├── .github └── workflows │ ├── ci.yml │ └── release.yml ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── handlers └── main.yml ├── meta └── main.yml ├── molecule ├── default │ ├── converge.yml │ ├── molecule.yml │ └── verify.yml └── docker │ ├── converge.yml │ ├── molecule.yml │ └── verify.yml ├── tasks └── main.yml ├── tests ├── inventory └── test.yml └── vars └── main.yml /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CI 3 | 'on': 4 | pull_request: 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - master 9 | schedule: 10 | - cron: "0 1 * * 3" 11 | 12 | defaults: 13 | run: 14 | working-directory: 'redhatofficial.rhel7-stig' 15 | 16 | jobs: 17 | 18 | lint: 19 | name: Lint 20 | runs-on: ubuntu-latest 21 | steps: 22 | - name: Check out the codebase. 23 | uses: actions/checkout@v2 24 | with: 25 | path: 'redhatofficial.rhel7-stig' 26 | 27 | - name: Set up Python 3. 28 | uses: actions/setup-python@v2 29 | with: 30 | python-version: '3.x' 31 | 32 | - name: Install test dependencies. 33 | run: pip3 install yamllint 34 | 35 | - name: Lint code. 36 | run: | 37 | yamllint . 38 | 39 | molecule: 40 | name: Molecule 41 | runs-on: ubuntu-latest 42 | strategy: 43 | matrix: 44 | distro: 45 | - centos7 46 | 47 | steps: 48 | - name: Check out the codebase. 49 | uses: actions/checkout@v2 50 | with: 51 | path: 'redhatofficial.rhel7-stig' 52 | 53 | - name: Set up Python 3. 54 | uses: actions/setup-python@v2 55 | with: 56 | python-version: '3.x' 57 | 58 | - name: Install test dependencies. 59 | run: pip3 install ansible molecule[docker] docker 60 | 61 | - name: Destroy existing molecule 62 | run: molecule destroy --scenario-name default 63 | 64 | - name: Run Molecule tests. 
65 | run: molecule -vvv test --scenario-name default 66 | env: 67 | PY_COLORS: '1' 68 | ANSIBLE_FORCE_COLOR: '1' 69 | MOLECULE_DISTRO: ${{ matrix.distro }} 70 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This workflow requires a GALAXY_API_KEY secret present in the GitHub 3 | # repository or organization. 4 | # 5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy 6 | # See: https://github.com/ansible/galaxy/issues/46 7 | 8 | name: Release 9 | 'on': 10 | workflow_dispatch: 11 | push: 12 | tags: 13 | - '*' 14 | 15 | defaults: 16 | run: 17 | working-directory: 'redhatofficial.rhel7-stig' 18 | 19 | jobs: 20 | 21 | release: 22 | name: Release 23 | runs-on: ubuntu-latest 24 | steps: 25 | - name: Check out the codebase. 26 | uses: actions/checkout@v2 27 | with: 28 | path: 'redhatofficial.rhel7-stig' 29 | 30 | - name: Set up Python 3. 31 | uses: actions/setup-python@v2 32 | with: 33 | python-version: '3.x' 34 | 35 | - name: Install Ansible. 36 | run: pip3 install ansible-base 37 | 38 | - name: Trigger a new import on Galaxy. 
39 | run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} --role-name $(echo ${{ github.repository }} | cut -d/ -f2 | sed 's|ansible-role-||') $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) 40 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | # Based on ansible-lint config 3 | extends: default 4 | 5 | rules: 6 | braces: {max-spaces-inside: 1, level: error} 7 | brackets: {max-spaces-inside: 1, level: error} 8 | colons: {max-spaces-after: -1, level: error} 9 | commas: {max-spaces-after: -1, level: error} 10 | comments: disable 11 | comments-indentation: disable 12 | document-start: disable 13 | empty-lines: {max: 3, level: error} 14 | hyphens: {level: error} 15 | indentation: disable 16 | key-duplicates: enable 17 | line-length: disable 18 | new-line-at-end-of-file: disable 19 | new-lines: {type: unix} 20 | trailing-spaces: disable 21 | truthy: disable 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | SPDX license identifier: BSD-3-Clause 2 | Copyright (c) 2012-2017, Red Hat, Inc. 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above copyright 10 | notice, this list of conditions and the following disclaimer in the 11 | documentation and/or other materials provided with the distribution. 
12 | * Neither the name of the Red Hat nor the 13 | names of its contributors may be used to endorse or promote products 14 | derived from this software without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY 20 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | DISA STIG for Red Hat Enterprise Linux 7 2 | ========= 3 | 4 | Ansible Role for DISA STIG for Red Hat Enterprise Linux 7 5 | 6 | Profile Description: 7 | This profile contains configuration checks that align to the 8 | DISA STIG for Red Hat Enterprise Linux V3R14. 9 | In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this 10 | configuration baseline as applicable to the operating system tier of 11 | Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as: 12 | - Red Hat Enterprise Linux Server 13 | - Red Hat Enterprise Linux Workstation and Desktop 14 | - Red Hat Enterprise Linux for HPC 15 | - Red Hat Storage 16 | - Red Hat Containers with a Red Hat Enterprise Linux 7 image 17 | 18 | The tasks that are used in this role are generated using OpenSCAP. 
19 | See the OpenSCAP project for more details on Ansible playbook generation at [https://github.com/OpenSCAP/openscap](https://github.com/OpenSCAP/openscap) 20 | 21 | To submit a fix or enhancement for an Ansible task that is failing or missing in this role, 22 | see the ComplianceAsCode project at [https://github.com/ComplianceAsCode/content](https://github.com/ComplianceAsCode/content) 23 | 24 | Requirements 25 | ------------ 26 | 27 | - Ansible version 2.9 or higher 28 | 29 | Role Variables 30 | -------------- 31 | 32 | To customize the role to your liking, check out the [list of variables](defaults/main.yml). Review those defaults before applying the role: every rule toggle in that file defaults to `true`, and some values are placeholders that must be overridden for your environment (for example, the SNMP community strings in `var_snmpd_ro_string` and `var_snmpd_rw_string`, and the `logcollector` hostname used for remote audit and syslog forwarding). 33 | 34 | Dependencies 35 | ------------ 36 | 37 | N/A 38 | 39 | Example Role Usage 40 | ---------------- 41 | 42 | Run `ansible-galaxy install RedHatOfficial.rhel7_stig` to 43 | download and install the role. Then, you can use the following playbook snippet to run the Ansible role: 44 | 45 | - hosts: all 46 | roles: 47 | - { role: RedHatOfficial.rhel7_stig } 48 | 49 | Next, dry-run the playbook against the local host with the following example (`--check` reports what would change without applying it): 50 | 51 | ansible-playbook -i "localhost," -c local --check playbook.yml 52 | 53 | To apply it, run the following (this may change the configuration of your local machine!): 54 | 55 | ansible-playbook -i "localhost," -c local playbook.yml 56 | 57 | License 58 | ------- 59 | 60 | BSD-3-Clause 61 | 62 | Author Information 63 | ------------------ 64 | 65 | This Ansible remediation role has been generated from the body of security 66 | policies developed by the ComplianceAsCode project. Please see 67 | [https://github.com/complianceascode/content/blob/master/Contributors.md](https://github.com/complianceascode/content/blob/master/Contributors.md) 68 | for an updated list of authors and contributors. 
69 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for rhel7_stig 3 | var_aide_scan_notification_email: root@localhost 4 | inactivity_timeout_value: '900' 5 | var_screensaver_lock_delay: '5' 6 | var_sudo_timestamp_timeout: '5' 7 | login_banner_text: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+
authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ 8 | var_password_pam_remember: '5' 9 | var_password_pam_remember_control_flag: requisite 10 | var_accounts_passwords_pam_faillock_deny: '3' 11 | var_accounts_passwords_pam_faillock_fail_interval: '900' 12 | var_accounts_passwords_pam_faillock_unlock_time: '0' 13 | var_password_pam_dcredit: '-1' 14 | var_password_pam_difok: '8' 15 | var_password_pam_lcredit: '-1' 16 | var_password_pam_maxclassrepeat: '4' 17 | var_password_pam_maxrepeat: '3' 18 | var_password_pam_minclass: '4' 19 | var_password_pam_minlen: '15' 20 | var_password_pam_ocredit: '-1' 21 | var_password_pam_retry: '3' 22 | var_password_pam_ucredit: '-1' 23 | var_password_hashing_algorithm: SHA512 24 | var_account_disable_post_pw_expiration: '35' 25 | var_accounts_maximum_age_login_defs: '60' 26 | var_accounts_minimum_age_login_defs: '1' 27 | var_accounts_fail_delay: '4' 28 | var_accounts_max_concurrent_login_sessions: '10' 29 | var_accounts_tmout: '900' 30 | 
var_user_initialization_files_regex: ^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$ 31 | var_accounts_user_umask: '077' 32 | var_audit_failure_mode: '2' 33 | var_accounts_passwords_pam_faillock_dir: /var/run/faillock 34 | var_audispd_remote_server: logcollector 35 | var_audispd_disk_full_action: single 36 | var_audispd_network_failure_action: single 37 | var_auditd_action_mail_acct: root 38 | var_auditd_space_left_action: email 39 | var_auditd_space_left_percentage: '25' 40 | var_auditd_name_format: hostname|fqd|numeric 41 | rsyslog_remote_loghost_address: logcollector 42 | sysctl_net_ipv6_conf_all_accept_source_route_value: '0' 43 | sysctl_net_ipv4_conf_all_accept_redirects_value: '0' 44 | sysctl_net_ipv4_conf_all_accept_source_route_value: '0' 45 | sysctl_net_ipv4_conf_all_rp_filter_value: '1' 46 | sysctl_net_ipv4_conf_default_accept_redirects_value: '0' 47 | sysctl_net_ipv4_conf_default_accept_source_route_value: '0' 48 | sysctl_net_ipv4_conf_default_rp_filter_value: '1' 49 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1' 50 | var_removable_partition: /dev/cdrom 51 | var_selinux_policy_name: targeted 52 | var_selinux_state: enforcing 53 | var_ssh_sysadm_login: 'false' 54 | var_time_service_set_maxpoll: '16' 55 | var_tftpd_secure_directory: /var/lib/tftpboot 56 | var_snmpd_ro_string: changemero 57 | var_snmpd_rw_string: changemerw 58 | sshd_idle_timeout_value: '600' 59 | var_sshd_disable_compression: 'no' 60 | var_sshd_priv_separation: sandbox 61 | DISA_STIG_RHEL_07_010010: true 62 | DISA_STIG_RHEL_07_010019: true 63 | DISA_STIG_RHEL_07_010020: true 64 | DISA_STIG_RHEL_07_010030: true 65 | DISA_STIG_RHEL_07_010040: true 66 | DISA_STIG_RHEL_07_010050: true 67 | DISA_STIG_RHEL_07_010060: true 68 | DISA_STIG_RHEL_07_010061: true 69 | DISA_STIG_RHEL_07_010062: true 70 | DISA_STIG_RHEL_07_010063: true 71 | DISA_STIG_RHEL_07_010070: true 72 | DISA_STIG_RHEL_07_010081: true 73 | DISA_STIG_RHEL_07_010082: true 74 | DISA_STIG_RHEL_07_010090: 
true 75 | DISA_STIG_RHEL_07_010100: true 76 | DISA_STIG_RHEL_07_010101: true 77 | DISA_STIG_RHEL_07_010110: true 78 | DISA_STIG_RHEL_07_010119: true 79 | DISA_STIG_RHEL_07_010120: true 80 | DISA_STIG_RHEL_07_010130: true 81 | DISA_STIG_RHEL_07_010140: true 82 | DISA_STIG_RHEL_07_010150: true 83 | DISA_STIG_RHEL_07_010160: true 84 | DISA_STIG_RHEL_07_010170: true 85 | DISA_STIG_RHEL_07_010180: true 86 | DISA_STIG_RHEL_07_010190: true 87 | DISA_STIG_RHEL_07_010200: true 88 | DISA_STIG_RHEL_07_010210: true 89 | DISA_STIG_RHEL_07_010220: true 90 | DISA_STIG_RHEL_07_010230: true 91 | DISA_STIG_RHEL_07_010240: true 92 | DISA_STIG_RHEL_07_010250: true 93 | DISA_STIG_RHEL_07_010260: true 94 | DISA_STIG_RHEL_07_010270: true 95 | DISA_STIG_RHEL_07_010280: true 96 | DISA_STIG_RHEL_07_010290: true 97 | DISA_STIG_RHEL_07_010291: true 98 | DISA_STIG_RHEL_07_010300: true 99 | DISA_STIG_RHEL_07_010310: true 100 | DISA_STIG_RHEL_07_010320: true 101 | DISA_STIG_RHEL_07_010330: true 102 | DISA_STIG_RHEL_07_010339: true 103 | DISA_STIG_RHEL_07_010340: true 104 | DISA_STIG_RHEL_07_010342: true 105 | DISA_STIG_RHEL_07_010343: true 106 | DISA_STIG_RHEL_07_010344: true 107 | DISA_STIG_RHEL_07_010350: true 108 | DISA_STIG_RHEL_07_010375: true 109 | DISA_STIG_RHEL_07_010430: true 110 | DISA_STIG_RHEL_07_010440: true 111 | DISA_STIG_RHEL_07_010450: true 112 | DISA_STIG_RHEL_07_010460: true 113 | DISA_STIG_RHEL_07_010470: true 114 | DISA_STIG_RHEL_07_010481: true 115 | DISA_STIG_RHEL_07_020000: true 116 | DISA_STIG_RHEL_07_020010: true 117 | DISA_STIG_RHEL_07_020022: true 118 | DISA_STIG_RHEL_07_020028: true 119 | DISA_STIG_RHEL_07_020029: true 120 | DISA_STIG_RHEL_07_020030: true 121 | DISA_STIG_RHEL_07_020040: true 122 | DISA_STIG_RHEL_07_020050: true 123 | DISA_STIG_RHEL_07_020060: true 124 | DISA_STIG_RHEL_07_020100: true 125 | DISA_STIG_RHEL_07_020101: true 126 | DISA_STIG_RHEL_07_020110: true 127 | DISA_STIG_RHEL_07_020111: true 128 | DISA_STIG_RHEL_07_020200: true 129 | 
DISA_STIG_RHEL_07_020210: true 130 | DISA_STIG_RHEL_07_020220: true 131 | DISA_STIG_RHEL_07_020230: true 132 | DISA_STIG_RHEL_07_020231: true 133 | DISA_STIG_RHEL_07_020240: true 134 | DISA_STIG_RHEL_07_020260: true 135 | DISA_STIG_RHEL_07_020310: true 136 | DISA_STIG_RHEL_07_020610: true 137 | DISA_STIG_RHEL_07_020620: true 138 | DISA_STIG_RHEL_07_020630: true 139 | DISA_STIG_RHEL_07_020640: true 140 | DISA_STIG_RHEL_07_020650: true 141 | DISA_STIG_RHEL_07_020660: true 142 | DISA_STIG_RHEL_07_020670: true 143 | DISA_STIG_RHEL_07_020680: true 144 | DISA_STIG_RHEL_07_020690: true 145 | DISA_STIG_RHEL_07_020700: true 146 | DISA_STIG_RHEL_07_020710: true 147 | DISA_STIG_RHEL_07_021000: true 148 | DISA_STIG_RHEL_07_021010: true 149 | DISA_STIG_RHEL_07_021020: true 150 | DISA_STIG_RHEL_07_021021: true 151 | DISA_STIG_RHEL_07_021024: true 152 | DISA_STIG_RHEL_07_021040: true 153 | DISA_STIG_RHEL_07_021110: true 154 | DISA_STIG_RHEL_07_021120: true 155 | DISA_STIG_RHEL_07_021300: true 156 | DISA_STIG_RHEL_07_021350: true 157 | DISA_STIG_RHEL_07_021600: true 158 | DISA_STIG_RHEL_07_021610: true 159 | DISA_STIG_RHEL_07_021710: true 160 | DISA_STIG_RHEL_07_030000: true 161 | DISA_STIG_RHEL_07_030010: true 162 | DISA_STIG_RHEL_07_030201: true 163 | DISA_STIG_RHEL_07_030210: true 164 | DISA_STIG_RHEL_07_030211: true 165 | DISA_STIG_RHEL_07_030300: true 166 | DISA_STIG_RHEL_07_030310: true 167 | DISA_STIG_RHEL_07_030320: true 168 | DISA_STIG_RHEL_07_030321: true 169 | DISA_STIG_RHEL_07_030330: true 170 | DISA_STIG_RHEL_07_030340: true 171 | DISA_STIG_RHEL_07_030350: true 172 | DISA_STIG_RHEL_07_030360: true 173 | DISA_STIG_RHEL_07_030370: true 174 | DISA_STIG_RHEL_07_030410: true 175 | DISA_STIG_RHEL_07_030440: true 176 | DISA_STIG_RHEL_07_030510: true 177 | DISA_STIG_RHEL_07_030560: true 178 | DISA_STIG_RHEL_07_030570: true 179 | DISA_STIG_RHEL_07_030580: true 180 | DISA_STIG_RHEL_07_030590: true 181 | DISA_STIG_RHEL_07_030610: true 182 | DISA_STIG_RHEL_07_030620: true 183 | 
DISA_STIG_RHEL_07_030630: true 184 | DISA_STIG_RHEL_07_030640: true 185 | DISA_STIG_RHEL_07_030650: true 186 | DISA_STIG_RHEL_07_030660: true 187 | DISA_STIG_RHEL_07_030670: true 188 | DISA_STIG_RHEL_07_030680: true 189 | DISA_STIG_RHEL_07_030690: true 190 | DISA_STIG_RHEL_07_030700: true 191 | DISA_STIG_RHEL_07_030710: true 192 | DISA_STIG_RHEL_07_030720: true 193 | DISA_STIG_RHEL_07_030740: true 194 | DISA_STIG_RHEL_07_030750: true 195 | DISA_STIG_RHEL_07_030760: true 196 | DISA_STIG_RHEL_07_030770: true 197 | DISA_STIG_RHEL_07_030780: true 198 | DISA_STIG_RHEL_07_030800: true 199 | DISA_STIG_RHEL_07_030810: true 200 | DISA_STIG_RHEL_07_030819: true 201 | DISA_STIG_RHEL_07_030820: true 202 | DISA_STIG_RHEL_07_030830: true 203 | DISA_STIG_RHEL_07_030840: true 204 | DISA_STIG_RHEL_07_030870: true 205 | DISA_STIG_RHEL_07_030871: true 206 | DISA_STIG_RHEL_07_030872: true 207 | DISA_STIG_RHEL_07_030873: true 208 | DISA_STIG_RHEL_07_030874: true 209 | DISA_STIG_RHEL_07_030910: true 210 | DISA_STIG_RHEL_07_031000: true 211 | DISA_STIG_RHEL_07_031010: true 212 | DISA_STIG_RHEL_07_040000: true 213 | DISA_STIG_RHEL_07_040110: true 214 | DISA_STIG_RHEL_07_040160: true 215 | DISA_STIG_RHEL_07_040170: true 216 | DISA_STIG_RHEL_07_040180: true 217 | DISA_STIG_RHEL_07_040190: true 218 | DISA_STIG_RHEL_07_040201: true 219 | DISA_STIG_RHEL_07_040300: true 220 | DISA_STIG_RHEL_07_040310: true 221 | DISA_STIG_RHEL_07_040320: true 222 | DISA_STIG_RHEL_07_040330: true 223 | DISA_STIG_RHEL_07_040340: true 224 | DISA_STIG_RHEL_07_040350: true 225 | DISA_STIG_RHEL_07_040360: true 226 | DISA_STIG_RHEL_07_040370: true 227 | DISA_STIG_RHEL_07_040380: true 228 | DISA_STIG_RHEL_07_040390: true 229 | DISA_STIG_RHEL_07_040400: true 230 | DISA_STIG_RHEL_07_040410: true 231 | DISA_STIG_RHEL_07_040420: true 232 | DISA_STIG_RHEL_07_040430: true 233 | DISA_STIG_RHEL_07_040440: true 234 | DISA_STIG_RHEL_07_040450: true 235 | DISA_STIG_RHEL_07_040460: true 236 | DISA_STIG_RHEL_07_040470: true 237 | 
DISA_STIG_RHEL_07_040500: true 238 | DISA_STIG_RHEL_07_040520: true 239 | DISA_STIG_RHEL_07_040530: true 240 | DISA_STIG_RHEL_07_040540: true 241 | DISA_STIG_RHEL_07_040550: true 242 | DISA_STIG_RHEL_07_040610: true 243 | DISA_STIG_RHEL_07_040611: true 244 | DISA_STIG_RHEL_07_040612: true 245 | DISA_STIG_RHEL_07_040620: true 246 | DISA_STIG_RHEL_07_040630: true 247 | DISA_STIG_RHEL_07_040640: true 248 | DISA_STIG_RHEL_07_040641: true 249 | DISA_STIG_RHEL_07_040650: true 250 | DISA_STIG_RHEL_07_040660: true 251 | DISA_STIG_RHEL_07_040670: true 252 | DISA_STIG_RHEL_07_040680: true 253 | DISA_STIG_RHEL_07_040690: true 254 | DISA_STIG_RHEL_07_040700: true 255 | DISA_STIG_RHEL_07_040710: true 256 | DISA_STIG_RHEL_07_040711: true 257 | DISA_STIG_RHEL_07_040712: true 258 | DISA_STIG_RHEL_07_040720: true 259 | DISA_STIG_RHEL_07_040730: true 260 | DISA_STIG_RHEL_07_040740: true 261 | DISA_STIG_RHEL_07_040750: true 262 | DISA_STIG_RHEL_07_040800: true 263 | DISA_STIG_RHEL_07_040830: true 264 | DISA_STIG_RHEL_07_041001: true 265 | DISA_STIG_RHEL_07_041003: true 266 | DISA_STIG_RHEL_07_041010: true 267 | DISA_STIG_RHEL_07_910055: true 268 | account_disable_post_pw_expiration: true 269 | accounts_have_homedir_login_defs: true 270 | accounts_logon_fail_delay: true 271 | accounts_max_concurrent_login_sessions: true 272 | accounts_maximum_age_login_defs: true 273 | accounts_minimum_age_login_defs: true 274 | accounts_no_uid_except_zero: true 275 | accounts_password_pam_dcredit: true 276 | accounts_password_pam_difok: true 277 | accounts_password_pam_lcredit: true 278 | accounts_password_pam_maxclassrepeat: true 279 | accounts_password_pam_maxrepeat: true 280 | accounts_password_pam_minclass: true 281 | accounts_password_pam_minlen: true 282 | accounts_password_pam_ocredit: true 283 | accounts_password_pam_pwhistory_remember_password_auth: true 284 | accounts_password_pam_pwhistory_remember_system_auth: true 285 | accounts_password_pam_retry: true 286 | 
accounts_password_pam_ucredit: true 287 | accounts_password_set_max_life_existing: true 288 | accounts_password_set_min_life_existing: true 289 | accounts_passwords_pam_faillock_deny: true 290 | accounts_passwords_pam_faillock_deny_root: true 291 | accounts_passwords_pam_faillock_interval: true 292 | accounts_passwords_pam_faillock_unlock_time: true 293 | accounts_tmout: true 294 | accounts_umask_etc_login_defs: true 295 | accounts_umask_interactive_users: true 296 | accounts_user_dot_group_ownership: true 297 | accounts_user_dot_user_ownership: true 298 | accounts_user_interactive_home_directory_exists: true 299 | accounts_users_home_files_groupownership: true 300 | accounts_users_home_files_ownership: true 301 | accounts_users_home_files_permissions: true 302 | aide_build_database: true 303 | aide_periodic_cron_checking: true 304 | aide_scan_notification: true 305 | aide_verify_acls: true 306 | aide_verify_ext_attributes: true 307 | audit_rules_dac_modification_chmod: true 308 | audit_rules_dac_modification_chown: true 309 | audit_rules_dac_modification_fchmod: true 310 | audit_rules_dac_modification_fchmodat: true 311 | audit_rules_dac_modification_fchown: true 312 | audit_rules_dac_modification_fchownat: true 313 | audit_rules_dac_modification_fremovexattr: true 314 | audit_rules_dac_modification_fsetxattr: true 315 | audit_rules_dac_modification_lchown: true 316 | audit_rules_dac_modification_lremovexattr: true 317 | audit_rules_dac_modification_lsetxattr: true 318 | audit_rules_dac_modification_removexattr: true 319 | audit_rules_dac_modification_setxattr: true 320 | audit_rules_execution_chcon: true 321 | audit_rules_execution_semanage: true 322 | audit_rules_execution_setfiles: true 323 | audit_rules_execution_setsebool: true 324 | audit_rules_file_deletion_events_rename: true 325 | audit_rules_file_deletion_events_renameat: true 326 | audit_rules_file_deletion_events_rmdir: true 327 | audit_rules_file_deletion_events_unlink: true 328 | 
audit_rules_file_deletion_events_unlinkat: true 329 | audit_rules_kernel_module_loading_create: true 330 | audit_rules_kernel_module_loading_delete: true 331 | audit_rules_kernel_module_loading_finit: true 332 | audit_rules_kernel_module_loading_init: true 333 | audit_rules_login_events_faillock: true 334 | audit_rules_login_events_lastlog: true 335 | audit_rules_media_export: true 336 | audit_rules_privileged_commands_chage: true 337 | audit_rules_privileged_commands_chsh: true 338 | audit_rules_privileged_commands_crontab: true 339 | audit_rules_privileged_commands_gpasswd: true 340 | audit_rules_privileged_commands_kmod: true 341 | audit_rules_privileged_commands_mount: true 342 | audit_rules_privileged_commands_newgrp: true 343 | audit_rules_privileged_commands_pam_timestamp_check: true 344 | audit_rules_privileged_commands_passwd: true 345 | audit_rules_privileged_commands_postdrop: true 346 | audit_rules_privileged_commands_postqueue: true 347 | audit_rules_privileged_commands_ssh_keysign: true 348 | audit_rules_privileged_commands_su: true 349 | audit_rules_privileged_commands_sudo: true 350 | audit_rules_privileged_commands_umount: true 351 | audit_rules_privileged_commands_unix_chkpwd: true 352 | audit_rules_privileged_commands_userhelper: true 353 | audit_rules_suid_privilege_function: true 354 | audit_rules_sysadmin_actions: true 355 | audit_rules_system_shutdown: true 356 | audit_rules_unsuccessful_file_modification_creat: true 357 | audit_rules_unsuccessful_file_modification_ftruncate: true 358 | audit_rules_unsuccessful_file_modification_open: true 359 | audit_rules_unsuccessful_file_modification_open_by_handle_at: true 360 | audit_rules_unsuccessful_file_modification_openat: true 361 | audit_rules_unsuccessful_file_modification_truncate: true 362 | audit_rules_usergroup_modification_group: true 363 | audit_rules_usergroup_modification_gshadow: true 364 | audit_rules_usergroup_modification_opasswd: true 365 | audit_rules_usergroup_modification_passwd: 
true 366 | audit_rules_usergroup_modification_shadow: true 367 | auditd_audispd_configure_remote_server: true 368 | auditd_audispd_disk_full_action: true 369 | auditd_audispd_encrypt_sent_records: true 370 | auditd_audispd_network_failure_action: true 371 | auditd_audispd_remote_daemon_activated: true 372 | auditd_audispd_remote_daemon_direction: true 373 | auditd_audispd_remote_daemon_path: true 374 | auditd_audispd_remote_daemon_type: true 375 | auditd_data_retention_action_mail_acct: true 376 | auditd_data_retention_space_left_action: true 377 | auditd_data_retention_space_left_percentage: true 378 | auditd_name_format: true 379 | auditd_overflow_action: true 380 | banner_etc_issue: true 381 | chronyd_or_ntpd_set_maxpoll: true 382 | clean_components_post_updating: true 383 | configure_strategy: true 384 | dconf_db_up_to_date: true 385 | dconf_gnome_banner_enabled: true 386 | dconf_gnome_disable_automount: true 387 | dconf_gnome_disable_automount_open: true 388 | dconf_gnome_disable_autorun: true 389 | dconf_gnome_disable_ctrlaltdel_reboot: true 390 | dconf_gnome_disable_user_list: true 391 | dconf_gnome_enable_smartcard_auth: true 392 | dconf_gnome_login_banner_text: true 393 | dconf_gnome_screensaver_idle_activation_enabled: true 394 | dconf_gnome_screensaver_idle_activation_locked: true 395 | dconf_gnome_screensaver_idle_delay: true 396 | dconf_gnome_screensaver_lock_delay: true 397 | dconf_gnome_screensaver_lock_enabled: true 398 | dconf_gnome_screensaver_lock_locked: true 399 | dconf_gnome_screensaver_user_locks: true 400 | dconf_gnome_session_idle_user_locks: true 401 | disable_ctrlaltdel_reboot: true 402 | disable_host_auth: true 403 | disable_strategy: true 404 | disallow_bypass_password_sudo: true 405 | display_login_attempts: true 406 | enable_strategy: true 407 | ensure_gpgcheck_globally_activated: true 408 | ensure_gpgcheck_local_packages: true 409 | ensure_redhat_gpgkey_installed: true 410 | file_groupowner_cron_allow: true 411 | 
file_groupownership_home_directories: true 412 | file_owner_cron_allow: true 413 | file_ownership_home_directories: true 414 | file_permission_user_init_files: true 415 | file_permissions_home_directories: true 416 | file_permissions_sshd_private_key: true 417 | file_permissions_sshd_pub_key: true 418 | file_permissions_var_log_audit: true 419 | gnome_gdm_disable_automatic_login: true 420 | gnome_gdm_disable_guest_login: true 421 | grub2_enable_fips_mode: true 422 | high_complexity: true 423 | high_disruption: true 424 | high_severity: true 425 | install_smartcard_packages: true 426 | kernel_module_dccp_disabled: true 427 | low_complexity: true 428 | low_disruption: true 429 | low_severity: true 430 | medium_complexity: true 431 | medium_disruption: true 432 | medium_severity: true 433 | mount_option_dev_shm_nodev: true 434 | mount_option_dev_shm_noexec: true 435 | mount_option_dev_shm_nosuid: true 436 | mount_option_home_nosuid: true 437 | mount_option_krb_sec_remote_filesystems: true 438 | mount_option_noexec_remote_filesystems: true 439 | mount_option_nosuid_remote_filesystems: true 440 | mount_option_nosuid_removable_partitions: true 441 | network_sniffer_disabled: true 442 | no_empty_passwords: true 443 | no_empty_passwords_etc_shadow: true 444 | no_host_based_files: true 445 | no_reboot_needed: true 446 | no_user_host_based_files: true 447 | package_aide_installed: true 448 | package_mailx_installed: true 449 | package_openssh_server_installed: true 450 | package_rsh_server_removed: true 451 | package_screen_installed: true 452 | package_telnet_server_removed: true 453 | package_tftp_server_removed: true 454 | package_vsftpd_removed: true 455 | package_ypserv_removed: true 456 | patch_strategy: true 457 | postfix_prevent_unrestricted_relay: true 458 | reboot_required: true 459 | require_singleuser_auth: true 460 | restrict_strategy: true 461 | rpm_verify_hashes: true 462 | rpm_verify_ownership: true 463 | rpm_verify_permissions: true 464 | rsyslog_nolisten: 
true 465 | rsyslog_remote_loghost: true 466 | sebool_ssh_sysadm_login: true 467 | security_patches_up_to_date: true 468 | selinux_policytype: true 469 | selinux_state: true 470 | service_auditd_enabled: true 471 | service_autofs_disabled: true 472 | service_firewalld_enabled: true 473 | service_kdump_disabled: true 474 | service_sshd_enabled: true 475 | set_password_hashing_algorithm_libuserconf: true 476 | set_password_hashing_algorithm_logindefs: true 477 | set_password_hashing_algorithm_passwordauth: true 478 | set_password_hashing_algorithm_systemauth: true 479 | skip_ansible_lint: true 480 | smartcard_configure_cert_checking: true 481 | snmpd_not_default_password: true 482 | sshd_allow_only_protocol2: true 483 | sshd_disable_compression: true 484 | sshd_disable_empty_passwords: true 485 | sshd_disable_gssapi_auth: true 486 | sshd_disable_kerb_auth: true 487 | sshd_disable_rhosts: true 488 | sshd_disable_rhosts_rsa: true 489 | sshd_disable_root_login: true 490 | sshd_disable_user_known_hosts: true 491 | sshd_disable_x11_forwarding: true 492 | sshd_do_not_permit_user_env: true 493 | sshd_enable_strictmodes: true 494 | sshd_enable_warning_banner: true 495 | sshd_print_last_log: true 496 | sshd_set_idle_timeout: true 497 | sshd_set_keepalive_0: true 498 | sshd_use_approved_ciphers_ordered_stig: true 499 | sshd_use_approved_kex_ordered_stig: true 500 | sshd_use_approved_macs_ordered_stig: true 501 | sshd_use_priv_separation: true 502 | sshd_x11_use_localhost: true 503 | sssd_ldap_configure_tls_reqcert: true 504 | sssd_ldap_start_tls: true 505 | sudo_remove_no_authenticate: true 506 | sudo_remove_nopasswd: true 507 | sudo_require_reauthentication: true 508 | sudoers_default_includedir: true 509 | sudoers_validate_passwd: true 510 | sysctl_kernel_dmesg_restrict: true 511 | sysctl_kernel_randomize_va_space: true 512 | sysctl_net_ipv4_conf_all_accept_redirects: true 513 | sysctl_net_ipv4_conf_all_accept_source_route: true 514 | sysctl_net_ipv4_conf_all_rp_filter: true 
515 | sysctl_net_ipv4_conf_all_send_redirects: true 516 | sysctl_net_ipv4_conf_default_accept_redirects: true 517 | sysctl_net_ipv4_conf_default_accept_source_route: true 518 | sysctl_net_ipv4_conf_default_rp_filter: true 519 | sysctl_net_ipv4_conf_default_send_redirects: true 520 | sysctl_net_ipv4_icmp_echo_ignore_broadcasts: true 521 | sysctl_net_ipv4_ip_forward: true 522 | sysctl_net_ipv6_conf_all_accept_source_route: true 523 | tftpd_uses_secure_mode: true 524 | unknown_strategy: true 525 | wireless_disable_interfaces: true 526 | xwindows_remove_packages: true 527 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for rhel7-role-stig-rhel7-disa -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | role_name: rhel7_stig 3 | author: ComplianceAsCode development team 4 | description: DISA STIG for Red Hat Enterprise Linux 7 5 | 6 | issue_tracker_url: https://github.com/ComplianceAsCode/content/issues 7 | 8 | license: BSD-3-Clause 9 | 10 | min_ansible_version: 2.9 11 | 12 | platforms: 13 | - name: EL 14 | versions: 15 | - 7 16 | 17 | galaxy_tags: [system, hardening, openscap, ssg, scap, security, compliance, complianceascode, 18 | redhatofficial, redhat, rhel7, stig, disa] 19 | 20 | 21 | dependencies: [] 22 | -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | gather_facts: true 5 | become: true 6 | 7 | roles: 8 | - role: redhatofficial.rhel7-stig 9 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | driver: 5 | name: docker 6 | platforms: 7 | - name: instance 8 | image: centos:8 9 | command: /sbin/init 10 | tmpfs: 11 | - /run 12 | - /tmp 13 | volumes: 14 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 15 | privileged: true 16 | pre_build_image: false 17 | provisioner: 18 | name: ansible 19 | config_options: 20 | defaults: 21 | local_tmp: /tmp/ 22 | remote_tmp: /tmp/ 23 | playbooks: 24 | converge: ${MOLECULE_PLAYBOOK:-converge.yml} 25 | scenario: 26 | name: default 27 | test_sequence: 28 | - lint 29 | - cleanup 30 | - destroy 31 | - syntax 32 | - create 33 | - prepare 34 | - converge 35 | # - idempotence 36 | - cleanup 37 | - destroy 38 | -------------------------------------------------------------------------------- /molecule/default/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This is an example playbook to execute Ansible tests. 3 | 4 | - name: Verify 5 | hosts: all 6 | gather_facts: false 7 | tasks: 8 | - name: Example assertion 9 | assert: 10 | that: true 11 | -------------------------------------------------------------------------------- /molecule/docker/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | tasks: 5 | - name: "Include ansible-role-rhel7-stig" 6 | include_role: 7 | name: "ansible-role-rhel7-stig" 8 | -------------------------------------------------------------------------------- /molecule/docker/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | driver: 5 | name: docker 6 | lint: | 7 | set -ex 8 | yamllint . 9 | ansible-lint . 
10 | flake8 11 | platforms: 12 | - name: instance 13 | image: quay.io/cmatos/molecule-centos7 14 | volumes: 15 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 16 | command: /usr/sbin/init 17 | capabilities: 18 | - ALL 19 | privileged: true 20 | pull: false 21 | groups: 22 | - docker 23 | provisioner: 24 | name: ansible 25 | scenario: 26 | test_sequence: 27 | - lint 28 | - destroy 29 | - syntax 30 | - create 31 | - prepare 32 | - converge 33 | - destroy 34 | verifier: 35 | name: ansible 36 | -------------------------------------------------------------------------------- /molecule/docker/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This is an example playbook to execute Ansible tests. 3 | 4 | - name: Verify 5 | hosts: all 6 | gather_facts: false 7 | tasks: 8 | - name: Example assertion 9 | assert: 10 | that: true 11 | -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | 3 | -------------------------------------------------------------------------------- /tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | connection: local 4 | become: true 5 | roles: 6 | - ansible-role-rhel7-stig 7 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for rhel7_stig 3 | --------------------------------------------------------------------------------