)#bridge-domain 100
R1(config-if-srv)#end</fixtext><fix id="F-17937r288064_fix" /><check system="C-17939r288063_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment.
Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110.
l2 vfi VPLS_A manual
l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls
@@ -2051,10 +2051,10 @@ If the attachment circuits have not been bound to VFI configured with the assign
The PE routers use the VFI with a unique VPN ID to establish a full mesh of emulated virtual circuits or pseudowires to all the other PE routers in the VPLS instance. The full-mesh configuration allows the PE router to maintain a single broadcast domain. With a full-mesh configuration, signaling and packet replication requirements for each provisioned virtual circuit on a PE can be high. To avoid the problem of a packet looping in the provider core, thereby adding more overhead, the PE devices must enforce a split-horizon principle for the emulated virtual circuits; that is, if a packet is received on an emulated virtual circuit, it is not forwarded on any other virtual circuit.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106125</ident><ident system="http://cyber.mil/legacy">V-96987</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-17938r288067_fix">Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration.
R1(config)#l2 vfi VPLS_A manual
R1(config)#l2 vfi VPLS_A manual
R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls</fixtext><fix id="F-17938r288067_fix" /><check system="C-17940r288066_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the PE router configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not be seen on the neighbor command as shown in the example below:
l2 vfi VPLS_A manual
l2 vfi VPLS_A manual
vpn id 110
bridge-domain 100
neighbor 10.3.3.3 encapsulation mpls no-split-horizon
@@ -2064,7 +2064,7 @@ If split horizon is not enabled, this is a finding.
Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.</check-content></check></Rule></Group><Group id="V-216708"><title>SRG-NET-000193-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216708r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000700</version><title>The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.</title><description>&lt;VulnDiscussion&gt;A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106127</ident><ident system="http://cyber.mil/legacy">V-96989</ident><ident system="http://cyber.mil/cci">CCI-001095</ident><fixtext fixref="F-17939r288070_fix">Configure storm control for each CE-facing interface as shown in the example below:
R1(config)#int g3
R1(config-if)#service instance 10 ethernet
R1(config-if)#service instance 10 ethernet
R1(config-if-srv)#storm-control broadcast cir 12000000
R1(config-if-srv)#end
@@ -2075,21 +2075,21 @@ interface GigabitEthernet3
service instance 10 ethernet
encapsulation untagged
bridge-domain 100
storm-control broadcast cir 12000000
storm-control broadcast cir 12000000
!
!
If storm control is not enabled at a minimum for broadcast traffic, this is a finding.</check-content></check></Rule></Group><Group id="V-216709"><title>SRG-NET-000362-RTR-000119</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216709r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000710</version><title>The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.</title><description>&lt;VulnDiscussion&gt;IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106129</ident><ident system="http://cyber.mil/legacy">V-96991</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17940r288073_fix">Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain.
R1(config)#bridge-domain 100
R1(config-bdomain)#ip igmp snooping
R1(config-bdomain)#ip igmp snooping
R1(config-bdomain)#end</fixtext><fix id="F-17940r288073_fix" /><check system="C-17942r288072_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain.
Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping
Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below:
bridge-domain 100
bridge-domain 100
no ip igmp snooping
!
@@ -2101,7 +2101,7 @@ A malicious attacker residing in a customer network could launch a source MAC ad
R1(config-bdomain)#mac limit maximum addresses nnnn</fixtext><fix id="F-17941r288076_fix" /><check system="C-17943r288075_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain.
bridge-domain 100
bridge-domain 100
mac limit maximum addresses nnnnn
If a limit has not been configured, this is a finding.</check-content></check></Rule></Group><Group id="V-216711"><title>SRG-NET-000205-RTR-000007</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216711r531086_rule" weight="10.0" severity="high"><version>CISC-RT-000730</version><title>The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.</title><description>&lt;VulnDiscussion&gt;IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial of service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity.
@@ -2109,7 +2109,7 @@ If a limit has not been configured, this is a finding.</check-content></check></
IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96995</ident><ident system="http://cyber.mil/legacy">SV-106133</ident><ident system="http://cyber.mil/cci">CCI-001097</ident><fixtext fixref="F-17942r288079_fix">Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.
Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space.
R2(config)#ip access-list extended BLOCK_TO_CORE
R2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input
R2(config-ext-nacl)#exit
@@ -2118,13 +2118,13 @@ Step 2: Apply the ACL inbound to all external or CE-facing interfaces.
R2(config)#int R4(config)#int g0/2
R2(config-if)#ip access-group BLOCK_TO_CORE in
R2(config-if)#end</fixtext><fix id="F-17942r288079_fix" /><check system="C-17944r288078_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.
R2(config-if)#end</fixtext><fix id="F-17942r288079_fix" /><check system="C-17944r288078_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Step 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces.
interface GigabitEthernet0/2
ip address x.1.12.2 255.255.255.252
ip access-group BLOCK_TO_CORE in
Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.
Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space.
ip access-list extended BLOCK_TO_CORE
deny ip any 10.1.x.0 0.0.255.255 log-input
@@ -2314,7 +2314,7 @@ interface GigabitEthernet1/2
ip address 10.1.15.8 255.255.255.252
service-policy output QOS_POLICY
If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.</check-content></check></Rule></Group><Group id="V-216716"><title>SRG-NET-000193-RTR-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216716r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000780</version><title>The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.</title><description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.
If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.</check-content></check></Rule></Group><Group id="V-216716"><title>SRG-NET-000193-RTR-000112</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216716r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000780</version><title>The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.</title><description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets.
Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97005</ident><ident system="http://cyber.mil/legacy">SV-106143</ident><ident system="http://cyber.mil/cci">CCI-001095</ident><fixtext fixref="F-17947r288091_fix">Step 1: Configure a class map for the SCAVENGER class.
@@ -2336,7 +2336,7 @@ Step 1: Verify that a class map has been configured for the Scavenger class as s
class-map match-all SCAVENGER
match ip dscp cs1
Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.
Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below.
policy-map QOS_POLICY
class CONTROL_PLANE
@@ -2356,9 +2356,9 @@ class SCAVENGER
Note: Traffic out of profile must be marked at the customer access layer or CE egress edge.
If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.</check-content></check></Rule></Group><Group id="V-216717"><title>SRG-NET-000019-RTR-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216717r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000790</version><title>The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.</title><description>&lt;VulnDiscussion&gt;If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.
If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.</check-content></check></Rule></Group><Group id="V-216717"><title>SRG-NET-000019-RTR-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216717r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000790</version><title>The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.</title><description>&lt;VulnDiscussion&gt;If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.
A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.
A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.
As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby knows which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97007</ident><ident system="http://cyber.mil/legacy">SV-106145</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17948r288094_fix">Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it.
@@ -2407,7 +2407,7 @@ Admin-Local scope is encouraged for any multicast traffic within a network inten
R2(config)#ip access-list standard MULTICAST_SCOPE
R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config-std-nacl)#exit
Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below:
@@ -2428,7 +2428,7 @@ ip access-list standard MULTICAST_SCOPE
If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.</check-content></check></Rule></Group><Group id="V-216720"><title>SRG-NET-000362-RTR-000120</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216720r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000820</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.</title><description>&lt;VulnDiscussion&gt;MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial of service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-97013</ident><ident system="http://cyber.mil/legacy">SV-106151</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17951r507586_fix">The risk associated with this requirement can be fully mitigated by configuring the router to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers.
Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#ip access-list extended PIM_REGISTER_FILTER
R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
@@ -2437,7 +2437,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#exit
R2(config)#ip pim accept-register list PIM_REGISTER_FILTER
R2(config)#end
R2(config)#end
Step 2: Configure the RP to rate limit the number of multicast register messages.
@@ -2461,7 +2461,7 @@ R8(config-ext-nacl)#deny ip any any</fixtext><fix id="F-17951r507586_fix" /><che
2. Rate limiting the number of PIM register messages.
3. Accept MSDP packets only from known MSDP peers.
Step 1: Verify that the RP router is configured to filter PIM register messages for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
Step 1: Verify that the RP router is configured to filter PIM register messages for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
@@ -2504,7 +2504,7 @@ ip access-list extended EXTERNAL_ACL_INBOUND
Note: MSDP connections is via TCP port 639
If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.</check-content></check></Rule></Group><Group id="V-216721"><title>SRG-NET-000019-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216721r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000830</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106153</ident><ident system="http://cyber.mil/legacy">V-97015</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17952r288106_fix">Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.</check-content></check></Rule></Group><Group id="V-216721"><title>SRG-NET-000019-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216721r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000830</version><title>The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106153</ident><ident system="http://cyber.mil/legacy">V-97015</ident><ident system="http://cyber.mil/cci">CCI-001414</ident><fixtext fixref="F-17952r288106_fix">Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#ip access-list extended PIM_REGISTER_FILTER
R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
@@ -2513,7 +2513,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#exit
R2(config)#ip pim accept-register list PIM_REGISTER_FILTER
R2(config)#end</fixtext><fix id="F-17952r288106_fix" /><check system="C-17954r288105_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
R2(config)#end</fixtext><fix id="F-17952r288106_fix" /><check system="C-17954r288105_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7.
ip pim rp-address 10.1.12.3
ip pim accept-register list PIM_REGISTER_FILTER
@@ -2532,7 +2532,7 @@ R2(config)#ip access-list standard PIM_JOIN_FILTER
R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#exit
R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER
R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER
R2(config)#end</fixtext><fix id="F-17953r288109_fix" /><check system="C-17955r288108_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Verify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed.
ip pim rp-address 10.2.2.2
@@ -2554,7 +2554,7 @@ ip pim register-rate-limit nn
If the RP is not limiting PIM register messages, this is a finding.</check-content></check></Rule></Group><Group id="V-216724"><title>SRG-NET-000364-RTR-000114</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216724r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000860</version><title>The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.</title><description>&lt;VulnDiscussion&gt;Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106159</ident><ident system="http://cyber.mil/legacy">V-97021</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-17955r507589_fix">Configure the DR to filter the IGMP or MLD Membership Report messages to allow hosts to join only those multicast groups that have been approved.
Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example.
Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example.
R3(config)#ip access-list standard IGMP_JOIN_FILTER
R3(config-std-nacl)#deny 239.8.0.0 0.0.255.255
@@ -2630,7 +2630,7 @@ If the DR is not limiting multicast join requests via IGMP or MLD on a global or
When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106165</ident><ident system="http://cyber.mil/legacy">V-97027</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-17958r288124_fix">Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed.
R3(config)#ip pim spt-threshold infinity</fixtext><fix id="F-17958r288124_fix" /><check system="C-17960r288123_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over).
R3(config)#ip pim spt-threshold infinity</fixtext><fix id="F-17958r288124_fix" /><check system="C-17960r288123_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over).
ip pim rp-address 10.2.2.2
ip pim spt-threshold infinity
@@ -2682,7 +2682,7 @@ ip msdp password peer x.1.28.8 xxxxxxxxxxxx
If the router does not require MSDP authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-216730"><title>SRG-NET-000018-RTR-000007</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216730r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000920</version><title>The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.</title><description>&lt;VulnDiscussion&gt;The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106171</ident><ident system="http://cyber.mil/legacy">V-97033</ident><ident system="http://cyber.mil/cci">CCI-001368</ident><fixtext fixref="F-17961r288133_fix">Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below:
R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER
R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod
R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod
R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds
R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC
R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight
@@ -2698,7 +2698,7 @@ R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address r
R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#permit ip any any
R8(config-ext-nacl)#exit
R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER</fixtext><fix id="F-17961r288133_fix" /><check system="C-17963r288132_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.
R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER</fixtext><fix id="F-17961r288133_fix" /><check system="C-17963r288132_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.
Step 1: Verify that an inbound source-active filter is bound to each MSDP peer.
@@ -2918,11 +2918,11 @@ ip access-list extended EXTERNAL_ACL
deny ip any any option any-options
permit …
deny ip any any log-input
If the router is not configured to drop all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-216999"><title>SRG-NET-000362-RTR-000124</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216999r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000470</version><title>The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).</title><description>&lt;VulnDiscussion&gt;As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers.
If the router is not configured to drop all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-216999"><title>SRG-NET-000362-RTR-000124</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-216999r531086_rule" weight="10.0" severity="low"><version>CISC-RT-000470</version><title>The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).</title><description>&lt;VulnDiscussion&gt;As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers.
GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106081</ident><ident system="http://cyber.mil/legacy">V-96943</ident><ident system="http://cyber.mil/cci">CCI-002385</ident><fixtext fixref="F-18227r288160_fix">Configure TTL security on all external BGP neighbors as shown in the example below:
@@ -2943,8 +2943,8 @@ router bgp xx
If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-217000"><title>SRG-NET-000230-RTR-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-217000r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000480</version><title>The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.</title><description>&lt;VulnDiscussion&gt;If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106083</ident><ident system="http://cyber.mil/legacy">V-96945</ident><ident system="http://cyber.mil/cci">CCI-002205</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-18228r288163_fix">Configure the router to use unique keys for each AS that it peers with as shown in the example below:
R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 password yyyyyyyy
R1(config-router)#neighbor x.2.1.7 password zzzzzzzzz</fixtext><fix id="F-18228r288163_fix" /><check system="C-18230r288162_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used.
R1(config-router)#neighbor x.1.1.9 password yyyyyyyy
R1(config-router)#neighbor x.2.1.7 password zzzzzzzzz</fixtext><fix id="F-18228r288163_fix" /><check system="C-18230r288162_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used.
router bgp xx
no synchronization
@@ -2956,7 +2956,7 @@ router bgp xx
If unique keys are not being used, this is a finding.</check-content></check></Rule></Group><Group id="V-217001"><title>SRG-NET-000205-RTR-000016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-217001r531086_rule" weight="10.0" severity="medium"><version>CISC-RT-000750</version><title>The Cisco PE router must be configured to ignore or drop all packets with any IP options.</title><description>&lt;VulnDiscussion&gt;Packets with IP options are not fast-switched and therefore must be punted to the router processor. Hackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-96999</ident><ident system="http://cyber.mil/legacy">SV-106137</ident><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-18229r288166_fix">Configure the router to ignore or drop all packets with IP options as shown in the examples below:
R4(config)#ip options ignore
R4(config)#ip options ignore
or
@@ -2968,23 +2968,23 @@ ip options ignore
If the router is not configured to drop or block all packets with IP options, this is a finding.</check-content></check></Rule></Group><Group id="V-229031"><title>SRG-NET-000512-RTR-000100</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-229031r531380_rule" weight="10.0" severity="medium"><version>CISC-RT-000235</version><title>The Cisco router must be configured to have Cisco Express Forwarding enabled.</title><description>&lt;VulnDiscussion&gt;The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-31322r531380_fix">Enable CEF
IPv4 Example: ip cef
IPv4 Example: ip cef
IPv6 Example: ipv6 cef</fixtext><fix id="F-31322r531380_fix" /><check system="C-31345r519022_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router to verify that CEF is enabled.
IPv4 Example: ip cef
IPv4 Example: ip cef
IPv6 Example: ipv6 cef</check-content></check></Rule></Group><Group id="V-230039"><title>SRG-NET-000512-RTR-000012</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230039r531455_rule" weight="10.0" severity="low"><version>CISC-RT-000236</version><title>The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.</title><description>&lt;VulnDiscussion&gt;The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32329r531385_fix">Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages.
R1(config)#ipv6 hop-limit 128</fixtext><fix id="F-32329r531385_fix" /><check system="C-32352r531382_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages as shown in the example.
ipv6 hop-limit 128
If it has been configured and has not been set to at least 32, it is a finding.</check-content></check></Rule></Group><Group id="V-230042"><title>SRG-NET-000512-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230042r532999_rule" weight="10.0" severity="medium"><version>CISC-RT-000237</version><title>The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.</title><description>&lt;VulnDiscussion&gt;As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32330r532997_fix">Configure the router using only authorized IPv6 addresses. </fixtext><fix id="F-32330r532997_fix" /><check system="C-32353r532996_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined.
If it has been configured and has not been set to at least 32, it is a finding.</check-content></check></Rule></Group><Group id="V-230042"><title>SRG-NET-000512-RTR-000013</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230042r532999_rule" weight="10.0" severity="medium"><version>CISC-RT-000237</version><title>The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.</title><description>&lt;VulnDiscussion&gt;As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32330r532997_fix">Configure the router using only authorized IPv6 addresses. </fixtext><fix id="F-32330r532997_fix" /><check system="C-32353r532996_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined.
If IPv6 Site Local Unicast addresses are defined, this is a finding.</check-content></check></Rule></Group><Group id="V-230045"><title>SRG-NET-000512-RTR-000014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230045r533006_rule" weight="10.0" severity="medium"><version>CISC-RT-000391</version><title>The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.</title><description>&lt;VulnDiscussion&gt;Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-32331r533004_fix">Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below.
R1(config)#int g1/0
R1(config-if)#ipv6 nd ra suppress
R1(config-if)#end
</fixtext><fix id="F-32331r533004_fix" /><check system="C-32354r533003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32331r533004_fix" /><check system="C-32354r533003_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below.
@@ -3004,7 +3004,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6 in
</fixtext><fix id="F-32332r533183_fix" /><check system="C-32355r533182_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32332r533183_fix" /><check system="C-32355r533182_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is configured to drop IPv6 undetermined transport packets.
@@ -3024,7 +3024,7 @@ ipv6 access-list FILTER_IPV6
deny ipv6 any any log
If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.</check-content></check></Rule></Group><Group id="V-230051"><title>SRG-NET-000364-RTR-000201</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230051r533193_rule" weight="10.0" severity="medium"><version>CISC-RT-000393</version><title>The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255. </title><description>&lt;VulnDiscussion&gt;The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6.
If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.</check-content></check></Rule></Group><Group id="V-230051"><title>SRG-NET-000364-RTR-000201</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-230051r533193_rule" weight="10.0" severity="medium"><version>CISC-RT-000393</version><title>The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255. </title><description>&lt;VulnDiscussion&gt;The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6.
The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called "Nimrod Routing", a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. The Type 3255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Cisco IOS XE Router RTR</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Cisco IOS XE Router RTR</dc:subject><dc:identifier>4028</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002403</ident><fixtext fixref="F-32335r533191_fix">Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below.
R1(config)#ipv6 access-list FILTER_IPV6
@@ -3038,7 +3038,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
</fixtext><fix id="F-32335r533191_fix" /><check system="C-32357r533190_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32335r533191_fix" /><check system="C-32357r533190_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255.
@@ -3076,9 +3076,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32440r538504_fix" /><check system="C-32462r538501_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32440r538504_fix" /><check system="C-32462r538501_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3090,7 +3090,7 @@ Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header wi
ipv6 access-list FILTER_IPV6
deny hbh any any dest-option-type 4 log
deny hbh any any dest-option-type 195 log
deny hbh any any dest-option-type home-address log
deny hbh any any dest-option-type home-address log
permit ipv6 …
@@ -3110,9 +3110,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32443r538591_fix" /><check system="C-32465r538590_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32443r538591_fix" /><check system="C-32465r538590_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3144,9 +3144,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32445r538598_fix" /><check system="C-32467r538597_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32445r538598_fix" /><check system="C-32467r538597_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration to determine if it is compliant with this requirement.
Review the router configuration to determine if it is compliant with this requirement.
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3177,9 +3177,9 @@ R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end
</fixtext><fix id="F-32447r538606_fix" /><check system="C-32469r538605_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32447r538606_fix" /><check system="C-32469r538605_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.
@@ -3218,7 +3218,7 @@ R1(config-ipv6-acl)#deny any any dest-option-type 39
R1(config-ipv6-acl)#deny any any dest-option-type 47
R1(config-ipv6-acl)#deny any any dest-option-type 49
R1(config-ipv6-acl)#deny any any dest-option-type 255
R1(config-ipv6-acl)#permit …
@@ -3228,7 +3228,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
</fixtext><fix id="F-32449r538613_fix" /><check system="C-32471r538612_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
</fixtext><fix id="F-32449r538613_fix" /><check system="C-32471r538612_chk"><check-content-ref href="Cisco_IOS_XE_Router_RTR_STIG.xml" name="M" /><check-content>This requirement is not applicable for the DODIN Backbone.
Review the router configuration and determine if filters are bound to the applicable interfaces to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06, 0x9 0xE, 0x10 0x22, 0x24, 0x25, 0x27 0x2F, and 0x31 0xFF.
@@ -3259,7 +3259,7 @@ ipv6 access-list FILTER_IPV6
deny any any dest-option-type 47
deny any any dest-option-type 49
deny any any dest-option-type 255
permit …
@@ -3269,4 +3269,4 @@ ipv6 access-list FILTER_IPV6
Note: Because hop-by-hop and destination options have the same exact header format, they can be combined under the dest-option-type keyword. Since Hop-by-Hop and Destination Option headers have non-overlapping types, you can use dest-option-type to match either.
If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.</check-content></check></Rule></Group></Benchmark>
If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding.</check-content></check></Rule></Group></Benchmark>

32
collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml
View File

@@ -137,14 +137,14 @@
- (cmd_result.stdout|join('\n')).find('ip dns server') != -1
- iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_identd
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_config:
defaults: yes
lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
when:
- iosxeSTIG_stigrule_215823_Manage
# - name : stigrule_215823_disable_identd
# ignore_errors: "{{ ignore_all_errors }}"
# notify: "save configuration"
# ios_config:
# defaults: yes
# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}"
# when:
# - iosxeSTIG_stigrule_215823_Manage
# R-215823 CISC-ND-000470
- name : stigrule_215823_disable_finger
ignore_errors: "{{ ignore_all_errors }}"
@@ -378,9 +378,9 @@
- name : stigrule_215837_host
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_logging:
dest: host
name: "{{ iosxeSTIG_stigrule_215837_host_Name }}"
ios_config:
lines:
- "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"
when: iosxeSTIG_stigrule_215837_Manage
# R-215837 CISC-ND-001000
# Please configure name IP address to a valid one.
@@ -397,16 +397,18 @@
- name : stigrule_215838_ntp_server_1
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215838 CISC-ND-001030
# Replace ntp servers' IP address before enabling.
- name : stigrule_215838_ntp_server_2
ignore_errors: "{{ ignore_all_errors }}"
notify: "save configuration"
ios_ntp:
server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
cisco.ios.ios_config:
lines:
- "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}"
when: iosxeSTIG_stigrule_215838_Manage
# R-215840 CISC-ND-001050
# service timestamps log datetime localtime is set in 215817.

67
collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -11,76 +12,82 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
cwd = os.path.abspath(".")
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
else:
rev = '0'
rev = "0"
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
with open(self.XML_path, "wb") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

426
collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml
View File

File diff suppressed because it is too large Load Diff

34
collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
View File

@@ -3,7 +3,7 @@ rhel8STIG_stigrule_230225_Manage: True
rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
# R-230226 RHEL-08-010050
rhel8STIG_stigrule_230226_Manage: True
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
# R-230227 RHEL-08-010060
rhel8STIG_stigrule_230227_Manage: True
rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
@@ -43,9 +43,6 @@ rhel8STIG_stigrule_230241_policycoreutils_State: installed
# R-230244 RHEL-08-010200
rhel8STIG_stigrule_230244_Manage: True
rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
# R-230252 RHEL-08-010291
rhel8STIG_stigrule_230252_Manage: True
rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-230255 RHEL-08-010294
rhel8STIG_stigrule_230255_Manage: True
rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
@@ -138,19 +135,9 @@ rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
# R-230347 RHEL-08-020030
rhel8STIG_stigrule_230347_Manage: True
rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
# R-230348 RHEL-08-020040
rhel8STIG_stigrule_230348_Manage: True
rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
# R-230349 RHEL-08-020041
rhel8STIG_stigrule_230349_Manage: True
rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
# R-230352 RHEL-08-020060
rhel8STIG_stigrule_230352_Manage: True
rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
# R-230353 RHEL-08-020070
rhel8STIG_stigrule_230353_Manage: True
rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900'
# R-230354 RHEL-08-020080
rhel8STIG_stigrule_230354_Manage: True
rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
@@ -232,9 +219,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-230395 RHEL-08-030063
rhel8STIG_stigrule_230395_Manage: True
rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-230396 RHEL-08-030070
rhel8STIG_stigrule_230396_Manage: True
rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
# R-230398 RHEL-08-030090
# A duplicate of 230396
# duplicate of 230396
@@ -341,8 +325,8 @@ rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '
rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-230439 RHEL-08-030361
rhel8STIG_stigrule_230439_Manage: True
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
# R-230444 RHEL-08-030370
rhel8STIG_stigrule_230444_Manage: True
rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
@@ -438,7 +422,8 @@ rhel8STIG_stigrule_230527_Manage: True
rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
# R-230529 RHEL-08-040170
rhel8STIG_stigrule_230529_Manage: True
rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
# R-230531 RHEL-08-040172
rhel8STIG_stigrule_230531_Manage: True
rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
@@ -520,6 +505,9 @@ rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/us
# R-244525 RHEL-08-010201
rhel8STIG_stigrule_244525_Manage: True
rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
# R-244526 RHEL-08-010287
rhel8STIG_stigrule_244526_Manage: True
rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-244527 RHEL-08-010472
rhel8STIG_stigrule_244527_Manage: True
rhel8STIG_stigrule_244527_rng_tools_State: installed
@@ -532,9 +520,6 @@ rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
# R-244536 RHEL-08-020032
rhel8STIG_stigrule_244536_Manage: True
rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
# R-244537 RHEL-08-020039
rhel8STIG_stigrule_244537_Manage: True
rhel8STIG_stigrule_244537_tmux_State: installed
# R-244538 RHEL-08-020081
rhel8STIG_stigrule_244538_Manage: True
rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
@@ -569,3 +554,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
# R-244554 RHEL-08-040286
rhel8STIG_stigrule_244554_Manage: True
rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
# R-256974 RHEL-08-010358
rhel8STIG_stigrule_256974_Manage: True
rhel8STIG_stigrule_256974_mailx_State: installed

2135
collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml → collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V2R3_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

19
collections/ansible_collections/demo/compliance/roles/rhel8STIG/handlers/main.yml
View File

@@ -6,6 +6,25 @@
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60

272
collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml
View File

@@ -4,7 +4,7 @@
- name: stigrule_230225_banner
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)banner\s+'
regexp: '(?i)^\s*banner\s+'
line: "{{ rhel8STIG_stigrule_230225_banner_Line }}"
notify: ssh_restart
when:
@@ -82,22 +82,12 @@
- name: stigrule_230244_ClientAliveCountMax
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveCountMax\s+'
regexp: '(?i)^\s*ClientAliveCountMax\s+'
line: "{{ rhel8STIG_stigrule_230244_ClientAliveCountMax_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_230244_Manage
- "'openssh-server' in packages"
# R-230252 RHEL-08-010291
- name: stigrule_230252__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_230252_Manage
# R-230255 RHEL-08-010294
- name: stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config
lineinfile:
@@ -111,6 +101,7 @@
- name: stigrule_230256__etc_crypto_policies_back_ends_gnutls_config
lineinfile:
path: /etc/crypto-policies/back-ends/gnutls.config
regexp: '^\+VERS'
line: "{{ rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line }}"
create: yes
when:
@@ -249,7 +240,7 @@
- name: stigrule_230288_StrictModes
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)StrictModes\s+'
regexp: '(?i)^\s*StrictModes\s+'
line: "{{ rhel8STIG_stigrule_230288_StrictModes_Line }}"
notify: ssh_restart
when:
@@ -259,7 +250,7 @@
- name: stigrule_230290_IgnoreUserKnownHosts
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)IgnoreUserKnownHosts\s+'
regexp: '(?i)^\s*IgnoreUserKnownHosts\s+'
line: "{{ rhel8STIG_stigrule_230290_IgnoreUserKnownHosts_Line }}"
notify: ssh_restart
when:
@@ -269,7 +260,7 @@
- name: stigrule_230291_KerberosAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)KerberosAuthentication\s+'
regexp: '(?i)^\s*KerberosAuthentication\s+'
line: "{{ rhel8STIG_stigrule_230291_KerberosAuthentication_Line }}"
notify: ssh_restart
when:
@@ -279,7 +270,7 @@
- name: stigrule_230296_PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitRootLogin\s+'
regexp: '(?i)^\s*PermitRootLogin\s+'
line: "{{ rhel8STIG_stigrule_230296_PermitRootLogin_Line }}"
notify: ssh_restart
when:
@@ -395,7 +386,7 @@
- name: stigrule_230330_PermitUserEnvironment
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PermitUserEnvironment\s+'
regexp: '(?i)^\s*PermitUserEnvironment\s+'
line: "{{ rhel8STIG_stigrule_230330_PermitUserEnvironment_Line }}"
notify: ssh_restart
when:
@@ -422,28 +413,6 @@
when:
- rhel8STIG_stigrule_230347_Manage
- "'dconf' in packages"
# R-230348 RHEL-08-020040
- name: stigrule_230348_ensure_tmux_is_installed
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State }}"
when: rhel8STIG_stigrule_230348_Manage
# R-230348 RHEL-08-020040
- name: stigrule_230348__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230348__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230348_Manage
# R-230349 RHEL-08-020041
- name: stigrule_230349__etc_bashrc
lineinfile:
path: /etc/bashrc
line: "{{ rhel8STIG_stigrule_230349__etc_bashrc_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230349_Manage
# R-230352 RHEL-08-020060
- name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
ini_file:
@@ -456,20 +425,13 @@
when:
- rhel8STIG_stigrule_230352_Manage
- "'dconf' in packages"
# R-230353 RHEL-08-020070
- name: stigrule_230353__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230353__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230353_Manage
# R-230354 RHEL-08-020080
- name: stigrule_230354__etc_dconf_db_local_d_locks_session
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_230354_Manage
# R-230357 RHEL-08-020110
@@ -602,7 +564,7 @@
- name: stigrule_230382_PrintLastLog
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)PrintLastLog\s+'
regexp: '(?i)^\s*PrintLastLog\s+'
line: "{{ rhel8STIG_stigrule_230382_PrintLastLog_Line }}"
notify: ssh_restart
when:
@@ -618,7 +580,7 @@
when:
- rhel8STIG_stigrule_230383_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -626,7 +588,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_euid_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv$'
@@ -634,7 +596,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -642,7 +604,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230386_Manage
# R-230386 RHEL-08-030000
- name : stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
- name: stigrule_230386__etc_audit_rules_d_audit_rules_execve_egid_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv$'
@@ -726,18 +688,8 @@
notify: auditd_restart
when:
- rhel8STIG_stigrule_230395_Manage
# R-230396 RHEL-08-030070
- name: stigrule_230396__etc_audit_auditd_conf
lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group = '
line: "{{ rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line }}"
create: yes
notify: auditd_restart
when:
- rhel8STIG_stigrule_230396_Manage
# R-230402 RHEL-08-030121
- name : stigrule_230402__etc_audit_rules_d_audit_rules_e2
- name: stigrule_230402__etc_audit_rules_d_audit_rules_e2
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-e 2$'
@@ -745,7 +697,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230402_Manage
# R-230403 RHEL-08-030122
- name : stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
- name: stigrule_230403__etc_audit_rules_d_audit_rules_loginuid_immutable
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^--loginuid-immutable$'
@@ -753,7 +705,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230403_Manage
# R-230404 RHEL-08-030130
- name : stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
- name: stigrule_230404__etc_audit_rules_d_audit_rules__etc_shadow
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/shadow -p wa -k identity$'
@@ -761,7 +713,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230404_Manage
# R-230405 RHEL-08-030140
- name : stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
- name: stigrule_230405__etc_audit_rules_d_audit_rules__etc_security_opasswd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/security/opasswd -p wa -k identity$'
@@ -769,7 +721,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230405_Manage
# R-230406 RHEL-08-030150
- name : stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
- name: stigrule_230406__etc_audit_rules_d_audit_rules__etc_passwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/passwd -p wa -k identity$'
@@ -777,7 +729,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230406_Manage
# R-230407 RHEL-08-030160
- name : stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
- name: stigrule_230407__etc_audit_rules_d_audit_rules__etc_gshadow
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/gshadow -p wa -k identity$'
@@ -785,7 +737,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230407_Manage
# R-230408 RHEL-08-030170
- name : stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
- name: stigrule_230408__etc_audit_rules_d_audit_rules__etc_group
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/group -p wa -k identity$'
@@ -793,7 +745,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230408_Manage
# R-230409 RHEL-08-030171
- name : stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
- name: stigrule_230409__etc_audit_rules_d_audit_rules__etc_sudoers
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers -p wa -k identity$'
@@ -801,7 +753,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230409_Manage
# R-230410 RHEL-08-030172
- name : stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
- name: stigrule_230410__etc_audit_rules_d_audit_rules__etc_sudoers_d_
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers.d/ -p wa -k identity$'
@@ -815,7 +767,7 @@
state: "{{ rhel8STIG_stigrule_230411_audit_State }}"
when: rhel8STIG_stigrule_230411_Manage
# R-230412 RHEL-08-030190
- name : stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
- name: stigrule_230412__etc_audit_rules_d_audit_rules__usr_bin_su
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change$'
@@ -823,7 +775,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230412_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -831,7 +783,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -839,7 +791,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -847,7 +799,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230413 RHEL-08-030200
- name : stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
- name: stigrule_230413__etc_audit_rules_d_audit_rules_lremovexattr_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod$'
@@ -855,7 +807,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230413_Manage
# R-230418 RHEL-08-030250
- name : stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
- name: stigrule_230418__etc_audit_rules_d_audit_rules__usr_bin_chage
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage$'
@@ -863,7 +815,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230418_Manage
# R-230419 RHEL-08-030260
- name : stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
- name: stigrule_230419__etc_audit_rules_d_audit_rules__usr_bin_chcon
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -871,7 +823,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230419_Manage
# R-230421 RHEL-08-030280
- name : stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
- name: stigrule_230421__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -879,7 +831,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230421_Manage
# R-230422 RHEL-08-030290
- name : stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
- name: stigrule_230422__etc_audit_rules_d_audit_rules__usr_bin_passwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd$'
@@ -887,7 +839,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230422_Manage
# R-230423 RHEL-08-030300
- name : stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
- name: stigrule_230423__etc_audit_rules_d_audit_rules__usr_bin_mount
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -895,7 +847,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230423_Manage
# R-230424 RHEL-08-030301
- name : stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
- name: stigrule_230424__etc_audit_rules_d_audit_rules__usr_bin_umount
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -903,7 +855,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230424_Manage
# R-230425 RHEL-08-030302
- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -911,7 +863,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230425_Manage
# R-230425 RHEL-08-030302
- name : stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
- name: stigrule_230425__etc_audit_rules_d_audit_rules_mount_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount$'
@@ -919,7 +871,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230425_Manage
# R-230426 RHEL-08-030310
- name : stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
- name: stigrule_230426__etc_audit_rules_d_audit_rules__usr_sbin_unix_update
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -927,7 +879,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230426_Manage
# R-230427 RHEL-08-030311
- name : stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
- name: stigrule_230427__etc_audit_rules_d_audit_rules__usr_sbin_postdrop
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -935,7 +887,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230427_Manage
# R-230428 RHEL-08-030312
- name : stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
- name: stigrule_230428__etc_audit_rules_d_audit_rules__usr_sbin_postqueue
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -943,7 +895,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230428_Manage
# R-230429 RHEL-08-030313
- name : stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
- name: stigrule_230429__etc_audit_rules_d_audit_rules__usr_sbin_semanage
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -951,7 +903,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230429_Manage
# R-230430 RHEL-08-030314
- name : stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
- name: stigrule_230430__etc_audit_rules_d_audit_rules__usr_sbin_setfiles
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -959,7 +911,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230430_Manage
# R-230431 RHEL-08-030315
- name : stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
- name: stigrule_230431__etc_audit_rules_d_audit_rules__usr_sbin_userhelper
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -967,7 +919,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230431_Manage
# R-230432 RHEL-08-030316
- name : stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
- name: stigrule_230432__etc_audit_rules_d_audit_rules__usr_sbin_setsebool
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -975,7 +927,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230432_Manage
# R-230433 RHEL-08-030317
- name : stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
- name: stigrule_230433__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update$'
@@ -983,7 +935,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230433_Manage
# R-230434 RHEL-08-030320
- name : stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
- name: stigrule_230434__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh$'
@@ -991,7 +943,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230434_Manage
# R-230435 RHEL-08-030330
- name : stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
- name: stigrule_230435__etc_audit_rules_d_audit_rules__usr_bin_setfacl
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -999,7 +951,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230435_Manage
# R-230436 RHEL-08-030340
- name : stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
- name: stigrule_230436__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check$'
@@ -1007,7 +959,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230436_Manage
# R-230437 RHEL-08-030350
- name : stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
- name: stigrule_230437__etc_audit_rules_d_audit_rules__usr_bin_newgrp
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1015,7 +967,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230437_Manage
# R-230438 RHEL-08-030360
- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1023,7 +975,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230438_Manage
# R-230438 RHEL-08-030360
- name : stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
- name: stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1031,23 +983,23 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230438_Manage
# R-230439 RHEL-08-030361
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
# R-230439 RHEL-08-030361
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
- name: stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
# R-230444 RHEL-08-030370
- name : stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
- name: stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd$'
@@ -1055,7 +1007,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230444_Manage
# R-230446 RHEL-08-030390
- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1063,7 +1015,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230446_Manage
# R-230446 RHEL-08-030390
- name : stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
- name: stigrule_230446__etc_audit_rules_d_audit_rules_delete_module_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng$'
@@ -1071,7 +1023,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230446_Manage
# R-230447 RHEL-08-030400
- name : stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
- name: stigrule_230447__etc_audit_rules_d_audit_rules__usr_bin_crontab
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab$'
@@ -1079,7 +1031,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230447_Manage
# R-230448 RHEL-08-030410
- name : stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
- name: stigrule_230448__etc_audit_rules_d_audit_rules__usr_bin_chsh
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1087,7 +1039,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230448_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1095,7 +1047,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EPERM_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1103,7 +1055,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1111,7 +1063,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230449 RHEL-08-030420
- name : stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
- name: stigrule_230449__etc_audit_rules_d_audit_rules_truncate_EACCES_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access$'
@@ -1119,7 +1071,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230449_Manage
# R-230455 RHEL-08-030480
- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1127,7 +1079,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230455_Manage
# R-230455 RHEL-08-030480
- name : stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
- name: stigrule_230455__etc_audit_rules_d_audit_rules_chown_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1135,7 +1087,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230455_Manage
# R-230456 RHEL-08-030490
- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1143,7 +1095,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230456_Manage
# R-230456 RHEL-08-030490
- name : stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
- name: stigrule_230456__etc_audit_rules_d_audit_rules_chmod_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1151,7 +1103,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230456_Manage
# R-230462 RHEL-08-030550
- name : stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
- name: stigrule_230462__etc_audit_rules_d_audit_rules__usr_bin_sudo
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd$'
@@ -1159,7 +1111,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230462_Manage
# R-230463 RHEL-08-030560
- name : stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
- name: stigrule_230463__etc_audit_rules_d_audit_rules__usr_sbin_usermod
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod$'
@@ -1167,7 +1119,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230463_Manage
# R-230464 RHEL-08-030570
- name : stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
- name: stigrule_230464__etc_audit_rules_d_audit_rules__usr_bin_chacl
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod$'
@@ -1175,7 +1127,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230464_Manage
# R-230465 RHEL-08-030580
- name : stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
- name: stigrule_230465__etc_audit_rules_d_audit_rules__usr_bin_kmod
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules$'
@@ -1183,7 +1135,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230465_Manage
# R-230466 RHEL-08-030590
- name : stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
- name: stigrule_230466__etc_audit_rules_d_audit_rules__var_log_faillock
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /var/log/faillock -p wa -k logins$'
@@ -1191,7 +1143,7 @@
notify: auditd_restart
when: rhel8STIG_stigrule_230466_Manage
# R-230467 RHEL-08-030600
- name : stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
- name: stigrule_230467__etc_audit_rules_d_audit_rules__var_log_lastlog
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /var/log/lastlog -p wa -k logins$'
@@ -1314,7 +1266,7 @@
when: rhel8STIG_stigrule_230505_Manage
# R-230506 RHEL-08-040110
- name: check if wireless network adapters are disabled
shell: "[[ $(nmcli radio wifi) == 'enabled' ]]"
shell: "[[ $(nmcli radio wifi) == 'enabled' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1348,20 +1300,40 @@
- name: stigrule_230527_RekeyLimit
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)RekeyLimit\s+'
regexp: '(?i)^\s*RekeyLimit\s+'
line: "{{ rhel8STIG_stigrule_230527_RekeyLimit_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_230527_Manage
- "'openssh-server' in packages"
# R-230529 RHEL-08-040170
- name: stigrule_230529_systemctl_mask_ctrl_alt_del_target
systemd:
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_disable
systemd_service:
name: ctrl-alt-del.target
enabled: no
masked: yes
enabled: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled }}"
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230529 RHEL-08-040170
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_mask
systemd_service:
name: ctrl-alt-del.target
masked: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked }}"
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230531 RHEL-08-040172
- name: stigrule_230531__etc_systemd_system_conf
ini_file:
@@ -1382,7 +1354,7 @@
when: rhel8STIG_stigrule_230533_Manage
# R-230535 RHEL-08-040210
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1410,7 +1382,7 @@
- rhel8STIG_stigrule_230537_Manage
# R-230538 RHEL-08-040240
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1424,7 +1396,7 @@
- cmd_result.rc == 0
# R-230539 RHEL-08-040250
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1445,7 +1417,7 @@
- rhel8STIG_stigrule_230540_Manage
# R-230540 RHEL-08-040260
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1459,7 +1431,7 @@
- cmd_result.rc == 0
# R-230541 RHEL-08-040261
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1473,7 +1445,7 @@
- cmd_result.rc == 0
# R-230542 RHEL-08-040262
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1494,7 +1466,7 @@
- rhel8STIG_stigrule_230543_Manage
# R-230544 RHEL-08-040280
- name: check if ipv6 is enabled
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
shell: "[[ $(cat /sys/module/ipv6/parameters/disable) == '0' ]]"
changed_when: False
check_mode: no
register: cmd_result
@@ -1569,7 +1541,7 @@
- name: stigrule_230555_X11Forwarding
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11Forwarding\s+'
regexp: '(?i)^\s*X11Forwarding\s+'
line: "{{ rhel8STIG_stigrule_230555_X11Forwarding_Line }}"
notify: ssh_restart
when:
@@ -1579,7 +1551,7 @@
- name: stigrule_230556_X11UseLocalhost
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)X11UseLocalhost\s+'
regexp: '(?i)^\s*X11UseLocalhost\s+'
line: "{{ rhel8STIG_stigrule_230556_X11UseLocalhost_Line }}"
notify: ssh_restart
when:
@@ -1635,12 +1607,22 @@
- name: stigrule_244525_ClientAliveInterval
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)ClientAliveInterval\s+'
regexp: '(?i)^\s*ClientAliveInterval\s+'
line: "{{ rhel8STIG_stigrule_244525_ClientAliveInterval_Line }}"
notify: ssh_restart
when:
- rhel8STIG_stigrule_244525_Manage
- "'openssh-server' in packages"
# R-244526 RHEL-08-010287
- name: stigrule_244526__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_244526_Manage
# R-244527 RHEL-08-010472
- name: stigrule_244527_rng_tools
yum:
@@ -1651,7 +1633,7 @@
- name: stigrule_244528_GSSAPIAuthentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^\s*(?i)GSSAPIAuthentication\s+'
regexp: '(?i)^\s*GSSAPIAuthentication\s+'
line: "{{ rhel8STIG_stigrule_244528_GSSAPIAuthentication_Line }}"
notify: ssh_restart
when:
@@ -1681,18 +1663,13 @@
when:
- rhel8STIG_stigrule_244536_Manage
- "'dconf' in packages"
# R-244537 RHEL-08-020039
- name: stigrule_244537_tmux
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_244537_tmux_State }}"
when: rhel8STIG_stigrule_244537_Manage
# R-244538 RHEL-08-020081
- name: stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244538_Manage
# R-244539 RHEL-08-020082
@@ -1701,6 +1678,7 @@
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244539_Manage
# R-244542 RHEL-08-030181
@@ -1798,3 +1776,9 @@
create: yes
when:
- rhel8STIG_stigrule_244554_Manage
# R-256974 RHEL-08-010358
- name: stigrule_256974_mailx
yum:
name: mailx
state: "{{ rhel8STIG_stigrule_256974_mailx_State }}"
when: rhel8STIG_stigrule_256974_Manage

86
collections/ansible_collections/demo/compliance/roles/rhel9STIG/callback_plugins/stig_xml.py Normal file
View File

@@ -0,0 +1,86 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
from time import gmtime, strftime
import platform
import tempfile
import re
import sys
import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
else:
rev = '0'
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
if m:
nid = m.group('id')
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
f.write(pretty)

984
collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml Normal file
View File

@@ -0,0 +1,984 @@
# R-257779 RHEL-09-211020
rhel9STIG_stigrule_257779_Manage: True
rhel9STIG_stigrule_257779__etc_issue_Dest: /etc/issue
rhel9STIG_stigrule_257779__etc_issue_Content: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
'
# R-257783 RHEL-09-211040
rhel9STIG_stigrule_257783_Manage: True
rhel9STIG_stigrule_257783_systemd_journald_enable_Enabled: yes
rhel9STIG_stigrule_257783_systemd_journald_start_State: started
# R-257784 RHEL-09-211045
rhel9STIG_stigrule_257784_Manage: True
rhel9STIG_stigrule_257784__etc_systemd_system_conf_Value: 'none'
# R-257785 RHEL-09-211050
rhel9STIG_stigrule_257785_Manage: True
rhel9STIG_stigrule_257785_ctrl_alt_del_target_disable_Enabled: false
rhel9STIG_stigrule_257785_ctrl_alt_del_target_mask_Masked: true
# R-257786 RHEL-09-211055
rhel9STIG_stigrule_257786_Manage: True
rhel9STIG_stigrule_257786_debug_shell_service_disable_Enabled: false
rhel9STIG_stigrule_257786_debug_shell_service_mask_Masked: true
# R-257790 RHEL-09-212025
rhel9STIG_stigrule_257790_Manage: True
rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Dest: /boot/grub2/grub.cfg
rhel9STIG_stigrule_257790__boot_grub2_grub_cfg_group_owner_Group: root
# R-257791 RHEL-09-212030
rhel9STIG_stigrule_257791_Manage: True
rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Dest: /boot/grub2/grub.cfg
rhel9STIG_stigrule_257791__boot_grub2_grub_cfg_owner_Owner: root
# R-257797 RHEL-09-213010
rhel9STIG_stigrule_257797_Manage: True
rhel9STIG_stigrule_257797_kernel_dmesg_restrict_Value: 1
rhel9STIG_stigrule_257797_kernel_dmesg_restrict_File: /etc/sysctl.d/99-sysctl.conf
# R-257798 RHEL-09-213015
rhel9STIG_stigrule_257798_Manage: True
rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_Value: 2
rhel9STIG_stigrule_257798_kernel_perf_event_paranoid_File: /etc/sysctl.d/99-sysctl.conf
# R-257799 RHEL-09-213020
rhel9STIG_stigrule_257799_Manage: True
rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_Value: 1
rhel9STIG_stigrule_257799_kernel_kexec_load_disabled_File: /etc/sysctl.d/99-sysctl.conf
# R-257800 RHEL-09-213025
rhel9STIG_stigrule_257800_Manage: True
rhel9STIG_stigrule_257800_kernel_kptr_restrict_Value: 1
rhel9STIG_stigrule_257800_kernel_kptr_restrict_File: /etc/sysctl.d/99-sysctl.conf
# R-257801 RHEL-09-213030
rhel9STIG_stigrule_257801_Manage: True
rhel9STIG_stigrule_257801_fs_protected_hardlinks_Value: 1
rhel9STIG_stigrule_257801_fs_protected_hardlinks_File: /etc/sysctl.d/99-sysctl.conf
# R-257802 RHEL-09-213035
rhel9STIG_stigrule_257802_Manage: True
rhel9STIG_stigrule_257802_fs_protected_symlinks_Value: 1
rhel9STIG_stigrule_257802_fs_protected_symlinks_File: /etc/sysctl.d/99-sysctl.conf
# R-257803 RHEL-09-213040
rhel9STIG_stigrule_257803_Manage: True
rhel9STIG_stigrule_257803_kernel_core_pattern_Value: '|/bin/false'
rhel9STIG_stigrule_257803_kernel_core_pattern_File: /etc/sysctl.d/99-sysctl.conf
# R-257804 RHEL-09-213045
rhel9STIG_stigrule_257804_Manage: True
rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_install_atm__bin_false_Line: 'install atm /bin/false'
rhel9STIG_stigrule_257804__etc_modprobe_d_atm_conf_blacklist_atm_Line: 'blacklist atm'
# R-257805 RHEL-09-213050
rhel9STIG_stigrule_257805_Manage: True
rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_install_can__bin_false_Line: 'install can /bin/false'
rhel9STIG_stigrule_257805__etc_modprobe_d_can_conf_blacklist_can_Line: 'blacklist can'
# R-257806 RHEL-09-213055
rhel9STIG_stigrule_257806_Manage: True
rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_install_firewire_core__bin_false_Line: 'install firewire-core /bin/false'
rhel9STIG_stigrule_257806__etc_modprobe_d_firewire_core_conf_blacklist_firewire_core_Line: 'blacklist firewire-core'
# R-257807 RHEL-09-213060
rhel9STIG_stigrule_257807_Manage: True
rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_install_sctp__bin_false_Line: 'install sctp /bin/false'
rhel9STIG_stigrule_257807__etc_modprobe_d_sctp_conf_blacklist_sctp_Line: 'blacklist sctp'
# R-257808 RHEL-09-213065
rhel9STIG_stigrule_257808_Manage: True
rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_install_tipc__bin_false_Line: 'install tipc /bin/false'
rhel9STIG_stigrule_257808__etc_modprobe_d_tipc_conf_blacklist_tipc_Line: 'blacklist tipc'
# R-257809 RHEL-09-213070
rhel9STIG_stigrule_257809_Manage: True
rhel9STIG_stigrule_257809_kernel_randomize_va_space_Value: 2
rhel9STIG_stigrule_257809_kernel_randomize_va_space_File: /etc/sysctl.d/99-sysctl.conf
# R-257810 RHEL-09-213075
rhel9STIG_stigrule_257810_Manage: True
rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_Value: 1
rhel9STIG_stigrule_257810_kernel_unprivileged_bpf_disabled_File: /etc/sysctl.d/99-sysctl.conf
# R-257811 RHEL-09-213080
rhel9STIG_stigrule_257811_Manage: True
rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_Value: 1
rhel9STIG_stigrule_257811_kernel_yama_ptrace_scope_File: /etc/sysctl.d/99-sysctl.conf
# R-257812 RHEL-09-213085
rhel9STIG_stigrule_257812_Manage: True
rhel9STIG_stigrule_257812__etc_systemd_coredump_conf_Line: 'ProcessSizeMax=0'
# R-257813 RHEL-09-213090
rhel9STIG_stigrule_257813_Manage: True
rhel9STIG_stigrule_257813__etc_systemd_coredump_conf_Line: 'Storage=none'
# R-257814 RHEL-09-213095
rhel9STIG_stigrule_257814_Manage: True
rhel9STIG_stigrule_257814__etc_security_limits_conf_Line: '* hard core 0'
# R-257815 RHEL-09-213100
rhel9STIG_stigrule_257815_Manage: True
rhel9STIG_stigrule_257815_systemd_coredump_socket_disable_Enabled: false
rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Daemon_Reload: true
rhel9STIG_stigrule_257815_systemd_coredump_socket_mask_Masked: true
# R-257816 RHEL-09-213105
rhel9STIG_stigrule_257816_Manage: True
rhel9STIG_stigrule_257816_user_max_user_namespaces_Value: 0
rhel9STIG_stigrule_257816_user_max_user_namespaces_File: /etc/sysctl.d/99-sysctl.conf
# R-257818 RHEL-09-213115
rhel9STIG_stigrule_257818_Manage: True
rhel9STIG_stigrule_257818_kdump_disable_Enabled: false
rhel9STIG_stigrule_257818_kdump_mask_Masked: true
# R-257820 RHEL-09-214015
rhel9STIG_stigrule_257820_Manage: True
rhel9STIG_stigrule_257820__etc_dnf_dnf_conf_Value: '1'
# R-257821 RHEL-09-214020
rhel9STIG_stigrule_257821_Manage: True
rhel9STIG_stigrule_257821__etc_dnf_dnf_conf_Value: '1'
# R-257824 RHEL-09-214035
rhel9STIG_stigrule_257824_Manage: True
rhel9STIG_stigrule_257824__etc_dnf_dnf_conf_Value: '1'
# R-257825 RHEL-09-215010
rhel9STIG_stigrule_257825_Manage: True
rhel9STIG_stigrule_257825_subscription_manager_State: installed
# R-257827 RHEL-09-215020
rhel9STIG_stigrule_257827_Manage: True
rhel9STIG_stigrule_257827_sendmail_State: removed
# R-257828 RHEL-09-215025
rhel9STIG_stigrule_257828_Manage: True
rhel9STIG_stigrule_257828_nfs_utils_State: removed
# R-257829 RHEL-09-215030
rhel9STIG_stigrule_257829_Manage: True
rhel9STIG_stigrule_257829_ypserv_State: removed
# R-257830 RHEL-09-215035
rhel9STIG_stigrule_257830_Manage: True
rhel9STIG_stigrule_257830_rsh_server_State: removed
# R-257831 RHEL-09-215040
rhel9STIG_stigrule_257831_Manage: True
rhel9STIG_stigrule_257831_telnet_server_State: removed
# R-257832 RHEL-09-215045
rhel9STIG_stigrule_257832_Manage: True
rhel9STIG_stigrule_257832_gssproxy_State: removed
# R-257833 RHEL-09-215050
rhel9STIG_stigrule_257833_Manage: True
rhel9STIG_stigrule_257833_iprutils_State: removed
# R-257834 RHEL-09-215055
rhel9STIG_stigrule_257834_Manage: True
rhel9STIG_stigrule_257834_tuned_State: removed
# R-257835 RHEL-09-215060
rhel9STIG_stigrule_257835_Manage: True
rhel9STIG_stigrule_257835_tftp_server_State: removed
# R-257836 RHEL-09-215065
rhel9STIG_stigrule_257836_Manage: True
rhel9STIG_stigrule_257836_quagga_State: removed
# R-257838 RHEL-09-215075
rhel9STIG_stigrule_257838_Manage: True
rhel9STIG_stigrule_257838_openssl_pkcs11_State: installed
# R-257839 RHEL-09-215080
rhel9STIG_stigrule_257839_Manage: True
rhel9STIG_stigrule_257839_gnutls_utils_State: installed
# R-257840 RHEL-09-215085
rhel9STIG_stigrule_257840_Manage: True
rhel9STIG_stigrule_257840_nss_tools_State: installed
# R-257841 RHEL-09-215090
rhel9STIG_stigrule_257841_Manage: True
rhel9STIG_stigrule_257841_rng_tools_State: installed
# R-257842 RHEL-09-215095
rhel9STIG_stigrule_257842_Manage: True
rhel9STIG_stigrule_257842_s_nail_State: installed
# R-257849 RHEL-09-231040
rhel9STIG_stigrule_257849_Manage: True
rhel9STIG_stigrule_257849_autofs_service_disable_Enabled: false
rhel9STIG_stigrule_257849_autofs_service_mask_Masked: true
# R-257880 RHEL-09-231195
rhel9STIG_stigrule_257880_Manage: True
rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_install_cramfs__bin_false_Line: 'install cramfs /bin/false'
rhel9STIG_stigrule_257880__etc_modprobe_d_cramfs_conf_blacklist_cramfs_Line: 'blacklist cramfs'
# R-257885 RHEL-09-232025
rhel9STIG_stigrule_257885_Manage: True
rhel9STIG_stigrule_257885__var_log_mode_Dest: /var/log
rhel9STIG_stigrule_257885__var_log_mode_Mode: '0755'
# R-257886 RHEL-09-232030
rhel9STIG_stigrule_257886_Manage: True
rhel9STIG_stigrule_257886__var_log_messages_mode_Dest: /var/log/messages
rhel9STIG_stigrule_257886__var_log_messages_mode_Mode: '0640'
# R-257891 RHEL-09-232055
rhel9STIG_stigrule_257891_Manage: True
rhel9STIG_stigrule_257891__etc_group_mode_Dest: /etc/group
rhel9STIG_stigrule_257891__etc_group_mode_Mode: '0644'
# R-257892 RHEL-09-232060
rhel9STIG_stigrule_257892_Manage: True
rhel9STIG_stigrule_257892__etc_group__mode_Dest: /etc/group-
rhel9STIG_stigrule_257892__etc_group__mode_Mode: '0644'
# R-257893 RHEL-09-232065
rhel9STIG_stigrule_257893_Manage: True
rhel9STIG_stigrule_257893__etc_gshadow_mode_Dest: /etc/gshadow
rhel9STIG_stigrule_257893__etc_gshadow_mode_Mode: '0000'
# R-257894 RHEL-09-232070
rhel9STIG_stigrule_257894_Manage: True
rhel9STIG_stigrule_257894__etc_gshadow__mode_Dest: /etc/gshadow-
rhel9STIG_stigrule_257894__etc_gshadow__mode_Mode: '0000'
# R-257895 RHEL-09-232075
rhel9STIG_stigrule_257895_Manage: True
rhel9STIG_stigrule_257895__etc_passwd_mode_Dest: /etc/passwd
rhel9STIG_stigrule_257895__etc_passwd_mode_Mode: '0644'
# R-257896 RHEL-09-232080
rhel9STIG_stigrule_257896_Manage: True
rhel9STIG_stigrule_257896__etc_passwd__mode_Dest: /etc/passwd-
rhel9STIG_stigrule_257896__etc_passwd__mode_Mode: '0644'
# R-257897 RHEL-09-232085
rhel9STIG_stigrule_257897_Manage: True
rhel9STIG_stigrule_257897__etc_shadow__mode_Dest: /etc/shadow-
rhel9STIG_stigrule_257897__etc_shadow__mode_Mode: '0000'
# R-257898 RHEL-09-232090
rhel9STIG_stigrule_257898_Manage: True
rhel9STIG_stigrule_257898__etc_group_owner_Dest: /etc/group
rhel9STIG_stigrule_257898__etc_group_owner_Owner: root
# R-257899 RHEL-09-232095
rhel9STIG_stigrule_257899_Manage: True
rhel9STIG_stigrule_257899__etc_group_group_owner_Dest: /etc/group
rhel9STIG_stigrule_257899__etc_group_group_owner_Group: root
# R-257900 RHEL-09-232100
rhel9STIG_stigrule_257900_Manage: True
rhel9STIG_stigrule_257900__etc_group__owner_Dest: /etc/group-
rhel9STIG_stigrule_257900__etc_group__owner_Owner: root
# R-257901 RHEL-09-232105
rhel9STIG_stigrule_257901_Manage: True
rhel9STIG_stigrule_257901__etc_group__group_owner_Dest: /etc/group-
rhel9STIG_stigrule_257901__etc_group__group_owner_Group: root
# R-257902 RHEL-09-232110
rhel9STIG_stigrule_257902_Manage: True
rhel9STIG_stigrule_257902__etc_gshadow_owner_Dest: /etc/gshadow
rhel9STIG_stigrule_257902__etc_gshadow_owner_Owner: root
# R-257903 RHEL-09-232115
rhel9STIG_stigrule_257903_Manage: True
rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Dest: /etc/gshadow
rhel9STIG_stigrule_257903__etc_gshadow_group_owner_Group: root
# R-257904 RHEL-09-232120
rhel9STIG_stigrule_257904_Manage: True
rhel9STIG_stigrule_257904__etc_gshadow__owner_Dest: /etc/gshadow-
rhel9STIG_stigrule_257904__etc_gshadow__owner_Owner: root
# R-257905 RHEL-09-232125
rhel9STIG_stigrule_257905_Manage: True
rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Dest: /etc/gshadow-
rhel9STIG_stigrule_257905__etc_gshadow__group_owner_Group: root
# R-257906 RHEL-09-232130
rhel9STIG_stigrule_257906_Manage: True
rhel9STIG_stigrule_257906__etc_passwd_owner_Dest: /etc/passwd
rhel9STIG_stigrule_257906__etc_passwd_owner_Owner: root
# R-257907 RHEL-09-232135
rhel9STIG_stigrule_257907_Manage: True
rhel9STIG_stigrule_257907__etc_passwd_group_owner_Dest: /etc/passwd
rhel9STIG_stigrule_257907__etc_passwd_group_owner_Group: root
# R-257908 RHEL-09-232140
rhel9STIG_stigrule_257908_Manage: True
rhel9STIG_stigrule_257908__etc_passwd__owner_Dest: /etc/passwd-
rhel9STIG_stigrule_257908__etc_passwd__owner_Owner: root
# R-257909 RHEL-09-232145
rhel9STIG_stigrule_257909_Manage: True
rhel9STIG_stigrule_257909__etc_passwd__group_owner_Dest: /etc/passwd-
rhel9STIG_stigrule_257909__etc_passwd__group_owner_Group: root
# R-257910 RHEL-09-232150
rhel9STIG_stigrule_257910_Manage: True
rhel9STIG_stigrule_257910__etc_shadow_owner_Dest: /etc/shadow
rhel9STIG_stigrule_257910__etc_shadow_owner_Owner: root
# R-257911 RHEL-09-232155
rhel9STIG_stigrule_257911_Manage: True
rhel9STIG_stigrule_257911__etc_shadow_group_owner_Dest: /etc/shadow
rhel9STIG_stigrule_257911__etc_shadow_group_owner_Group: root
# R-257912 RHEL-09-232160
rhel9STIG_stigrule_257912_Manage: True
rhel9STIG_stigrule_257912__etc_shadow__owner_Dest: /etc/shadow-
rhel9STIG_stigrule_257912__etc_shadow__owner_Owner: root
# R-257913 RHEL-09-232165
rhel9STIG_stigrule_257913_Manage: True
rhel9STIG_stigrule_257913__etc_shadow__group_owner_Dest: /etc/shadow-
rhel9STIG_stigrule_257913__etc_shadow__group_owner_Group: root
# R-257914 RHEL-09-232170
rhel9STIG_stigrule_257914_Manage: True
rhel9STIG_stigrule_257914__var_log_owner_Dest: /var/log
rhel9STIG_stigrule_257914__var_log_owner_Owner: root
# R-257915 RHEL-09-232175
rhel9STIG_stigrule_257915_Manage: True
rhel9STIG_stigrule_257915__var_log_group_owner_Dest: /var/log
rhel9STIG_stigrule_257915__var_log_group_owner_Group: root
# R-257916 RHEL-09-232180
rhel9STIG_stigrule_257916_Manage: True
rhel9STIG_stigrule_257916__var_log_messages_owner_Dest: /var/log/messages
rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
# R-257917 RHEL-09-232185
rhel9STIG_stigrule_257917_Manage: True
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
# R-257934 RHEL-09-232270
rhel9STIG_stigrule_257934_Manage: True
rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
rhel9STIG_stigrule_257934__etc_shadow_mode_Mode: '0000'
# R-257935 RHEL-09-251010
rhel9STIG_stigrule_257935_Manage: True
rhel9STIG_stigrule_257935_firewalld_State: installed
# R-257936 RHEL-09-251015
rhel9STIG_stigrule_257936_Manage: True
rhel9STIG_stigrule_257936_firewalld_enable_Enabled: yes
rhel9STIG_stigrule_257936_firewalld_start_State: started
# R-257939 RHEL-09-251030
rhel9STIG_stigrule_257939_Manage: True
rhel9STIG_stigrule_257939__etc_firewalld_firewalld_conf_Line: 'FirewallBackend=nftables'
# R-257942 RHEL-09-251045
rhel9STIG_stigrule_257942_Manage: True
rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_Value: 2
rhel9STIG_stigrule_257942_net_core_bpf_jit_harden_File: /etc/sysctl.d/99-sysctl.conf
# R-257943 RHEL-09-252010
rhel9STIG_stigrule_257943_Manage: True
rhel9STIG_stigrule_257943_chrony_State: installed
# R-257944 RHEL-09-252015
rhel9STIG_stigrule_257944_Manage: True
rhel9STIG_stigrule_257944_chronyd_enable_Enabled: yes
rhel9STIG_stigrule_257944_chronyd_start_State: started
# R-257946 RHEL-09-252025
rhel9STIG_stigrule_257946_Manage: True
rhel9STIG_stigrule_257946__etc_chrony_conf_Line: 'port 0'
# R-257947 RHEL-09-252030
rhel9STIG_stigrule_257947_Manage: True
rhel9STIG_stigrule_257947__etc_chrony_conf_Line: 'cmdport 0'
# R-257949 RHEL-09-252040
rhel9STIG_stigrule_257949_Manage: True
rhel9STIG_stigrule_257949__etc_NetworkManager_NetworkManager_conf_Value: 'none'
# R-257954 RHEL-09-252065
rhel9STIG_stigrule_257954_Manage: True
rhel9STIG_stigrule_257954_libreswan_State: installed
# R-257957 RHEL-09-253010
rhel9STIG_stigrule_257957_Manage: True
rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_Value: 1
rhel9STIG_stigrule_257957_net_ipv4_tcp_syncookies_File: /etc/sysctl.d/99-sysctl.conf
# R-257958 RHEL-09-253015
rhel9STIG_stigrule_257958_Manage: True
rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_Value: 0
rhel9STIG_stigrule_257958_net_ipv4_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257959 RHEL-09-253020
rhel9STIG_stigrule_257959_Manage: True
rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_Value: 0
rhel9STIG_stigrule_257959_net_ipv4_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257960 RHEL-09-253025
rhel9STIG_stigrule_257960_Manage: True
rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_Value: 1
rhel9STIG_stigrule_257960_net_ipv4_conf_all_log_martians_File: /etc/sysctl.d/99-sysctl.conf
# R-257961 RHEL-09-253030
rhel9STIG_stigrule_257961_Manage: True
rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_Value: 1
rhel9STIG_stigrule_257961_net_ipv4_conf_default_log_martians_File: /etc/sysctl.d/99-sysctl.conf
# R-257962 RHEL-09-253035
rhel9STIG_stigrule_257962_Manage: True
rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_Value: 1
rhel9STIG_stigrule_257962_net_ipv4_conf_all_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
# R-257963 RHEL-09-253040
rhel9STIG_stigrule_257963_Manage: True
rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_Value: 0
rhel9STIG_stigrule_257963_net_ipv4_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257964 RHEL-09-253045
rhel9STIG_stigrule_257964_Manage: True
rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_Value: 0
rhel9STIG_stigrule_257964_net_ipv4_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257965 RHEL-09-253050
rhel9STIG_stigrule_257965_Manage: True
rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_Value: 1
rhel9STIG_stigrule_257965_net_ipv4_conf_default_rp_filter_File: /etc/sysctl.d/99-sysctl.conf
# R-257966 RHEL-09-253055
rhel9STIG_stigrule_257966_Manage: True
rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_Value: 1
rhel9STIG_stigrule_257966_net_ipv4_icmp_echo_ignore_broadcasts_File: /etc/sysctl.d/99-sysctl.conf
# R-257967 RHEL-09-253060
rhel9STIG_stigrule_257967_Manage: True
rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_Value: 1
rhel9STIG_stigrule_257967_net_ipv4_icmp_ignore_bogus_error_responses_File: /etc/sysctl.d/99-sysctl.conf
# R-257968 RHEL-09-253065
rhel9STIG_stigrule_257968_Manage: True
rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_Value: 0
rhel9STIG_stigrule_257968_net_ipv4_conf_all_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257969 RHEL-09-253070
rhel9STIG_stigrule_257969_Manage: True
rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_Value: 0
rhel9STIG_stigrule_257969_net_ipv4_conf_default_send_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257970 RHEL-09-253075
rhel9STIG_stigrule_257970_Manage: True
rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_Value: 0
rhel9STIG_stigrule_257970_net_ipv4_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
# R-257971 RHEL-09-254010
rhel9STIG_stigrule_257971_Manage: True
rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_Value: 0
rhel9STIG_stigrule_257971_net_ipv6_conf_all_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
# R-257972 RHEL-09-254015
rhel9STIG_stigrule_257972_Manage: True
rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_Value: 0
rhel9STIG_stigrule_257972_net_ipv6_conf_all_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257973 RHEL-09-254020
rhel9STIG_stigrule_257973_Manage: True
rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_Value: 0
rhel9STIG_stigrule_257973_net_ipv6_conf_all_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257974 RHEL-09-254025
rhel9STIG_stigrule_257974_Manage: True
rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_Value: 0
rhel9STIG_stigrule_257974_net_ipv6_conf_all_forwarding_File: /etc/sysctl.d/99-sysctl.conf
# R-257975 RHEL-09-254030
rhel9STIG_stigrule_257975_Manage: True
rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_Value: 0
rhel9STIG_stigrule_257975_net_ipv6_conf_default_accept_ra_File: /etc/sysctl.d/99-sysctl.conf
# R-257976 RHEL-09-254035
rhel9STIG_stigrule_257976_Manage: True
rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_Value: 0
rhel9STIG_stigrule_257976_net_ipv6_conf_default_accept_redirects_File: /etc/sysctl.d/99-sysctl.conf
# R-257977 RHEL-09-254040
rhel9STIG_stigrule_257977_Manage: True
rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_Value: 0
rhel9STIG_stigrule_257977_net_ipv6_conf_default_accept_source_route_File: /etc/sysctl.d/99-sysctl.conf
# R-257978 RHEL-09-255010
rhel9STIG_stigrule_257978_Manage: True
rhel9STIG_stigrule_257978_openssh_server_State: installed
# R-257979 RHEL-09-255015
rhel9STIG_stigrule_257979_Manage: True
rhel9STIG_stigrule_257979_sshd_enable_Enabled: yes
rhel9STIG_stigrule_257979_sshd_start_State: started
# R-257980 RHEL-09-255020
rhel9STIG_stigrule_257980_Manage: True
rhel9STIG_stigrule_257980_openssh_clients_State: installed
# R-257981 RHEL-09-255025
rhel9STIG_stigrule_257981_Manage: True
rhel9STIG_stigrule_257981_Banner_Line: Banner /etc/issue
# R-257982 RHEL-09-255030
rhel9STIG_stigrule_257982_Manage: True
rhel9STIG_stigrule_257982_LogLevel_Line: LogLevel VERBOSE
# R-257983 RHEL-09-255035
rhel9STIG_stigrule_257983_Manage: True
rhel9STIG_stigrule_257983_PubkeyAuthentication_Line: PubkeyAuthentication yes
# R-257984 RHEL-09-255040
rhel9STIG_stigrule_257984_Manage: True
rhel9STIG_stigrule_257984_PermitEmptyPasswords_Line: PermitEmptyPasswords no
# R-257985 RHEL-09-255045
rhel9STIG_stigrule_257985_Manage: True
rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
# R-257986 RHEL-09-255050
rhel9STIG_stigrule_257986_Manage: True
rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
# R-257992 RHEL-09-255080
rhel9STIG_stigrule_257992_Manage: True
rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
# R-257993 RHEL-09-255085
rhel9STIG_stigrule_257993_Manage: True
rhel9STIG_stigrule_257993_PermitUserEnvironment_Line: PermitUserEnvironment no
# R-257994 RHEL-09-255090
rhel9STIG_stigrule_257994_Manage: True
rhel9STIG_stigrule_257994_RekeyLimit_Line: RekeyLimit 1G 1h
# R-257995 RHEL-09-255095
rhel9STIG_stigrule_257995_Manage: True
rhel9STIG_stigrule_257995_ClientAliveCountMax_Line: ClientAliveCountMax 1
# R-257996 RHEL-09-255100
rhel9STIG_stigrule_257996_Manage: True
rhel9STIG_stigrule_257996_ClientAliveInterval_Line: ClientAliveInterval 600
# R-257997 RHEL-09-255105
rhel9STIG_stigrule_257997_Manage: True
rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257997__etc_ssh_sshd_config_group_owner_Group: root
# R-257998 RHEL-09-255110
rhel9STIG_stigrule_257998_Manage: True
rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257998__etc_ssh_sshd_config_owner_Owner: root
# R-257999 RHEL-09-255115
rhel9STIG_stigrule_257999_Manage: True
rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Dest: /etc/ssh/sshd_config
rhel9STIG_stigrule_257999__etc_ssh_sshd_config_mode_Mode: '0600'
# R-258002 RHEL-09-255130
rhel9STIG_stigrule_258002_Manage: True
rhel9STIG_stigrule_258002_Compression_Line: Compression no
# R-258003 RHEL-09-255135
rhel9STIG_stigrule_258003_Manage: True
rhel9STIG_stigrule_258003_GSSAPIAuthentication_Line: GSSAPIAuthentication no
# R-258004 RHEL-09-255140
rhel9STIG_stigrule_258004_Manage: True
rhel9STIG_stigrule_258004_KerberosAuthentication_Line: KerberosAuthentication no
# R-258005 RHEL-09-255145
rhel9STIG_stigrule_258005_Manage: True
rhel9STIG_stigrule_258005_IgnoreRhosts_Line: IgnoreRhosts yes
# R-258006 RHEL-09-255150
rhel9STIG_stigrule_258006_Manage: True
rhel9STIG_stigrule_258006_IgnoreUserKnownHosts_Line: IgnoreUserKnownHosts yes
# R-258007 RHEL-09-255155
rhel9STIG_stigrule_258007_Manage: True
rhel9STIG_stigrule_258007_X11Forwarding_Line: X11Forwarding no
# R-258008 RHEL-09-255160
rhel9STIG_stigrule_258008_Manage: True
rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
# R-258009 RHEL-09-255165
rhel9STIG_stigrule_258009_Manage: True
rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
# R-258011 RHEL-09-255175
rhel9STIG_stigrule_258011_Manage: True
rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
# R-258012 RHEL-09-271010
rhel9STIG_stigrule_258012_Manage: True
rhel9STIG_stigrule_258012__etc_dconf_db_local_d_01_banner_message_Value: 'true'
# R-258013 RHEL-09-271015
rhel9STIG_stigrule_258013_Manage: True
rhel9STIG_stigrule_258013__etc_dconf_db_local_d_locks_session_banner_message_enable_Line: '/org/gnome/login-screen/banner-message-enable'
# R-258014 RHEL-09-271020
rhel9STIG_stigrule_258014_Manage: True
rhel9STIG_stigrule_258014__etc_dconf_db_local_d_00_security_settings_Value: 'false'
# R-258015 RHEL-09-271025
rhel9STIG_stigrule_258015_Manage: True
rhel9STIG_stigrule_258015__etc_dconf_db_local_d_locks_00_security_settings_lock_automount_open_Line: '/org/gnome/desktop/media-handling/automount-open'
# R-258016 RHEL-09-271030
rhel9STIG_stigrule_258016_Manage: True
rhel9STIG_stigrule_258016__etc_dconf_db_local_d_00_security_settings_Value: 'true'
# R-258017 RHEL-09-271035
rhel9STIG_stigrule_258017_Manage: True
rhel9STIG_stigrule_258017__etc_dconf_db_local_d_locks_00_security_settings_lock_autorun_never_Line: '/org/gnome/desktop/media-handling/autorun-never'
# R-258019 RHEL-09-271045
rhel9STIG_stigrule_258019_Manage: True
rhel9STIG_stigrule_258019__etc_dconf_db_local_d_00_security_settings_Value: "'lock-screen'"
# R-258020 RHEL-09-271050
rhel9STIG_stigrule_258020_Manage: True
rhel9STIG_stigrule_258020__etc_dconf_db_local_d_locks_00_security_settings_lock_removal_action_Line: '/org/gnome/settings-daemon/peripherals/smartcard/removal-action'
# R-258021 RHEL-09-271055
rhel9STIG_stigrule_258021_Manage: True
rhel9STIG_stigrule_258021__etc_dconf_db_local_d_00_screensaver_Value: 'true'
# R-258022 RHEL-09-271060
rhel9STIG_stigrule_258022_Manage: True
rhel9STIG_stigrule_258022__etc_dconf_db_local_d_locks_session_lock_enabled_Line: '/org/gnome/desktop/screensaver/lock-enabled'
# R-258023 RHEL-09-271065
rhel9STIG_stigrule_258023_Manage: True
rhel9STIG_stigrule_258023__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
# R-258024 RHEL-09-271070
rhel9STIG_stigrule_258024_Manage: True
rhel9STIG_stigrule_258024__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'
# R-258025 RHEL-09-271075
rhel9STIG_stigrule_258025_Manage: True
rhel9STIG_stigrule_258025__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
# R-258026 RHEL-09-271080
rhel9STIG_stigrule_258026_Manage: True
rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '/org/gnome/desktop/screensaver/lock-delay'
# R-258027 RHEL-09-271085
rhel9STIG_stigrule_258027_Manage: True
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
# R-258027 RHEL-09-271085
rhel9STIG_stigrule_258027_Manage: True
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
# R-258030 RHEL-09-271100
rhel9STIG_stigrule_258030_Manage: True
rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
# R-258031 RHEL-09-271105
rhel9STIG_stigrule_258031_Manage: True
rhel9STIG_stigrule_258031__etc_dconf_db_local_d_00_security_settings_Value: "['']"
# R-258032 RHEL-09-271110
rhel9STIG_stigrule_258032_Manage: True
rhel9STIG_stigrule_258032__etc_dconf_db_local_d_locks_session_logout_Line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
# R-258033 RHEL-09-271115
rhel9STIG_stigrule_258033_Manage: True
rhel9STIG_stigrule_258033__etc_dconf_db_local_d_02_login_screen_Value: 'true'
# R-258034 RHEL-09-291010
rhel9STIG_stigrule_258034_Manage: True
rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_install_usb_storage__bin_false_Line: 'install usb-storage /bin/false'
rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage_Line: 'blacklist usb-storage'
# R-258035 RHEL-09-291015
rhel9STIG_stigrule_258035_Manage: True
rhel9STIG_stigrule_258035_usbguard_State: installed
rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
rhel9STIG_stigrule_258035_usbguard_start_State: started
# R-258036 RHEL-09-291020
rhel9STIG_stigrule_258036_Manage: True
rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
rhel9STIG_stigrule_258036_usbguard_start_State: started
# R-258037 RHEL-09-291025
rhel9STIG_stigrule_258037_Manage: True
rhel9STIG_stigrule_258037__etc_usbguard_usbguard_daemon_conf_Line: 'AuditBackend=LinuxAudit'
# R-258039 RHEL-09-291035
rhel9STIG_stigrule_258039_Manage: True
rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_install_bluetooth__bin_false_Line: 'install bluetooth /bin/false'
rhel9STIG_stigrule_258039__etc_modprobe_d_bluetooth_conf_blacklist_bluetooth_Line: 'blacklist bluetooth'
# R-258040 RHEL-09-291040
rhel9STIG_stigrule_258040_Manage: True
rhel9STIG_stigrule_258040_nmcli_radio_wifi_off_Command: nmcli radio wifi off
# R-258041 RHEL-09-411010
rhel9STIG_stigrule_258041_Manage: True
rhel9STIG_stigrule_258041__etc_login_defs_Line: 'PASS_MAX_DAYS 60'
# R-258043 RHEL-09-411020
rhel9STIG_stigrule_258043_Manage: True
rhel9STIG_stigrule_258043__etc_login_defs_Line: 'CREATE_HOME yes'
# R-258049 RHEL-09-411050
rhel9STIG_stigrule_258049_Manage: True
rhel9STIG_stigrule_258049_sudo_useradd__D__f_35_Command: sudo useradd -D -f 35
# R-258054 RHEL-09-411075
rhel9STIG_stigrule_258054_Manage: True
rhel9STIG_stigrule_258054__etc_security_faillock_conf_Line: 'deny = 3'
# R-258055 RHEL-09-411080
rhel9STIG_stigrule_258055_Manage: True
rhel9STIG_stigrule_258055__etc_security_faillock_conf_Line: 'even_deny_root'
# R-258056 RHEL-09-411085
rhel9STIG_stigrule_258056_Manage: True
rhel9STIG_stigrule_258056__etc_security_faillock_conf_Line: 'fail_interval = 900'
# R-258057 RHEL-09-411090
rhel9STIG_stigrule_258057_Manage: True
rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
# R-258060 RHEL-09-411105
rhel9STIG_stigrule_258060_Manage: True
rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
# R-258069 RHEL-09-412040
rhel9STIG_stigrule_258069_Manage: True
rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
# R-258070 RHEL-09-412045
rhel9STIG_stigrule_258070_Manage: True
rhel9STIG_stigrule_258070__etc_security_faillock_conf_Line: 'audit'
# R-258071 RHEL-09-412050
rhel9STIG_stigrule_258071_Manage: True
rhel9STIG_stigrule_258071__etc_login_defs_Line: 'FAIL_DELAY 4'
# R-258072 RHEL-09-412055
rhel9STIG_stigrule_258072_Manage: True
rhel9STIG_stigrule_258072__etc_bashrc_Line: 'umask 077'
# R-258073 RHEL-09-412060
rhel9STIG_stigrule_258073_Manage: True
rhel9STIG_stigrule_258073__etc_csh_cshrc_Line: 'umask 077'
# R-258074 RHEL-09-412065
rhel9STIG_stigrule_258074_Manage: True
rhel9STIG_stigrule_258074__etc_login_defs_Line: 'UMASK 077'
# R-258075 RHEL-09-412070
rhel9STIG_stigrule_258075_Manage: True
rhel9STIG_stigrule_258075__etc_profile_Line: 'umask 077'
# R-258078 RHEL-09-431010
rhel9STIG_stigrule_258078_Manage: True
rhel9STIG_stigrule_258078__etc_selinux_config_Line: 'SELINUX=enforcing'
# R-258079 RHEL-09-431015
rhel9STIG_stigrule_258079_Manage: True
rhel9STIG_stigrule_258079__etc_selinux_config_Line: 'SELINUXTYPE=targeted'
# R-258081 RHEL-09-431025
rhel9STIG_stigrule_258081_Manage: True
rhel9STIG_stigrule_258081_policycoreutils_State: installed
# R-258082 RHEL-09-431030
rhel9STIG_stigrule_258082_Manage: True
rhel9STIG_stigrule_258082_policycoreutils_python_utils_State: installed
# R-258083 RHEL-09-432010
rhel9STIG_stigrule_258083_Manage: True
rhel9STIG_stigrule_258083_sudo_State: installed
# R-258084 RHEL-09-432015
rhel9STIG_stigrule_258084_Manage: True
rhel9STIG_stigrule_258084__etc_sudoers_Line: 'Defaults timestamp_timeout=0'
# R-258089 RHEL-09-433010
rhel9STIG_stigrule_258089_Manage: True
rhel9STIG_stigrule_258089_fapolicyd_State: installed
# R-258090 RHEL-09-433015
rhel9STIG_stigrule_258090_Manage: True
rhel9STIG_stigrule_258090_fapolicyd_enable_Enabled: yes
rhel9STIG_stigrule_258090_fapolicyd_start_State: started
# R-258101 RHEL-09-611060
rhel9STIG_stigrule_258101_Manage: True
rhel9STIG_stigrule_258101__etc_security_pwquality_conf_Line: 'enforce_for_root'
# R-258102 RHEL-09-611065
rhel9STIG_stigrule_258102_Manage: True
rhel9STIG_stigrule_258102__etc_security_pwquality_conf_Line: 'lcredit = -1'
# R-258103 RHEL-09-611070
rhel9STIG_stigrule_258103_Manage: True
rhel9STIG_stigrule_258103__etc_security_pwquality_conf_Line: 'dcredit = -1'
# R-258104 RHEL-09-611075
rhel9STIG_stigrule_258104_Manage: True
rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
# R-258107 RHEL-09-611090
rhel9STIG_stigrule_258107_Manage: True
rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
# R-258109 RHEL-09-611100
rhel9STIG_stigrule_258109_Manage: True
rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
# R-258110 RHEL-09-611105
rhel9STIG_stigrule_258110_Manage: True
rhel9STIG_stigrule_258110__etc_security_pwquality_conf_Line: 'dictcheck = 1'
# R-258111 RHEL-09-611110
rhel9STIG_stigrule_258111_Manage: True
rhel9STIG_stigrule_258111__etc_security_pwquality_conf_Line: 'ucredit = -1'
# R-258112 RHEL-09-611115
rhel9STIG_stigrule_258112_Manage: True
rhel9STIG_stigrule_258112__etc_security_pwquality_conf_Line: 'difok = 8'
# R-258113 RHEL-09-611120
rhel9STIG_stigrule_258113_Manage: True
rhel9STIG_stigrule_258113__etc_security_pwquality_conf_Line: 'maxclassrepeat = 4'
# R-258114 RHEL-09-611125
rhel9STIG_stigrule_258114_Manage: True
rhel9STIG_stigrule_258114__etc_security_pwquality_conf_Line: 'maxrepeat = 3'
# R-258115 RHEL-09-611130
rhel9STIG_stigrule_258115_Manage: True
rhel9STIG_stigrule_258115__etc_security_pwquality_conf_Line: 'minclass = 4'
# R-258116 RHEL-09-611135
rhel9STIG_stigrule_258116_Manage: True
rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
# R-258117 RHEL-09-611140
rhel9STIG_stigrule_258117_Manage: True
rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
# R-258121 RHEL-09-611160
rhel9STIG_stigrule_258121_Manage: True
rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
# R-258122 RHEL-09-611165
rhel9STIG_stigrule_258122_Manage: True
rhel9STIG_stigrule_258122__etc_sssd_sssd_conf_Value: 'True'
# R-258124 RHEL-09-611175
rhel9STIG_stigrule_258124_Manage: True
rhel9STIG_stigrule_258124_pcsc_lite_State: installed
# R-258125 RHEL-09-611180
rhel9STIG_stigrule_258125_Manage: True
rhel9STIG_stigrule_258125_pcscd_enable_Enabled: yes
rhel9STIG_stigrule_258125_pcscd_start_State: started
# R-258126 RHEL-09-611185
rhel9STIG_stigrule_258126_Manage: True
rhel9STIG_stigrule_258126_opensc_State: installed
# R-258128 RHEL-09-611195
rhel9STIG_stigrule_258128_Manage: True
rhel9STIG_stigrule_258128__usr_lib_systemd_system_emergency_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell emergency'
# R-258129 RHEL-09-611200
rhel9STIG_stigrule_258129_Manage: True
rhel9STIG_stigrule_258129__usr_lib_systemd_system_rescue_service_Value: '-/usr/lib/systemd/systemd-sulogin-shell rescue'
# R-258133 RHEL-09-631020
rhel9STIG_stigrule_258133_Manage: True
rhel9STIG_stigrule_258133__etc_sssd_sssd_conf_Value: '1'
# R-258140 RHEL-09-652010
rhel9STIG_stigrule_258140_Manage: True
rhel9STIG_stigrule_258140_rsyslog_State: installed
# R-258141 RHEL-09-652015
rhel9STIG_stigrule_258141_Manage: True
rhel9STIG_stigrule_258141_rsyslog_gnutls_State: installed
# R-258142 RHEL-09-652020
rhel9STIG_stigrule_258142_Manage: True
rhel9STIG_stigrule_258142_rsyslog_enable_Enabled: yes
rhel9STIG_stigrule_258142_rsyslog_start_State: started
# R-258144 RHEL-09-652030
rhel9STIG_stigrule_258144_Manage: True
rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
# R-258146 RHEL-09-652040
rhel9STIG_stigrule_258146_Manage: True
rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
# R-258147 RHEL-09-652045
rhel9STIG_stigrule_258147_Manage: True
rhel9STIG_stigrule_258147__etc_rsyslog_conf_Line: '$ActionSendStreamDriverMode 1'
# R-258148 RHEL-09-652050
rhel9STIG_stigrule_258148_Manage: True
rhel9STIG_stigrule_258148__etc_rsyslog_conf_Line: '$DefaultNetstreamDriver gtls'
# R-258150 RHEL-09-652060
rhel9STIG_stigrule_258150_Manage: True
rhel9STIG_stigrule_258150__etc_rsyslog_conf_Line: 'cron.* /var/log/cron'
# R-258151 RHEL-09-653010
rhel9STIG_stigrule_258151_Manage: True
rhel9STIG_stigrule_258151_audit_State: installed
# R-258152 RHEL-09-653015
rhel9STIG_stigrule_258152_Manage: True
rhel9STIG_stigrule_258152_auditd_enable_Enabled: yes
rhel9STIG_stigrule_258152_auditd_start_State: started
# R-258153 RHEL-09-653020
rhel9STIG_stigrule_258153_Manage: True
rhel9STIG_stigrule_258153__etc_audit_auditd_conf_Line: 'disk_error_action = HALT'
# R-258154 RHEL-09-653025
rhel9STIG_stigrule_258154_Manage: True
rhel9STIG_stigrule_258154__etc_audit_auditd_conf_Line: 'disk_full_action = HALT'
# R-258156 RHEL-09-653035
rhel9STIG_stigrule_258156_Manage: True
rhel9STIG_stigrule_258156__etc_audit_auditd_conf_Line: 'space_left = 25%'
# R-258157 RHEL-09-653040
rhel9STIG_stigrule_258157_Manage: True
rhel9STIG_stigrule_258157__etc_audit_auditd_conf_Line: 'space_left_action = email'
# R-258158 RHEL-09-653045
rhel9STIG_stigrule_258158_Manage: True
rhel9STIG_stigrule_258158__etc_audit_auditd_conf_Line: 'admin_space_left = 5%'
# R-258159 RHEL-09-653050
rhel9STIG_stigrule_258159_Manage: True
rhel9STIG_stigrule_258159__etc_audit_auditd_conf_Line: 'admin_space_left_action = single'
# R-258160 RHEL-09-653055
rhel9STIG_stigrule_258160_Manage: True
rhel9STIG_stigrule_258160__etc_audit_auditd_conf_Line: 'max_log_file_action = ROTATE'
# R-258161 RHEL-09-653060
rhel9STIG_stigrule_258161_Manage: True
rhel9STIG_stigrule_258161__etc_audit_auditd_conf_Line: 'name_format = hostname'
# R-258162 RHEL-09-653065
rhel9STIG_stigrule_258162_Manage: True
rhel9STIG_stigrule_258162__etc_audit_auditd_conf_Line: 'overflow_action = syslog'
# R-258163 RHEL-09-653070
rhel9STIG_stigrule_258163_Manage: True
rhel9STIG_stigrule_258163__etc_audit_auditd_conf_Line: 'action_mail_acct = root'
# R-258164 RHEL-09-653075
rhel9STIG_stigrule_258164_Manage: True
rhel9STIG_stigrule_258164__etc_audit_auditd_conf_Line: 'local_events = yes'
# R-258168 RHEL-09-653095
rhel9STIG_stigrule_258168_Manage: True
rhel9STIG_stigrule_258168__etc_audit_auditd_conf_Line: 'freq = 100'
# R-258169 RHEL-09-653100
rhel9STIG_stigrule_258169_Manage: True
rhel9STIG_stigrule_258169__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
# R-258170 RHEL-09-653105
rhel9STIG_stigrule_258170_Manage: True
rhel9STIG_stigrule_258170__etc_audit_auditd_conf_Line: 'write_logs = yes'
# R-258172 RHEL-09-653115
rhel9STIG_stigrule_258172_Manage: True
rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Dest: /etc/audit/auditd.conf
rhel9STIG_stigrule_258172__etc_audit_auditd_conf_mode_Mode: '0640'
# R-258175 RHEL-09-653130
rhel9STIG_stigrule_258175_Manage: True
rhel9STIG_stigrule_258175_audispd_plugins_State: installed
# R-258176 RHEL-09-654010
rhel9STIG_stigrule_258176_Manage: True
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b32_Line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_euid_b64_Line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b32_Line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv'
rhel9STIG_stigrule_258176__etc_audit_rules_d_audit_rules_execve_egid_b64_Line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv'
# R-258177 RHEL-09-654015
rhel9STIG_stigrule_258177_Manage: True
rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b32_Line: '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258177__etc_audit_rules_d_audit_rules_chmod_b64_Line: '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258178 RHEL-09-654020
rhel9STIG_stigrule_258178_Manage: True
rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b32_Line: '-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258178__etc_audit_rules_d_audit_rules_chown_b64_Line: '-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258179 RHEL-09-654025
rhel9STIG_stigrule_258179_Manage: True
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_unset_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_unset_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b32_Line: '-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
rhel9STIG_stigrule_258179__etc_audit_rules_d_audit_rules_lremovexattr_b64_Line: '-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod'
# R-258180 RHEL-09-654030
rhel9STIG_stigrule_258180_Manage: True
rhel9STIG_stigrule_258180__etc_audit_rules_d_audit_rules__usr_bin_umount_Line: '-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
# R-258181 RHEL-09-654035
rhel9STIG_stigrule_258181_Manage: True
rhel9STIG_stigrule_258181__etc_audit_rules_d_audit_rules__usr_bin_chacl_Line: '-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258182 RHEL-09-654040
rhel9STIG_stigrule_258182_Manage: True
rhel9STIG_stigrule_258182__etc_audit_rules_d_audit_rules__usr_bin_setfacl_Line: '-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258183 RHEL-09-654045
rhel9STIG_stigrule_258183_Manage: True
rhel9STIG_stigrule_258183__etc_audit_rules_d_audit_rules__usr_bin_chcon_Line: '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod'
# R-258184 RHEL-09-654050
rhel9STIG_stigrule_258184_Manage: True
rhel9STIG_stigrule_258184__etc_audit_rules_d_audit_rules__usr_sbin_semanage_Line: '-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258185 RHEL-09-654055
rhel9STIG_stigrule_258185_Manage: True
rhel9STIG_stigrule_258185__etc_audit_rules_d_audit_rules__usr_sbin_setfiles_Line: '-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258186 RHEL-09-654060
rhel9STIG_stigrule_258186_Manage: True
rhel9STIG_stigrule_258186__etc_audit_rules_d_audit_rules__usr_sbin_setsebool_Line: '-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged'
# R-258187 RHEL-09-654065
rhel9STIG_stigrule_258187_Manage: True
rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel9STIG_stigrule_258187__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
# R-258188 RHEL-09-654070
rhel9STIG_stigrule_258188_Manage: True
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EPERM_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b32_Line: '-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
rhel9STIG_stigrule_258188__etc_audit_rules_d_audit_rules_truncate_EACCES_b64_Line: '-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access'
# R-258189 RHEL-09-654075
rhel9STIG_stigrule_258189_Manage: True
rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b32_Line: '-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
rhel9STIG_stigrule_258189__etc_audit_rules_d_audit_rules_delete_module_b64_Line: '-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-258190 RHEL-09-654080
rhel9STIG_stigrule_258190_Manage: True
rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b32_Line: '-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
rhel9STIG_stigrule_258190__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-258191 RHEL-09-654085
rhel9STIG_stigrule_258191_Manage: True
rhel9STIG_stigrule_258191__etc_audit_rules_d_audit_rules__usr_bin_chage_Line: '-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage'
# R-258192 RHEL-09-654090
rhel9STIG_stigrule_258192_Manage: True
rhel9STIG_stigrule_258192__etc_audit_rules_d_audit_rules__usr_bin_chsh_Line: '-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258193 RHEL-09-654095
rhel9STIG_stigrule_258193_Manage: True
rhel9STIG_stigrule_258193__etc_audit_rules_d_audit_rules__usr_bin_crontab_Line: '-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab'
# R-258194 RHEL-09-654100
rhel9STIG_stigrule_258194_Manage: True
rhel9STIG_stigrule_258194__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
# R-258195 RHEL-09-654105
rhel9STIG_stigrule_258195_Manage: True
rhel9STIG_stigrule_258195__etc_audit_rules_d_audit_rules__usr_bin_kmod_Line: '-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules'
# R-258196 RHEL-09-654110
rhel9STIG_stigrule_258196_Manage: True
rhel9STIG_stigrule_258196__etc_audit_rules_d_audit_rules__usr_bin_newgrp_Line: '-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258197 RHEL-09-654115
rhel9STIG_stigrule_258197_Manage: True
rhel9STIG_stigrule_258197__etc_audit_rules_d_audit_rules__usr_sbin_pam_timestamp_check_Line: '-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check'
# R-258198 RHEL-09-654120
rhel9STIG_stigrule_258198_Manage: True
rhel9STIG_stigrule_258198__etc_audit_rules_d_audit_rules__usr_bin_passwd_Line: '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd'
# R-258199 RHEL-09-654125
rhel9STIG_stigrule_258199_Manage: True
rhel9STIG_stigrule_258199__etc_audit_rules_d_audit_rules__usr_sbin_postdrop_Line: '-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258200 RHEL-09-654130
rhel9STIG_stigrule_258200_Manage: True
rhel9STIG_stigrule_258200__etc_audit_rules_d_audit_rules__usr_sbin_postqueue_Line: '-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258201 RHEL-09-654135
rhel9STIG_stigrule_258201_Manage: True
rhel9STIG_stigrule_258201__etc_audit_rules_d_audit_rules__usr_bin_ssh_agent_Line: '-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
# R-258202 RHEL-09-654140
rhel9STIG_stigrule_258202_Manage: True
rhel9STIG_stigrule_258202__etc_audit_rules_d_audit_rules__usr_libexec_openssh_ssh_keysign_Line: '-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh'
# R-258203 RHEL-09-654145
rhel9STIG_stigrule_258203_Manage: True
rhel9STIG_stigrule_258203__etc_audit_rules_d_audit_rules__usr_bin_su_Line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change'
# R-258204 RHEL-09-654150
rhel9STIG_stigrule_258204_Manage: True
rhel9STIG_stigrule_258204__etc_audit_rules_d_audit_rules__usr_bin_sudo_Line: '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258205 RHEL-09-654155
rhel9STIG_stigrule_258205_Manage: True
rhel9STIG_stigrule_258205__etc_audit_rules_d_audit_rules__usr_bin_sudoedit_Line: '-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd'
# R-258206 RHEL-09-654160
rhel9STIG_stigrule_258206_Manage: True
rhel9STIG_stigrule_258206__etc_audit_rules_d_audit_rules__usr_sbin_unix_chkpwd_Line: '-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258207 RHEL-09-654165
rhel9STIG_stigrule_258207_Manage: True
rhel9STIG_stigrule_258207__etc_audit_rules_d_audit_rules__usr_sbin_unix_update_Line: '-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258208 RHEL-09-654170
rhel9STIG_stigrule_258208_Manage: True
rhel9STIG_stigrule_258208__etc_audit_rules_d_audit_rules__usr_sbin_userhelper_Line: '-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update'
# R-258209 RHEL-09-654175
rhel9STIG_stigrule_258209_Manage: True
rhel9STIG_stigrule_258209__etc_audit_rules_d_audit_rules__usr_sbin_usermod_Line: '-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod'
# R-258210 RHEL-09-654180
rhel9STIG_stigrule_258210_Manage: True
rhel9STIG_stigrule_258210__etc_audit_rules_d_audit_rules__usr_bin_mount_Line: '-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount'
# R-258211 RHEL-09-654185
rhel9STIG_stigrule_258211_Manage: True
rhel9STIG_stigrule_258211__etc_audit_rules_d_audit_rules__usr_sbin_init_Line: '-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init'
# R-258212 RHEL-09-654190
rhel9STIG_stigrule_258212_Manage: True
rhel9STIG_stigrule_258212__etc_audit_rules_d_audit_rules__usr_sbin_poweroff_Line: '-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff'
# R-258213 RHEL-09-654195
rhel9STIG_stigrule_258213_Manage: True
rhel9STIG_stigrule_258213__etc_audit_rules_d_audit_rules__usr_sbin_reboot_Line: '-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot'
# R-258214 RHEL-09-654200
rhel9STIG_stigrule_258214_Manage: True
rhel9STIG_stigrule_258214__etc_audit_rules_d_audit_rules__usr_sbin_shutdown_Line: '-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown'
# R-258217 RHEL-09-654215
rhel9STIG_stigrule_258217_Manage: True
rhel9STIG_stigrule_258217__etc_audit_rules_d_audit_rules__etc_sudoers_Line: '-w /etc/sudoers -p wa -k identity'
# R-258218 RHEL-09-654220
rhel9STIG_stigrule_258218_Manage: True
rhel9STIG_stigrule_258218__etc_audit_rules_d_audit_rules__etc_sudoers_d__Line: '-w /etc/sudoers.d/ -p wa -k identity'
# R-258219 RHEL-09-654225
rhel9STIG_stigrule_258219_Manage: True
rhel9STIG_stigrule_258219__etc_audit_rules_d_audit_rules__etc_group_Line: '-w /etc/group -p wa -k identity'
# R-258220 RHEL-09-654230
rhel9STIG_stigrule_258220_Manage: True
rhel9STIG_stigrule_258220__etc_audit_rules_d_audit_rules__etc_gshadow_Line: '-w /etc/gshadow -p wa -k identity'
# R-258221 RHEL-09-654235
rhel9STIG_stigrule_258221_Manage: True
rhel9STIG_stigrule_258221__etc_audit_rules_d_audit_rules__etc_security_opasswd_Line: '-w /etc/security/opasswd -p wa -k identity'
# R-258222 RHEL-09-654240
rhel9STIG_stigrule_258222_Manage: True
rhel9STIG_stigrule_258222__etc_audit_rules_d_audit_rules__etc_passwd_Line: '-w /etc/passwd -p wa -k identity'
# R-258223 RHEL-09-654245
rhel9STIG_stigrule_258223_Manage: True
rhel9STIG_stigrule_258223__etc_audit_rules_d_audit_rules__etc_shadow_Line: '-w /etc/shadow -p wa -k identity'
# R-258224 RHEL-09-654250
rhel9STIG_stigrule_258224_Manage: True
rhel9STIG_stigrule_258224__etc_audit_rules_d_audit_rules__var_log_faillock_Line: '-w /var/log/faillock -p wa -k logins'
# R-258225 RHEL-09-654255
rhel9STIG_stigrule_258225_Manage: True
rhel9STIG_stigrule_258225__etc_audit_rules_d_audit_rules__var_log_lastlog_Line: '-w /var/log/lastlog -p wa -k logins'
# R-258226 RHEL-09-654260
rhel9STIG_stigrule_258226_Manage: True
rhel9STIG_stigrule_258226__etc_audit_rules_d_audit_rules__var_log_tallylog_Line: '-w /var/log/tallylog -p wa -k logins'
# R-258227 RHEL-09-654265
rhel9STIG_stigrule_258227_Manage: True
rhel9STIG_stigrule_258227__etc_audit_rules_d_audit_rules_f2_Line: '-f 2'
# R-258228 RHEL-09-654270
rhel9STIG_stigrule_258228_Manage: True
rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line: '--loginuid-immutable'
# R-258229 RHEL-09-654275
rhel9STIG_stigrule_258229_Manage: True
rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
# R-258234 RHEL-09-215100
rhel9STIG_stigrule_258234_Manage: True
rhel9STIG_stigrule_258234_crypto_policies_State: installed
# R-272488 RHEL-09-215101
rhel9STIG_stigrule_272488_Manage: True
rhel9STIG_stigrule_272488_postfix_State: installed

7150
collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V2R4_Manual-xccdf.xml Normal file
View File

File diff suppressed because one or more lines are too long

30
collections/ansible_collections/demo/compliance/roles/rhel9STIG/handlers/main.yml Normal file
View File

@@ -0,0 +1,30 @@
- name: dconf_update
command: dconf update
- name: auditd_restart
command: /usr/sbin/service auditd restart
- name: ssh_restart
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60

2990
collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml Normal file
View File

File diff suppressed because it is too large Load Diff

67
collections/ansible_collections/demo/compliance/roles/win2022STIG/callback_plugins/stig_xml.py
View File

@@ -1,4 +1,5 @@
from __future__ import (absolute_import, division, print_function)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.plugins.callback import CallbackBase
@@ -11,76 +12,82 @@ import os
import xml.etree.ElementTree as ET
import xml.dom.minidom
class CallbackModule(CallbackBase):
CALLBACK_VERSION = 2.0
CALLBACK_TYPE = 'xml'
CALLBACK_NAME = 'stig_xml'
CALLBACK_TYPE = "xml"
CALLBACK_NAME = "stig_xml"
CALLBACK_NEEDS_WHITELIST = True
def _get_STIG_path(self):
cwd = os.path.abspath('.')
cwd = os.path.abspath(".")
for dirpath, dirs, files in os.walk(cwd):
if os.path.sep + 'files' in dirpath and '.xml' in files[0]:
if os.path.sep + "files" in dirpath and ".xml" in files[0]:
return os.path.join(cwd, dirpath, files[0])
def __init__(self):
super(CallbackModule, self).__init__()
self.rules = {}
self.stig_path = os.environ.get('STIG_PATH')
self.XML_path = os.environ.get('XML_PATH')
self.stig_path = os.environ.get("STIG_PATH")
self.XML_path = os.environ.get("XML_PATH")
if self.stig_path is None:
self.stig_path = self._get_STIG_path()
self._display.display('Using STIG_PATH: {}'.format(self.stig_path))
self._display.display("Using STIG_PATH: {}".format(self.stig_path))
if self.XML_path is None:
self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml"
self._display.display('Using XML_PATH: {}'.format(self.XML_path))
self._display.display("Using XML_PATH: {}".format(self.XML_path))
print("Writing: {}".format(self.XML_path))
STIG_name = os.path.basename(self.stig_path)
ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2')
self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult')
self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name))
ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2")
self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult")
self.tr.set(
"id",
"xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name),
)
endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime())
self.tr.set('end-time', endtime)
tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target')
self.tr.set("end-time", endtime)
tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target")
tg.text = platform.node()
def _get_rev(self, nid):
with open(self.stig_path, 'r') as f:
r = 'SV-{}r(?P<rev>\d+)_rule'.format(nid)
with open(self.stig_path, "r") as f:
r = "SV-{}r(?P<rev>\d+)_rule".format(nid)
m = re.search(r, f.read())
if m:
rev = m.group('rev')
rev = m.group("rev")
else:
rev = '0'
rev = "0"
return rev
def v2_runner_on_ok(self, result):
name = result._task.get_name()
m = re.search('stigrule_(?P<id>\d+)', name)
m = re.search("stigrule_(?P<id>\d+)", name)
if m:
nid = m.group('id')
nid = m.group("id")
else:
return
rev = self._get_rev(nid)
key = "{}r{}".format(nid, rev)
if self.rules.get(key, 'Unknown') != False:
if self.rules.get(key, "Unknown") != False:
self.rules[key] = result.is_changed()
def v2_playbook_on_stats(self, stats):
for rule, changed in self.rules.items():
state = 'fail' if changed else 'pass'
rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result')
rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule))
rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result')
state = "fail" if changed else "pass"
rr = ET.SubElement(
self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result"
)
rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule))
rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result")
rs.text = state
passing = len(self.rules) - sum(self.rules.values())
sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score')
sc.set('maximum', str(len(self.rules)))
sc.set('system', 'urn:xccdf:scoring:flat-unweighted')
sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score")
sc.set("maximum", str(len(self.rules)))
sc.set("system", "urn:xccdf:scoring:flat-unweighted")
sc.text = str(passing)
with open(self.XML_path, 'wb') as f:
with open(self.XML_path, "wb") as f:
out = ET.tostring(self.tr)
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8')
pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8")
f.write(pretty)

242
collections/ansible_collections/demo/compliance/roles/win2022STIG/files/U_MS_Windows_Server_2022_STIG_V1R1_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

131
collections/ansible_collections/demo/openshift/roles/cluster_config/README.md Normal file
View File

@@ -0,0 +1,131 @@
Role Name
=========
This Ansible role helps configure Operators on the Openshift Cluster to support VM migrations. Tasks include
- Configure Catalog Sources to use mirroring repository for Operators
- Create and configure Operators
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
The task `operators/catalog_sources.yml` needs following variables:
- **Variable Name**: `cluster_config_catalog_sources`
- **Type**: List
- **Description**: A list of custom CatalogSources configurations used as loop variables to generate Kubernetes manifest files from the template `catalog_source.j2` for CatalogSource. If the variable is not available, no manifest is created.
- **Example**:
```yaml
cluster_config_catalog_sources:
- name: redhat-marketplace2
source_type: grpc
display_name: Mirror to Red Hat Marketplace
image_path: internal-registry.example.com/operator:v1
priority: '-300'
icon:
base64data: ''
mediatype: ''
publisher: redhat
address: ''
grpc_pod_config: |
nodeSelector:
kubernetes.io/os: linux
node-role.kubernetes.io/master: ''
priorityClassName: system-cluster-critical
securityContextConfig: restricted
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
registry_poll_interval: 10m
```
The task `operators/operator_config.yaml` needs following variables:
- **Variable Name**: `cluster_config_operators`
- **Type**: List
- **Description**: A list of operators to be installed on OCP cluster
- **Variable Name**: `cluster_config_[OPERATOR_NAME]`
- **Type**: Dict
- **Description**: Configuration specific to each operator listed in `cluster_config_operators`. Includes settings for namespace, operator group, subscription, and any extra resources
- **Example**: Assume the `cluster_config_operators` specifies these operators:
```yaml
cluster_config_operators:
- cnv
- oadp
```
then the corresponding `cluster_config_mtv` and `cluster_config_cnv` can be configured as following:
```yaml
cluster_config_cnv_namespace: openshift-cnv
cluster_config_cnv:
namespace:
name: "{{ cluster_config_cnv_namespace }}"
operator_group:
name: kubevirt-hyperconverged-group
target_namespaces:
- "{{ cluster_config_cnv_namespace }}"
subscription:
name: kubevirt-hyperconverged
starting_csv: kubevirt-hyperconverged-operator.v4.13.8
extra_resources:
- apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
name: kubevirt-hyperconverged
namespace: "{{ cluster_config_cnv_namespace }}"
spec:
BareMetalPlatform: true
cluster_config_oadp_namespace: openshift-adp
cluster_config_oadp:
namespace:
name: "{{ cluster_config_oadp_namespace }}"
operator_group:
name: redhat-oadp-operator-group
target_namespaces:
- "{{ cluster_config_oadp_namespace }}"
subscription:
name: redhat-oadp-operator-subscription
spec_name: redhat-oadp-operator
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
An example of configuring a CatalogSource resource:
```
- name: Configure Catalog Sources for Operators
hosts: localhost
gather_facts: false
tasks:
- ansible.builtin.include_role:
name: cluster_config
tasks_from: operators/catalog_sources
```
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

23
collections/ansible_collections/demo/openshift/roles/cluster_config/defaults/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
# defaults file for cluster_config
cluster_config_operators:
- cnv
cluster_config_cnv:
checkplan: true
namespace:
name: &cluster_config_cnv_namespace openshift-cnv
operator_group:
name: kubevirt-hyperconverged-group
target_namespaces:
- *cluster_config_cnv_namespace
subscription:
name: kubevirt-hyperconverged
extra_resources:
- apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
name: kubevirt-hyperconverged
namespace: *cluster_config_cnv_namespace
spec:
BareMetalPlatform: true

2
collections/ansible_collections/demo/openshift/roles/cluster_config/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for cluster_config

3
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: Configure Operators
ansible.builtin.import_tasks: operators/operator_config.yml

37
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/_operator_config_item.yml Normal file
View File

@@ -0,0 +1,37 @@
---
- name: Retrieve Operator name
ansible.builtin.set_fact:
_operator: "{{ vars['cluster_config_' + _operator_name] }}"
- name: Configure Operator {{ _operator_name }}
redhat.openshift.k8s:
state: present
template:
- operators/namespace.yml.j2
- operators/operator_group.yml.j2
- operators/subscription.yml.j2
- name: Query for install plan
kubernetes.core.k8s_info:
api_version: operators.coreos.com/v1alpha1
kind: InstallPlan
namespace: "{{ _operator.namespace.name }}"
register: r_install_plans
retries: 30
delay: 5
until:
- r_install_plans.resources | default([]) | length > 0
- r_install_plans.resources[0].status is defined
- r_install_plans.resources[0].status.phase == "Complete"
when:
- _operator.checkplan is defined
- _operator.checkplan | bool
- name: Configure extra resources for Operator {{ _operator_name }}
redhat.openshift.k8s:
state: present
definition: "{{ item }}"
register: creation_result
loop: "{{ _operator.extra_resources }}"
retries: 30
delay: 5
until: creation_result is success
when: _operator.extra_resources is defined

7
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/catalog_sources.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Configure custom CatalogSource for Operators
redhat.openshift.k8s:
state: present
template: operators/catalog_source.j2
loop: "{{ cluster_config_catalog_sources }}"
when: cluster_config_catalog_sources is defined

59
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/node-health-check.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: Create node-health-check operator namespace
redhat.openshift.k8s:
name: openshift-workload-availability
api_version: v1
kind: Namespace
state: present
- name: Create node-health-check operator group
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
generateName: openshift-workload-availability-
annotations:
olm.providedAPIs: >-
NodeHealthCheck.v1alpha1.remediation.medik8s.io,SelfNodeRemediation.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationConfig.v1alpha1.self-node-remediation.medik8s.io,SelfNodeRemediationTemplate.v1alpha1.self-node-remediation.medik8s.io
namespace: openshift-workload-availability
spec:
upgradeStrategy: Default
- name: Create node-health-check operator subscription
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
labels:
operators.coreos.com/node-healthcheck-operator.openshift-workload-availability: ''
name: node-health-check-operator
namespace: openshift-workload-availability
spec:
channel: stable
installPlanApproval: Automatic
name: node-healthcheck-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- name: Create Self Node Remediation subscription
redhat.openshift.k8s:
state: present
definition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: self-node-remediation-stable-redhat-operators-openshift-marketplace
namespace: openshift-workload-availability
labels:
operators.coreos.com/self-node-remediation.openshift-workload-availability: ''
spec:
channel: stable
installPlanApproval: Automatic
name: self-node-remediation
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: self-node-remediation.v0.8.0

6
collections/ansible_collections/demo/openshift/roles/cluster_config/tasks/operators/operator_config.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Configure Operators
ansible.builtin.include_tasks: _operator_config_item.yml
loop: "{{ cluster_config_operators }}"
loop_control:
loop_var: _operator_name

34
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/catalog_source.j2 Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: {{ item.name }}
namespace: openshift-marketplace
spec:
sourceType: {{ item.source_type | d('grpc',true) }}
image: {{ item.image_path }}
{% if item.display_name is defined -%}
displayName: {{ item.display_name }}
{% endif -%}
{% if item.priority is defined -%}
priority: {{ item.priority }}
{% endif -%}
{% if item.grpc_pod_config is defined -%}
grpcPodConfig:
{{ item.grpc_pod_config | indent(4) }}
{% endif -%}
{% if item.icon is defined -%}
icon:
base64data: '{{ item.icon.base64data or '' }}'
mediatype: '{{ item.icon.mediatype or '' }}'
{% endif -%}
{% if item.publisher is defined -%}
publisher: {{ item.publisher }}
{% endif -%}
{% if item.address is defined -%}
address: {{ item.address }}
{% endif -%}
{% if item.registry_poll_interval is defined -%}
updateStrategy:
registryPoll:
interval: {{ item.registry_poll_interval }}
{% endif -%}

10
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/namespace.yml.j2 Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ _operator.namespace.name }}
{% if _operator.namespace.labels is defined %}
labels:
{% for key, value in _operator.namespace.labels.items() -%}
{{ key }}: "{{ value }}"
{% endfor -%}
{% endif -%}

12
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/operator_group.yml.j2 Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: {{ _operator.operator_group.name }}
namespace: {{ _operator.operator_group.namespace | d(_operator.namespace.name, true) }}
spec:
{% if _operator.operator_group.target_namespaces is defined -%}
targetNamespaces:
{% for item in _operator.operator_group.target_namespaces %}
- {{ item }}
{% endfor %}
{% endif -%}

14
collections/ansible_collections/demo/openshift/roles/cluster_config/templates/operators/subscription.yml.j2 Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: {{ _operator.subscription.name }}
namespace: "{{ _operator.subscription.namespace | d(_operator.namespace.name, true) }}"
spec:
channel: {{ _operator.subscription.channel | d('stable', true) }}
installPlanApproval: {{ _operator.subscription.install_plan_approval | d('Automatic', true) }}
name: {{ _operator.subscription.spec_name | d(_operator.subscription.name, true) }}
source: {{ _operator.subscription.source | d('redhat-operators', true) }}
sourceNamespace: {{ _operator.subscription.source_namespace | d('openshift-marketplace', true) }}
{% if _operator.subscription.starting_csv is defined %}
startingCSV: {{ _operator.subscription.starting_csv }}
{% endif -%}

1
collections/ansible_collections/demo/openshift/roles/cluster_config/tests/inventory Normal file
View File

@@ -0,0 +1 @@
localhost

6
collections/ansible_collections/demo/openshift/roles/cluster_config/tests/test.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: Include cluster_config role
hosts: localhost
remote_user: root
roles:
- cluster_config

2
collections/ansible_collections/demo/openshift/roles/cluster_config/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for cluster_config

13
collections/ansible_collections/demo/openshift/roles/eda_controller/.yamllint Normal file
View File

@@ -0,0 +1,13 @@
---
extends: default
rules:
comments:
require-starting-space: false
min-spaces-from-content: 1
comments-indentation: disable
indentation:
indent-sequences: consistent
line-length:
max: 120
allow-non-breakable-inline-mappings: true

16
collections/ansible_collections/demo/openshift/roles/eda_controller/defaults/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
# --------------------------------------------------------
# Ansible Automation Platform Controller URL
# --------------------------------------------------------
# eda_controller_aap_controller_url: [Required]
# --------------------------------------------------------
# Workload: eda_controller
# --------------------------------------------------------
eda_controller_project: "aap"
eda_controller_project_app_name: "eda-controller"
# eda_controller_admin_password: "{{ common_password }}"
eda_controller_cluster_rolebinding_name: eda_default
eda_controller_cluster_rolebinding_role: cluster-admin

14
collections/ansible_collections/demo/openshift/roles/eda_controller/meta/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
galaxy_info:
role_name: eda_controller
author: Mitesh Sharma (mitsharm@redhat.com)
description: |
Installs EDA on OpenShift
license: GPLv3
min_ansible_version: "2.9"
platforms: []
galaxy_tags:
- eda
- openshift
- aap
dependencies: []

6
collections/ansible_collections/demo/openshift/roles/eda_controller/readme.adoc Normal file
View File

@@ -0,0 +1,6 @@
== eda_controller
This role installs EDA on OpenShift, mostly copied from https://github.com/redhat-cop/agnosticd/.
== Dependencies
Role: automation_controller_platform

54
collections/ansible_collections/demo/openshift/roles/eda_controller/tasks/main.yml Normal file
View File

@@ -0,0 +1,54 @@
---
- name: Setup environment vars
block:
- name: Create secret and Install EDA
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', __definition) }}"
loop:
- eda_admin_secret.j2
- eda_controller.j2
loop_control:
loop_var: __definition
- name: Retrieve created route
kubernetes.core.k8s_info:
api_version: "route.openshift.io/v1"
kind: Route
name: "{{ eda_controller_project_app_name }}"
namespace: "{{ eda_controller_project }}"
register: eda_controller_r_eda_route
until: eda_controller_r_eda_route.resources[0].spec.host is defined
retries: 30
delay: 45
- name: Get eda-controller route hostname
ansible.builtin.set_fact:
eda_controller_hostname: "{{ eda_controller_r_eda_route.resources[0].spec.host }}"
- name: Wait for eda_controller to be running
ansible.builtin.uri:
url: https://{{ eda_controller_hostname }}/api/eda/v1/users/me/awx-tokens/
user: "admin"
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"
method: GET
force_basic_auth: true
validate_certs: false
body_format: json
status_code: 200
register: eda_controller_r_result
until: not eda_controller_r_result.failed
retries: 60
delay: 45
- name: Create Rolebinding for Rulebook Activations
kubernetes.core.k8s:
state: present
definition: "{{ lookup('template', 'cluster_rolebinding.j2') }}"
- name: Display EDA Controller URL
ansible.builtin.debug:
msg:
- "EDA Controller URL: https://{{ eda_controller_hostname }}"
- "EDA Controller Admin Login: admin"
- "EDA Controller Admin Password: <same as the Controller Admin password>"

13
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/cluster_rolebinding.j2 Normal file
View File

@@ -0,0 +1,13 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ eda_controller_cluster_rolebinding_name }}
subjects:
- kind: ServiceAccount
name: default
namespace: {{ eda_controller_project }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ eda_controller_cluster_rolebinding_role }}

15
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_admin_secret.j2 Normal file
View File

@@ -0,0 +1,15 @@
---
kind: Secret
apiVersion: v1
metadata:
name: {{ eda_controller_project_app_name }}-admin-password
namespace: {{ eda_controller_project }}
labels:
app.kubernetes.io/component: eda
app.kubernetes.io/managed-by: eda-operator
app.kubernetes.io/name: {{ eda_controller_project_app_name }}
app.kubernetes.io/operator-version: '2.4'
app.kubernetes.io/part-of: {{ eda_controller_project_app_name }}
data:
password: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') | b64encode }}"
type: Opaque

26
collections/ansible_collections/demo/openshift/roles/eda_controller/templates/eda_controller.j2 Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: eda.ansible.com/v1alpha1
kind: EDA
metadata:
name: {{ eda_controller_project_app_name }}
namespace: {{ eda_controller_project }}
spec:
route_tls_termination_mechanism: Edge
ingress_type: Route
loadbalancer_port: 80
no_log: true
image_pull_policy: IfNotPresent
ui:
replicas: 1
set_self_labels: true
api:
gunicorn_workers: 2
replicas: 1
redis:
replicas: 1
admin_user: admin
loadbalancer_protocol: http
worker:
replicas: 3
automation_server_url: '{{ lookup('ansible.builtin.env', 'CONTROLLER_HOST') }}'
admin_password_secret: {{ eda_controller_project_app_name }}-admin-password

49
collections/ansible_collections/demo/openshift/roles/snapshot/tasks/create.yml Normal file
View File

@@ -0,0 +1,49 @@
---
- name: Get state of VirtualMachine
redhat.openshift_virtualization.kubevirt_vm_info:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
register: snapshot_state
- name: Stop VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: false
wait: true
when: snapshot_state.resources.0.spec.running
- name: Create a VirtualMachineSnapshot
kubernetes.core.k8s:
definition:
apiVersion: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineSnapshot
metadata:
generateName: "{{ item }}-{{ ansible_date_time.epoch }}"
namespace: "{{ vm_namespace }}"
spec:
source:
apiGroup: kubevirt.io
kind: VirtualMachine
name: "{{ item }}"
wait: true
wait_condition:
type: Ready
register: snapshot_snapshot
- name: Start VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: true
wait: true
when: snapshot_state.resources.0.spec.running
- name: Export snapshot name
ansible.builtin.set_stats:
data:
restore_snapshot_name: "{{ snapshot_snapshot.result.metadata.name }}"
- name: Output snapshot name
ansible.builtin.debug:
msg: "Successfully created snapshot {{ snapshot_snapshot.result.metadata.name }}"

12
collections/ansible_collections/demo/openshift/roles/snapshot/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# parameters
# snapshot_opeation: <ceate/restore>
- name: Show hostnames we care about
ansible.builtin.debug:
msg: "About to {{ snapshot_operation }} snapshot(s) for the following hosts:
{{ lookup('ansible.builtin.inventory_hostnames', snapshot_hosts) | split(',') | difference(['localhost']) }}"
- name: Manage snapshots based on operation
ansible.builtin.include_tasks:
file: "{{ snapshot_operation }}.yml"
loop: "{{ lookup('ansible.builtin.inventory_hostnames', snapshot_hosts) | regex_replace(vm_namespace + '-', '') | split(',') | difference(['localhost']) }}"

51
collections/ansible_collections/demo/openshift/roles/snapshot/tasks/restore.yml Normal file
View File

@@ -0,0 +1,51 @@
---
- name: Get state of VirtualMachine
redhat.openshift_virtualization.kubevirt_vm_info:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
register: snapshot_state
- name: List snapshots
kubernetes.core.k8s_info:
api_version: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineSnapshot
namespace: "{{ vm_namespace }}"
register: snapshot_snapshot
- name: Set snapshot name for {{ item }}
ansible.builtin.set_fact:
snapshot_latest_snapshot: "{{ snapshot_snapshot.resources | selectattr('spec.source.name', 'equalto', item) | sort(attribute='metadata.creationTimestamp') | first }}"
- name: Stop VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: false
wait: true
when: snapshot_state.resources.0.spec.running
- name: Restore a VirtualMachineSnapshot
kubernetes.core.k8s:
definition:
apiVersion: snapshot.kubevirt.io/v1alpha1
kind: VirtualMachineRestore
metadata:
generateName: "{{ snapshot_latest_snapshot.metadata.generateName }}"
namespace: "{{ vm_namespace }}"
spec:
target:
apiGroup: kubevirt.io
kind: VirtualMachine
name: "{{ item }}"
virtualMachineSnapshotName: "{{ snapshot_latest_snapshot.metadata.name }}"
wait: true
wait_condition:
type: Ready
- name: Start VirtualMachine
redhat.openshift_virtualization.kubevirt_vm:
name: "{{ item }}"
namespace: "{{ vm_namespace }}"
running: true
wait: true
when: snapshot_state.resources.0.spec.running

50
collections/ansible_collections/demo/patching/plugins/modules/scan_packages.py
View File

@@ -1,16 +1,16 @@
#!/usr/bin/env python
from ansible.module_utils.basic import * # noqa
from ansible.module_utils.basic import * # noqa
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: scan_packages
short_description: Return installed packages information as fact data
description:
- Return information about installed packages as fact data
'''
"""
EXAMPLES = '''
EXAMPLES = """
# Example fact output:
# host | success >> {
# "ansible_facts": {
@@ -34,21 +34,23 @@ EXAMPLES = '''
# "name": "gcc-4.8-base"
# }
# ]
'''
"""
def rpm_package_list():
import rpm
trans_set = rpm.TransactionSet()
installed_packages = []
for package in trans_set.dbMatch():
package_details = {
'name':package[rpm.RPMTAG_NAME],
'version':package[rpm.RPMTAG_VERSION],
'release':package[rpm.RPMTAG_RELEASE],
'epoch':package[rpm.RPMTAG_EPOCH],
'arch':package[rpm.RPMTAG_ARCH],
'source':'rpm' }
"name": package[rpm.RPMTAG_NAME],
"version": package[rpm.RPMTAG_VERSION],
"release": package[rpm.RPMTAG_RELEASE],
"epoch": package[rpm.RPMTAG_EPOCH],
"arch": package[rpm.RPMTAG_ARCH],
"source": "rpm",
}
if installed_packages == []:
installed_packages = [package_details]
else:
@@ -58,16 +60,20 @@ def rpm_package_list():
def deb_package_list():
import apt
apt_cache = apt.Cache()
installed_packages = []
apt_installed_packages = [pk for pk in apt_cache.keys() if apt_cache[pk].is_installed]
apt_installed_packages = [
pk for pk in apt_cache.keys() if apt_cache[pk].is_installed
]
for package in apt_installed_packages:
ac_pkg = apt_cache[package].installed
package_details = {
'name':package,
'version':ac_pkg.version,
'arch':ac_pkg.architecture,
'source':'apt'}
"name": package,
"version": ac_pkg.version,
"arch": ac_pkg.architecture,
"source": "apt",
}
if installed_packages == []:
installed_packages = [package_details]
else:
@@ -76,13 +82,11 @@ def deb_package_list():
def main():
module = AnsibleModule(
argument_spec = dict(os_family=dict(required=True))
)
ans_os = module.params['os_family']
if ans_os in ('RedHat', 'Suse', 'openSUSE Leap'):
module = AnsibleModule(argument_spec=dict(os_family=dict(required=True)))
ans_os = module.params["os_family"]
if ans_os in ("RedHat", "Suse", "openSUSE Leap"):
packages = rpm_package_list()
elif ans_os == 'Debian':
elif ans_os == "Debian":
packages = deb_package_list()
else:
packages = None
@@ -94,4 +98,4 @@ def main():
module.exit_json(**results)
main()
main()

169
collections/ansible_collections/demo/patching/plugins/modules/scan_services.py
View File

@@ -1,46 +1,47 @@
#!/usr/bin/env python
import re
from ansible.module_utils.basic import * # noqa
from ansible.module_utils.basic import * # noqa
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: scan_services
short_description: Return service state information as fact data
description:
- Return service state information as fact data for various service management utilities
'''
"""
EXAMPLES = '''
EXAMPLES = """
---
- monit: scan_services
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "services": {
# "network": {
# "source": "sysv",
# "state": "running",
# "name": "network"
# },
# "arp-ethers.service": {
# "source": "systemd",
# "state": "stopped",
# "name": "arp-ethers.service"
# }
# }
# "ansible_facts": {
# "services": {
# "network": {
# "source": "sysv",
# "state": "running",
# "name": "network"
# },
# "arp-ethers.service": {
# "source": "systemd",
# "state": "stopped",
# "name": "arp-ethers.service"
# }
# }
# }
'''
# }
"""
class BaseService(object):
def __init__(self, module):
self.module = module
self.incomplete_warning = False
class ServiceScanService(BaseService):
def gather_services(self):
services = {}
service_path = self.module.get_bin_path("service")
@@ -51,94 +52,125 @@ class ServiceScanService(BaseService):
# sysvinit
if service_path is not None and chkconfig_path is None:
rc, stdout, stderr = self.module.run_command("%s --status-all 2>&1 | grep -E \"\\[ (\\+|\\-) \\]\"" % service_path, use_unsafe_shell=True)
rc, stdout, stderr = self.module.run_command(
'%s --status-all 2>&1 | grep -E "\\[ (\\+|\\-) \\]"' % service_path,
use_unsafe_shell=True,
)
for line in stdout.split("\n"):
line_data = line.split()
if len(line_data) < 4:
continue # Skipping because we expected more data
continue # Skipping because we expected more data
service_name = " ".join(line_data[3:])
if line_data[1] == "+":
service_state = "running"
else:
service_state = "stopped"
services[service_name] = {"name": service_name, "state": service_state, "source": "sysv"}
services[service_name] = {
"name": service_name,
"state": service_state,
"source": "sysv",
}
# Upstart
if initctl_path is not None and chkconfig_path is None:
p = re.compile('^\s?(?P<name>.*)\s(?P<goal>\w+)\/(?P<state>\w+)(\,\sprocess\s(?P<pid>[0-9]+))?\s*$')
p = re.compile(
"^\s?(?P<name>.*)\s(?P<goal>\w+)\/(?P<state>\w+)(\,\sprocess\s(?P<pid>[0-9]+))?\s*$"
)
rc, stdout, stderr = self.module.run_command("%s list" % initctl_path)
real_stdout = stdout.replace("\r","")
real_stdout = stdout.replace("\r", "")
for line in real_stdout.split("\n"):
m = p.match(line)
if not m:
continue
service_name = m.group('name')
service_goal = m.group('goal')
service_state = m.group('state')
if m.group('pid'):
pid = m.group('pid')
service_name = m.group("name")
service_goal = m.group("goal")
service_state = m.group("state")
if m.group("pid"):
pid = m.group("pid")
else:
pid = None # NOQA
payload = {"name": service_name, "state": service_state, "goal": service_goal, "source": "upstart"}
payload = {
"name": service_name,
"state": service_state,
"goal": service_goal,
"source": "upstart",
}
services[service_name] = payload
# RH sysvinit
elif chkconfig_path is not None:
#print '%s --status-all | grep -E "is (running|stopped)"' % service_path
# print '%s --status-all | grep -E "is (running|stopped)"' % service_path
p = re.compile(
'(?P<service>.*?)\s+[0-9]:(?P<rl0>on|off)\s+[0-9]:(?P<rl1>on|off)\s+[0-9]:(?P<rl2>on|off)\s+'
'[0-9]:(?P<rl3>on|off)\s+[0-9]:(?P<rl4>on|off)\s+[0-9]:(?P<rl5>on|off)\s+[0-9]:(?P<rl6>on|off)')
rc, stdout, stderr = self.module.run_command('%s' % chkconfig_path, use_unsafe_shell=True)
"(?P<service>.*?)\s+[0-9]:(?P<rl0>on|off)\s+[0-9]:(?P<rl1>on|off)\s+[0-9]:(?P<rl2>on|off)\s+"
"[0-9]:(?P<rl3>on|off)\s+[0-9]:(?P<rl4>on|off)\s+[0-9]:(?P<rl5>on|off)\s+[0-9]:(?P<rl6>on|off)"
)
rc, stdout, stderr = self.module.run_command(
"%s" % chkconfig_path, use_unsafe_shell=True
)
# Check for special cases where stdout does not fit pattern
match_any = False
for line in stdout.split('\n'):
for line in stdout.split("\n"):
if p.match(line):
match_any = True
if not match_any:
p_simple = re.compile('(?P<service>.*?)\s+(?P<rl0>on|off)')
p_simple = re.compile("(?P<service>.*?)\s+(?P<rl0>on|off)")
match_any = False
for line in stdout.split('\n'):
for line in stdout.split("\n"):
if p_simple.match(line):
match_any = True
if match_any:
# Try extra flags " -l --allservices" needed for SLES11
rc, stdout, stderr = self.module.run_command('%s -l --allservices' % chkconfig_path, use_unsafe_shell=True)
elif '--list' in stderr:
rc, stdout, stderr = self.module.run_command(
"%s -l --allservices" % chkconfig_path, use_unsafe_shell=True
)
elif "--list" in stderr:
# Extra flag needed for RHEL5
rc, stdout, stderr = self.module.run_command('%s --list' % chkconfig_path, use_unsafe_shell=True)
for line in stdout.split('\n'):
rc, stdout, stderr = self.module.run_command(
"%s --list" % chkconfig_path, use_unsafe_shell=True
)
for line in stdout.split("\n"):
m = p.match(line)
if m:
service_name = m.group('service')
service_state = 'stopped'
if m.group('rl3') == 'on':
rc, stdout, stderr = self.module.run_command('%s %s status' % (service_path, service_name), use_unsafe_shell=True)
service_name = m.group("service")
service_state = "stopped"
if m.group("rl3") == "on":
rc, stdout, stderr = self.module.run_command(
"%s %s status" % (service_path, service_name),
use_unsafe_shell=True,
)
service_state = rc
if rc in (0,):
service_state = 'running'
#elif rc in (1,3):
service_state = "running"
# elif rc in (1,3):
else:
if 'root' in stderr or 'permission' in stderr.lower() or 'not in sudoers' in stderr.lower():
if (
"root" in stderr
or "permission" in stderr.lower()
or "not in sudoers" in stderr.lower()
):
self.incomplete_warning = True
continue
else:
service_state = 'stopped'
service_data = {"name": service_name, "state": service_state, "source": "sysv"}
service_state = "stopped"
service_data = {
"name": service_name,
"state": service_state,
"source": "sysv",
}
services[service_name] = service_data
return services
class SystemctlScanService(BaseService):
def systemd_enabled(self):
# Check if init is the systemd command, using comm as cmdline could be symlink
try:
f = open('/proc/1/comm', 'r')
f = open("/proc/1/comm", "r")
except IOError:
# If comm doesn't exist, old kernel, no systemd
return False
for line in f:
if 'systemd' in line:
if "systemd" in line:
return True
return False
@@ -146,10 +178,16 @@ class SystemctlScanService(BaseService):
services = {}
if not self.systemd_enabled():
return None
systemctl_path = self.module.get_bin_path("systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"])
systemctl_path = self.module.get_bin_path(
"systemctl", opt_dirs=["/usr/bin", "/usr/local/bin"]
)
if systemctl_path is None:
return None
rc, stdout, stderr = self.module.run_command("%s list-unit-files --type=service | tail -n +2 | head -n -2" % systemctl_path, use_unsafe_shell=True)
rc, stdout, stderr = self.module.run_command(
"%s list-unit-files --type=service | tail -n +2 | head -n -2"
% systemctl_path,
use_unsafe_shell=True,
)
for line in stdout.split("\n"):
line_data = line.split()
if len(line_data) != 2:
@@ -158,12 +196,16 @@ class SystemctlScanService(BaseService):
state_val = "running"
else:
state_val = "stopped"
services[line_data[0]] = {"name": line_data[0], "state": state_val, "source": "systemd"}
services[line_data[0]] = {
"name": line_data[0],
"state": state_val,
"source": "systemd",
}
return services
def main():
module = AnsibleModule(argument_spec = dict())
module = AnsibleModule(argument_spec=dict())
service_modules = (ServiceScanService, SystemctlScanService)
all_services = {}
incomplete_warning = False
@@ -175,12 +217,17 @@ def main():
if svcmod.incomplete_warning:
incomplete_warning = True
if len(all_services) == 0:
results = dict(skipped=True, msg="Failed to find any services. Sometimes this is due to insufficient privileges.")
results = dict(
skipped=True,
msg="Failed to find any services. Sometimes this is due to insufficient privileges.",
)
else:
results = dict(ansible_facts=dict(services=all_services))
if incomplete_warning:
results['msg'] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
results[
"msg"
] = "WARNING: Could not find status for all services. Sometimes this is due to insufficient privileges."
module.exit_json(**results)
main()
main()

2
collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.ps1
View File

@@ -63,4 +63,4 @@ $result = New-Object psobject @{
changed = $false
}
Exit-Json $result;
Exit-Json $result;

43
collections/ansible_collections/demo/patching/plugins/modules/win_scan_packages.py
View File

@@ -1,31 +1,34 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: win_scan_packages
short_description: Return Package state information as fact data
description:
- Return Package state information as fact data for various Packages
'''
"""
EXAMPLES = '''
EXAMPLES = """
- monit: win_scan_packages
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "packages": [
{
"name": "Mozilla Firefox 76.0.1 (x64 en-US)",
"version": "76.0.1",
"publisher": "Mozilla",
"arch": "Win64"
},
{
"name": "Mozilla Maintenance Service",
"version": "76.0.1",
"publisher": "Mozilla",
"arch": "Win64"
},
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "packages": [
# {
# "name": "Mozilla Firefox 76.0.1 (x64 en-US)",
# "version": "76.0.1",
# "publisher": "Mozilla",
# "arch": "Win64"
# },
# {
# "name": "Mozilla Maintenance Service",
# "version": "76.0.1",
# "publisher": "Mozilla",
# "arch": "Win64"
# }
# ]
# }
'''
# }
"""

2
collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.ps1
View File

@@ -27,4 +27,4 @@ $result = New-Object psobject @{
changed = $false
}
Exit-Json $result;
Exit-Json $result;

45
collections/ansible_collections/demo/patching/plugins/modules/win_scan_services.py
View File

@@ -1,34 +1,37 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: win_scan_services
short_description: Return service state information as fact data
description:
- Return service state information as fact data for various service management utilities
'''
"""
EXAMPLES = '''
EXAMPLES = """
- monit: win_scan_services
# Example fact output:
# host | success >> {
# "ansible_facts": {
# "services": [
{
"name": "AllJoyn Router Service",
"win_svc_name": "AJRouter",
"state": "stopped"
},
{
"name": "Application Layer Gateway Service",
"win_svc_name": "ALG",
"state": "stopped"
},
{
"name": "Application Host Helper Service",
"win_svc_name": "AppHostSvc",
"state": "running"
},
# "ansible_facts": {
# "services": [
# {
# "name": "AllJoyn Router Service",
# "win_svc_name": "AJRouter",
# "state": "stopped"
# },
# {
# "name": "Application Layer Gateway Service",
# "win_svc_name": "ALG",
# "state": "stopped"
# },
# {
# "name": "Application Host Helper Service",
# "win_svc_name": "AppHostSvc",
# "state": "running"
# }
# ]
# }
'''
# }
"""

4
collections/ansible_collections/demo/patching/roles/build_report_network/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Network Report
import_role:
name: shadowman.reports.build_report_network
```
```

23
collections/ansible_collections/demo/patching/roles/build_report_network/tasks/main.yml
View File

@@ -1,3 +1,4 @@
---
- name: Create web directory if it does not exist
ansible.builtin.file:
path: "{{ file_path }}"
@@ -5,32 +6,34 @@
mode: "0755"
- name: Create HTML report
check_mode: false
ansible.builtin.template:
src: report.j2
dest: "{{ file_path }}/network.html"
mode: "0644"
check_mode: false
- name: Copy CSS over
check_mode: false
ansible.builtin.copy:
src: "css"
dest: "{{ file_path }}"
directory_mode: true
mode: "0775"
check_mode: false
- name: Copy logos over
ansible.builtin.copy:
src: "{{ item }}"
dest: "{{ file_path }}"
directory_mode: true
mode: "0644"
loop:
- "webpage_logo.png"
- "redhat-ansible-logo.svg"
- "router.png"
loop_control:
loop_var: logo
check_mode: false
ansible.builtin.copy:
src: "{{ logo }}"
dest: "{{ file_path }}"
directory_mode: true
mode: "0644"
# - name: Display link to Linux patch report
# ansible.builtin.debug:
# msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/network.html"
- name: Display link to Linux patch report
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/network.html"

7
collections/ansible_collections/demo/patching/roles/build_report_network/vars/main.yml
View File

@@ -1,11 +1,12 @@
file_path: "{{ web_path | default('/var/www/html/reports') }}"
vendor:
---
file_path: "{{ web_path | default('/var/www/html/reports') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
vendor: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
ios: &my_value 'Cisco'
nxos: *my_value
iosxr: *my_value
junos: "Juniper"
eos: "Arista"
transport:
transport: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way
cliconf: "Network_CLI"
netconf: "NETCONF"
nxapi: "NX-API"

4
collections/ansible_collections/demo/patching/roles/build_report_windows/README.md
View File

@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using
- name: Run Windows Report
import_role:
name: shadowman.reports.build_report_windows
```
```

2
collections/ansible_collections/demo/patching/roles/build_report_windows/defaults/main.yml
View File

@@ -1,2 +1,2 @@
---
detailedreport: true
detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

52
collections/ansible_collections/demo/patching/roles/build_report_windows/files/css/new.css
View File

@@ -5,33 +5,33 @@ p.hostname {
margin: auto;
width: 50%;
}
#subtable {
background: #ebebeb;
margin: 0px;
width: 100%;
}
#subtable tbody tr td {
padding: 5px 5px 5px 5px;
}
#subtable thead th {
padding: 5px;
}
* {
-moz-box-sizing: border-box;
-webkit-box-sizing: border-box;
box-sizing: border-box;
font-family: "Open Sans", "Helvetica";
}
a {
color: #ffffff;
}
p {
color: #ffffff;
}
@@ -39,14 +39,14 @@ p.hostname {
text-align: center;
color: #ffffff;
}
body {
background:#353a40;
padding: 0px;
margin: 0px;
font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
}
table {
border-collapse: separate;
background:#fff;
@@ -57,11 +57,11 @@ p.hostname {
.main_net_table {
margin:50px auto;
}
thead {
@include border-radius(5px);
}
thead th {
font-size:16px;
font-weight:400;
@@ -71,16 +71,16 @@ p.hostname {
padding:20px;
border-top:1px solid #858d99;
background: #353a40;
&:first-child {
@include border-top-left-radius(5px);
}
&:last-child {
@include border-top-right-radius(5px);
}
}
tbody tr td {
font-weight:400;
color:#5f6062;
@@ -88,11 +88,11 @@ p.hostname {
padding:20px 20px 20px 20px;
border-bottom:1px solid #e0e0e0;
}
tbody tr:nth-child(2n) {
background:#f0f3f5;
}
tbody tr:last-child td {
border-bottom:none;
&:first-child {
@@ -102,7 +102,7 @@ p.hostname {
@include border-bottom-right-radius(5px);
}
}
td {
vertical-align: top;
}
@@ -110,16 +110,16 @@ p.hostname {
span.highlight {
background-color: yellow;
}
.expandclass {
color: #5f6062;
}
.content{
display:none;
margin: 10px;
}
header {
width: 100%;
position: initial;
@@ -130,7 +130,7 @@ p.hostname {
height: 88px;
background-color: #171717;
}
.header-container {
margin: 0 auto;
width: 100%;
@@ -141,14 +141,14 @@ p.hostname {
display: flex;
align-items: center;
}
.header-logo {
width: 137px;
border: 0;
margin: 0;
margin-left: 15px;
}
.header-link {
margin-left: 40px;
text-decoration: none;
@@ -158,12 +158,12 @@ p.hostname {
font-family: 'Red Hat Text';
font-weight: 500;
}
.header-link:hover {
text-shadow: 0 0 0.02px white;
text-decoration: none;
}
table.net_info td {
padding: 5px;
}
@@ -199,4 +199,4 @@ table.net_info {
p.internal_label {
color: #000000;
}
}

1
collections/ansible_collections/demo/patching/roles/build_report_windows/tasks/main.yml
View File

@@ -1,3 +1,4 @@
---
- name: Create HTML report
ansible.builtin.template:
src: report.j2

4
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/header.j2
View File

@@ -1,5 +1,5 @@
<div class="wrapper">
<header>
<div class="header-container">
@@ -12,4 +12,4 @@
/>
</a>
</div>
</header>
</header>

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/packages.j2
View File

@@ -26,4 +26,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR PACKAGES --!>
<! END INTERNAL TABLE FOR PACKAGES --!>

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/report.j2
View File

@@ -79,7 +79,7 @@ collapsible: true
<tr>
<td class="summary_info">
<div id="hostname">
<p class="hostname">
<p class="hostname">
<img class="router_image" src="server.png"> {{ hostvars[windows_host]['inventory_hostname'].split('.')[0] }}</p>
</div>
{% if detailedreport == 'True' %}

2
collections/ansible_collections/demo/patching/roles/build_report_windows/templates/services.j2
View File

@@ -26,4 +26,4 @@
</div>
</div>
</div>
<! END INTERNAL TABLE FOR SERVICES --!>
<! END INTERNAL TABLE FOR SERVICES --!>

Some files were not shown because too many files have changed in this diff Show More