Change rule platforms - Part 4: Individual rules in the "system" group
Many rules currently marked with the machine platform should also be applicable to bootable containers. The reason is that these rules often check configuration that should be applied if the bootable container is deployed and booted on a real system. The applicability of these rules needs to be extended by marking them with the system_with_kernel platform instead.
We change the platforms carefully; we don't perform a blind mass platform replacement, because not every rule that is currently marked as machine should be applicable to bootable containers. For example, partition rules should be evaluated as "not applicable" when scanning a bootable container.
For more details, please read the commit messages of all commits.
Review hints
For normal (non-bootable) containers, run a scan and verify that the rules affected by this change are still evaluated as notapplicable as they were before this change. For example: sudo oscap-podman centos:stream9 xccdf eval --profile stig --report /tmp/report.html build/ssg-cs9-ds.xml
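The review hint above asks to confirm that the rules touched by this change still come out as notapplicable on a plain container. The script below is added here as an example (it is not part of the ComplianceAsCode project): it pulls the rule IDs whose platform hunk adds oval:ssg-system_with_kernel:def:1 out of the auto-generated datastream diff text and compares them with the rule-result elements of an XCCDF results file (the XML written by oscap's --results option, rather than the HTML report). The diff excerpt and results document embedded in it are constructed samples.

```python
"""Check that rules whose platform became system_with_kernel still evaluate
'notapplicable' on a plain (non-bootable) container scan. Example added for
this PR's review hints, not ComplianceAsCode code; inputs are the datastream
diff text and an XCCDF 1.2 results file (`oscap ... --results`). Samples are
constructed."""
import re
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NEW_PLATFORM = "oval:ssg-system_with_kernel:def:1"
# Section headers emitted by the "Compare DS" check; group 2 is the rule id.
SECTION_RE = re.compile(
    r"^(Platform has been changed|bash remediation|ansible remediation)"
    r" for rule '([^']+)'")

# Constructed excerpt in the PR's diff format (context lines pasted without
# their leading space, exactly as the web page shows them).
SAMPLE_DS_DIFF = """\
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_antivirus'
--- xccdf_org.ssgproject.content_rule_install_antivirus
+++ xccdf_org.ssgproject.content_rule_install_antivirus
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed'
--- xccdf_org.ssgproject.content_rule_package_iptables_installed
+++ xccdf_org.ssgproject.content_rule_package_iptables_installed
@@ -1,4 +1,4 @@
oval:ssg-installed_OS_is_rhcos4_rhel9:def:1
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-service_disabled_nftables:def:1
oval:ssg-service_disabled_ufw:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
"""

# Constructed XCCDF results as a scan of a plain container might produce:
# one changed rule correctly notapplicable, one wrongly evaluated.
SAMPLE_RESULTS = f"""\
<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_install_antivirus"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_iptables_installed"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_banner_etc_motd"><result>pass</result></rule-result>
</TestResult>
"""


def rules_with_new_platform(diff_text, platform=NEW_PLATFORM):
    """Rule ids whose 'Platform has been changed' hunk adds `platform`.
    Only section headers and '+' lines are interpreted, so context lines
    that lost their leading space do not confuse the parser."""
    rules, current = set(), None
    for line in diff_text.splitlines():
        header = SECTION_RE.match(line)
        if header:  # remediation sections are skipped until the next platform header
            current = header.group(2) if header.group(1).startswith("Platform") else None
        elif (current and line.startswith("+") and not line.startswith("+++")
                and line[1:].strip() == platform):
            rules.add(current)
    return rules


def rule_results(results_xml):
    """Map rule id -> result string from an XCCDF 1.2 results/ARF document."""
    out = {}
    for rr in ET.fromstring(results_xml).iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        if res is not None and res.text:
            out[rr.get("idref")] = res.text.strip()
    return out


def unexpected_results(diff_text, results_xml, expected="notapplicable"):
    """Changed rules that did not evaluate to `expected`; rules absent from
    the scan (not selected by the profile) are reported as 'missing'."""
    results = rule_results(results_xml)
    return {rule: results.get(rule, "missing")
            for rule in sorted(rules_with_new_platform(diff_text))
            if results.get(rule) != expected}


if __name__ == "__main__":  # usage: script.py ds_diff.txt results.xml
    if len(sys.argv) == 3:
        diff_text, results_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:])
    else:
        diff_text, results_xml = SAMPLE_DS_DIFF, SAMPLE_RESULTS
    bad = unexpected_results(diff_text, results_xml)
    for rule, result in bad.items():
        print(f"{rule}: {result} (expected notapplicable)")
    sys.exit(1 if bad else 0)
```

Run it against the saved diff and a results file from the centos:stream9 scan; a non-zero exit means some rule that now carries the system_with_kernel platform was evaluated inside the plain container.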
This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_antivirus'
--- xccdf_org.ssgproject.content_rule_install_antivirus
+++ xccdf_org.ssgproject.content_rule_install_antivirus
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_hids'
--- xccdf_org.ssgproject.content_rule_install_hids
+++ xccdf_org.ssgproject.content_rule_install_hids
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nails_enabled
+++ xccdf_org.ssgproject.content_rule_service_nails_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nails.service'
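Review bot: `if rpm --quiet -q kernel; then` (replacing the `/.dockerenv` and `/run/.containerenv` test) only matches a package named exactly `kernel`, so a host that boots a variant such as `kernel-rt` without the plain `kernel` package installed would now be skipped where the old guard remediated it; please confirm that is acceptable or that the `system_with_kernel` platform and this generated guard account for such variants. Conversely, any non-bootable image that happens to contain the `kernel` package is now remediated, which matches the PR's intent but is a behaviour change worth stating in the commit message.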
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_nails_enabled
+++ xccdf_org.ssgproject.content_rule_service_nails_enabled
@@ -1,3 +1,17 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-28
+ - NIST-800-53-SI-3(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_nails_enabled
+
- name: Enable nails Service - Enable service nails
block:
@@ -13,7 +27,7 @@
masked: false
when:
- '"nails" in ansible_facts.packages'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-28
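Review bot: the outer `when: '"kernel" in ansible_facts.packages'` depends on the new top-level "Gather the package facts" task, while the block's own `- '"nails" in ansible_facts.packages'` condition shows that package facts are already collected inside this block, so the generated playbook now gathers them twice for this rule. Harmless, but in a full-profile playbook every such rule adds another `package_facts` run; consider deduplicating in the generator.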
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_nails_enabled'
--- xccdf_org.ssgproject.content_rule_service_nails_enabled
+++ xccdf_org.ssgproject.content_rule_service_nails_enabled
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_install_mcafee_antivirus'
--- xccdf_org.ssgproject.content_rule_install_mcafee_antivirus
+++ xccdf_org.ssgproject.content_rule_install_mcafee_antivirus
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated'
--- xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated
+++ xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_sudo_installed
+++ xccdf_org.ssgproject.content_rule_package_sudo_installed
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
if ! rpm -q --quiet "sudo" ; then
yum install -y "sudo"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_sudo_installed
+++ xccdf_org.ssgproject.content_rule_package_sudo_installed
@@ -1,8 +1,6 @@
-- name: Ensure sudo is installed
- package:
- name: sudo
- state: present
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82214-8
- NIST-800-53-CM-6(a)
@@ -14,3 +12,20 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
+
+- name: Ensure sudo is installed
+ package:
+ name: sudo
+ state: present
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-82214-8
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_sudo_installed
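Review bot: `when: '"kernel" in ansible_facts.packages'` raises an undefined-variable error instead of skipping the task if the preceding `package_facts` task failed or was skipped on the target (it needs the package manager's Python bindings there); `ansible_facts.packages is defined and "kernel" in ansible_facts.packages` would fail safe. Also note that this hunk pairs with the removal in the previous hunk: the "Ensure sudo is installed" task was moved below the gather task rather than edited in place, which is why the full tag list appears twice.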
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed'
--- xccdf_org.ssgproject.content_rule_package_sudo_installed
+++ xccdf_org.ssgproject.content_rule_package_sudo_installed
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_rng-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
if ! rpm -q --quiet "rng-tools" ; then
yum install -y "rng-tools"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_rng-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed
@@ -1,8 +1,6 @@
-- name: Ensure rng-tools is installed
- package:
- name: rng-tools
- state: present
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82968-9
- DISA-STIG-RHEL-08-010472
@@ -12,3 +10,18 @@
- low_severity
- no_reboot_needed
- package_rng-tools_installed
+
+- name: Ensure rng-tools is installed
+ package:
+ name: rng-tools
+ state: present
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-82968-9
+ - DISA-STIG-RHEL-08-010472
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - package_rng-tools_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'
--- xccdf_org.ssgproject.content_rule_package_rng-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_rng-tools_installed
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
login_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,3 +1,18 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80763-6
+ - DISA-STIG-RHEL-08-010060
+ - NIST-800-171-3.1.9
+ - NIST-800-53-AC-8(a)
+ - NIST-800-53-AC-8(c)
+ - banner_etc_issue
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
- name: XCCDF Value login_banner_text # promote to variable
set_fact:
login_banner_text: !!str
@@ -10,7 +25,7 @@
content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
"\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
"\n") | regex_replace("\\", "") | wordwrap() }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-80763-6
- DISA-STIG-RHEL-08-010060
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue'
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
cis_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86160-9
+ - banner_etc_issue_cis
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value cis_banner_text # promote to variable
set_fact:
cis_banner_text: !!str
@@ -9,7 +20,7 @@
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/issue
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86160-9
- banner_etc_issue_cis
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis'
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_cis
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
remote_login_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86147-6
+ - banner_etc_issue_net
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
- name: XCCDF Value remote_login_banner_text # promote to variable
set_fact:
remote_login_banner_text: !!str
@@ -10,7 +21,7 @@
content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
"\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
"\n") | regex_replace("\\", "") | wordwrap() }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86147-6
- banner_etc_issue_net
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net'
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
cis_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86167-4
+ - banner_etc_issue_net_cis
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value cis_banner_text # promote to variable
set_fact:
cis_banner_text: !!str
@@ -9,7 +20,7 @@
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/issue.net
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86167-4
- banner_etc_issue_net_cis
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis'
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
motd_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83496-0
+ - banner_etc_motd
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
- name: XCCDF Value motd_banner_text # promote to variable
set_fact:
motd_banner_text: !!str
@@ -10,7 +21,7 @@
content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
"\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
"\n") | regex_replace("\\", "") | wordwrap() }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-83496-0
- banner_etc_motd
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd'
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
cis_banner_text=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
@@ -1,3 +1,14 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86145-0
+ - banner_etc_motd_cis
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value cis_banner_text # promote to variable
set_fact:
cis_banner_text: !!str
@@ -8,7 +19,7 @@
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/motd
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86145-0
- banner_etc_motd_cis
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis'
--- xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd_cis
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
+++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
@@ -1,7 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-#!/bin/bash
+if rpm --quiet -q kernel; then
FAILLOCK_CONF_FILES="/etc/security/faillock.conf /etc/pam.d/system-auth /etc/pam.d/password-auth"
faillock_dirs=$(grep -oP "^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)" $FAILLOCK_CONF_FILES \
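Review bot: besides swapping the platform guard, this hunk drops a blank line and a stray `#!/bin/bash` that sat inside the `if` body; that is a separate (welcome) fix and should be called out in the commit message so reviewers of the datastream diff know it is intentional.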
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
+++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
@@ -1,3 +1,18 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86248-2
+ - DISA-STIG-RHEL-08-020027
+ - DISA-STIG-RHEL-08-020028
+ - NIST-800-53-AC-7 (a)
+ - account_password_selinux_faillock_dir
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: An SELinux Context must be configured for the pam_faillock.so records directory
- Get directories from faillock
ansible.builtin.shell: grep -oP '^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)'
@@ -7,7 +22,7 @@
- /etc/security/faillock.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86248-2
- DISA-STIG-RHEL-08-020027
@@ -25,7 +40,7 @@
ansible.builtin.set_fact:
list_faillock_dir: '{{ faillock_output.results | map(attribute=''stdout_lines'')
| flatten }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86248-2
- DISA-STIG-RHEL-08-020027
@@ -45,7 +60,7 @@
state: directory
with_items: '{{ list_faillock_dir }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- item != ""
tags:
- CCE-86248-2
@@ -67,7 +82,7 @@
fi
with_items: '{{ list_faillock_dir }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- item != ""
tags:
- CCE-86248-2
@@ -86,7 +101,7 @@
ansible.builtin.command: restorecon -R -v "{{ item }}"
with_items: '{{ list_faillock_dir }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- item != ""
tags:
- CCE-86248-2
@@ -107,7 +122,7 @@
"The pam_faillock.so dir option is not set in the system.
If this is not expected, make sure pam_faillock.so is properly configured."
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- list_faillock_dir | length == 0
tags:
- CCE-86248-2
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir'
--- xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
+++ xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_account_unique_id'
--- xccdf_org.ssgproject.content_rule_account_unique_id
+++ xccdf_org.ssgproject.content_rule_account_unique_id
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed'
--- xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
+++ xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past'
--- xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past
+++ xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -1,9 +1,26 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-85953-8
+ - DISA-STIG-RHEL-08-010121
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.2
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_empty_passwords_etc_shadow
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Collect users with no password
command: |
awk -F: '!$2 {print $1}' /etc/shadow
register: users_nopasswd
changed_when: false
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-85953-8
- DISA-STIG-RHEL-08-010121
@@ -23,7 +40,7 @@
passwd -l {{ item }}
with_items: '{{ users_nopasswd.stdout_lines }}'
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0
tags:
- CCE-85953-8
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow'
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_ensure_root_password_configured'
--- xccdf_org.ssgproject.content_rule_ensure_root_password_configured
+++ xccdf_org.ssgproject.content_rule_ensure_root_password_configured
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins' differs.
--- xccdf_org.ssgproject.content_rule_no_direct_root_logins
+++ xccdf_org.ssgproject.content_rule_no_direct_root_logins
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
echo > /etc/securetty
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins' differs.
--- xccdf_org.ssgproject.content_rule_no_direct_root_logins
+++ xccdf_org.ssgproject.content_rule_no_direct_root_logins
@@ -1,8 +1,6 @@
-- name: Direct root Logins Not Allowed
- copy:
- dest: /etc/securetty
- content: ''
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-80840-2
- NIST-800-171-3.1.1
@@ -17,3 +15,23 @@
- no_direct_root_logins
- no_reboot_needed
- restrict_strategy
+
+- name: Direct root Logins Not Allowed
+ copy:
+ dest: /etc/securetty
+ content: ''
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-80840-2
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2
+ - PCI-DSSv4-8.6
+ - PCI-DSSv4-8.6.1
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_direct_root_logins
+ - no_reboot_needed
+ - restrict_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_no_direct_root_logins'
--- xccdf_org.ssgproject.content_rule_no_direct_root_logins
+++ xccdf_org.ssgproject.content_rule_no_direct_root_logins
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
var_accounts_tmout=''
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -1,3 +1,21 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80673-7
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSSv4-8.6
+ - PCI-DSSv4-8.6.1
+ - accounts_tmout
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
- name: XCCDF Value var_accounts_tmout # promote to variable
set_fact:
var_accounts_tmout: !!str
@@ -10,7 +28,7 @@
regexp: ^[^#].*TMOUT=.*
replace: typeset -xr TMOUT={{ var_accounts_tmout }}
register: profile_replaced
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-80673-7
- NIST-800-171-3.1.11
@@ -34,7 +52,7 @@
regexp: TMOUT=
line: typeset -xr TMOUT={{ var_accounts_tmout }}
state: present
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-80673-7
- NIST-800-171-3.1.11
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_iptables_installed
+++ xccdf_org.ssgproject.content_rule_package_iptables_installed
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then
+if ( rpm --quiet -q kernel ); then
if ! rpm -q --quiet "iptables" ; then
yum install -y "iptables"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_iptables_installed
+++ xccdf_org.ssgproject.content_rule_package_iptables_installed
@@ -1,9 +1,6 @@
-- name: Ensure iptables is installed
- package:
- name: iptables
- state: present
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] )
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82982-0
- NIST-800-53-CM-6(a)
@@ -14,3 +11,19 @@
- medium_severity
- no_reboot_needed
- package_iptables_installed
+
+- name: Ensure iptables is installed
+ package:
+ name: iptables
+ state: present
+ when: ( "kernel" in ansible_facts.packages )
+ tags:
+ - CCE-82982-0
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-1.4.1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_iptables_installed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_iptables_installed'
--- xccdf_org.ssgproject.content_rule_package_iptables_installed
+++ xccdf_org.ssgproject.content_rule_package_iptables_installed
@@ -1,4 +1,4 @@
oval:ssg-installed_OS_is_rhcos4_rhel9:def:1
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-service_disabled_nftables:def:1
oval:ssg-service_disabled_ufw:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
+++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'ip6tables.service'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
+++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
@@ -1,3 +1,20 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-85955-3
+ - NIST-800-53-AC-4
+ - NIST-800-53-CA-3(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-SC-7(21)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_ip6tables_enabled
+
- name: Verify ip6tables Enabled if Using IPv6 - Enable service ip6tables
block:
@@ -13,7 +30,7 @@
masked: false
when:
- '"iptables-ipv6" in ansible_facts.packages'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-85955-3
- NIST-800-53-AC-4
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_ip6tables_enabled'
--- xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
+++ xccdf_org.ssgproject.content_rule_service_ip6tables_enabled
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q iptables ); then
+if ( rpm --quiet -q iptables && rpm --quiet -q kernel ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'iptables.service'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -30,8 +30,8 @@
masked: false
when:
- '"iptables" in ansible_facts.packages'
- when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
- "container"] and "iptables" in ansible_facts.packages )
+ when: ( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85961-1
- NIST-800-53-AC-4
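Review bot: the regenerated condition wraps as `when: ( "iptables" in ansible_facts.packages and "kernel" in ansible_facts.packages` followed by a lone `)` on the next line. It parses as a multi-line plain scalar, but a stray closing parenthesis on its own line is easy to misread as a YAML error; if the generator's line wrapping can be tuned, keeping the expression on one line would be cleaner.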
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_service_iptables_enabled'
--- xccdf_org.ssgproject.content_rule_service_iptables_enabled
+++ xccdf_org.ssgproject.content_rule_service_iptables_enabled
@@ -1,3 +1,3 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-package_iptables:def:1
oval:ssg-service_disabled_firewalld:def:1
+oval:ssg-system_with_kernel:def:1
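Review bot: this rule now carries three platform definitions (`package_iptables`, `service_disabled_firewalld`, `system_with_kernel`); since the datastream diff flattens them to one line each, please confirm the generated CPE applicability test still joins them with AND, matching the `&&` in the bash guard above, rather than treating them as alternatives. Separately, that bash guard only checks `iptables` and `kernel` and has no counterpart for `service_disabled_firewalld`; that predates this PR but is worth a follow-up since the guard is being regenerated here.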
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
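Review bot: `rpm --quiet -q kernel` matches only a package literally named `kernel`, so a host booted from a variant that does not also install the base package (for example `kernel-rt`) would now skip writing `/etc/modprobe.d/ipv6.conf`, where the old `/.dockerenv` / `/run/.containerenv` test applied it; please check that the `system_with_kernel` OVAL definition and this guard agree, and whether kernel variants should count. Inside a bootable-container build the file is written but, as the `reboot_required` tag says, takes effect only once the image is booted, so the bootable-container test should check the booted result, not just the file.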
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
@@ -1,10 +1,25 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-82872-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_ipv6_option_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
- name: Disable IPv6 Networking kernel module
lineinfile:
create: true
dest: /etc/modprobe.d/ipv6.conf
regexp: ^options\s+ipv6\s+disable=\d
line: options ipv6 disable=1
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82872-3
- NIST-800-53-CM-6(a)
@@ -26,7 +41,7 @@
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82872-3
- NIST-800-53-CM-6(a)
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled'
--- xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -1,3 +1,19 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-85904-1
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +24,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-85904-1
- NIST-800-171-3.1.20
@@ -29,7 +45,7 @@
regexp: ^[\s]*net.ipv6.conf.all.disable_ipv6
replace: '#net.ipv6.conf.all.disable_ipv6'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-85904-1
- NIST-800-171-3.1.20
@@ -50,7 +66,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-85904-1
- NIST-800-171-3.1.20
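Review bot: with the guard now true during a bootable-container build, the `sysctl` task that sets `sysctl_file: /etc/sysctl.conf` with `reload: true` will try to apply the value live (`sysctl -p`) in an environment where `/proc/sys` is usually mounted read-only, which can fail the play even though only the file edit matters until the image boots. Please confirm the playbook completes in a container build, or consider guarding the runtime apply separately from the file edit.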
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -1,3 +1,19 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-86004-9
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +24,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86004-9
- NIST-800-171-3.1.20
@@ -29,7 +45,7 @@
regexp: ^[\s]*net.ipv6.conf.default.disable_ipv6
replace: '#net.ipv6.conf.default.disable_ipv6'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86004-9
- NIST-800-171-3.1.20
@@ -50,7 +66,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86004-9
- NIST-800-171-3.1.20
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -1,3 +1,20 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81006-9
+ - DISA-STIG-RHEL-08-040261
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_ra
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +25,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81006-9
- DISA-STIG-RHEL-08-040261
@@ -29,7 +46,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_ra
replace: '#net.ipv6.conf.all.accept_ra'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81006-9
- DISA-STIG-RHEL-08-040261
@@ -56,7 +73,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81006-9
- DISA-STIG-RHEL-08-040261
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84272-4
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_ra_defrtr
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84272-4
- disable_strategy
@@ -25,7 +37,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr
replace: '#net.ipv6.conf.all.accept_ra_defrtr'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84272-4
- disable_strategy
@@ -47,7 +59,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84272-4
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84280-7
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_ra_pinfo
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84280-7
- disable_strategy
@@ -25,7 +37,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo
replace: '#net.ipv6.conf.all.accept_ra_pinfo'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84280-7
- disable_strategy
@@ -47,7 +59,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84280-7
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84288-0
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84288-0
- disable_strategy
@@ -25,7 +37,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref
replace: '#net.ipv6.conf.all.accept_ra_rtr_pref'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84288-0
- disable_strategy
@@ -47,7 +59,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84288-0
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
@@ -1,3 +1,22 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81009-3
+ - DISA-STIG-RHEL-08-040280
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_redirects
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +27,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81009-3
- DISA-STIG-RHEL-08-040280
@@ -32,7 +51,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81009-3
- DISA-STIG-RHEL-08-040280
@@ -61,7 +80,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81009-3
- DISA-STIG-RHEL-08-040280
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
@@ -1,3 +1,20 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81013-5
+ - DISA-STIG-RHEL-08-040240
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_accept_source_route
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +25,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81013-5
- DISA-STIG-RHEL-08-040240
@@ -30,7 +47,7 @@
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81013-5
- DISA-STIG-RHEL-08-040240
@@ -57,7 +74,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-81013-5
- DISA-STIG-RHEL-08-040240
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84266-6
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_autoconf
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84266-6
- disable_strategy
@@ -24,7 +36,7 @@
regexp: ^[\s]*net.ipv6.conf.all.autoconf
replace: '#net.ipv6.conf.all.autoconf'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84266-6
- disable_strategy
@@ -46,7 +58,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84266-6
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
@@ -1,3 +1,21 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-82863-2
+ - DISA-STIG-RHEL-08-040260
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_forwarding
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +26,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82863-2
- DISA-STIG-RHEL-08-040260
@@ -30,7 +48,7 @@
regexp: ^[\s]*net.ipv6.conf.all.forwarding
replace: '#net.ipv6.conf.all.forwarding'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82863-2
- DISA-STIG-RHEL-08-040260
@@ -58,7 +76,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-82863-2
- DISA-STIG-RHEL-08-040260
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84259-1
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_max_addresses
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84259-1
- disable_strategy
@@ -25,7 +37,7 @@
regexp: ^[\s]*net.ipv6.conf.all.max_addresses
replace: '#net.ipv6.conf.all.max_addresses'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84259-1
- disable_strategy
@@ -47,7 +59,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84259-1
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
@@ -1,3 +1,15 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-84109-8
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_router_solicitations
+ - unknown_severity
+
- name: List /etc/sysctl.d/*.conf files
find:
paths:
@@ -8,7 +20,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84109-8
- disable_strategy
@@ -25,7 +37,7 @@
regexp: ^[\s]*net.ipv6.conf.all.router_solicitations
replace: '#net.ipv6.conf.all.router_solicitations'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84109-8
- disable_strategy
@@ -47,7 +59,7 @@
sysctl_file: /etc/sysctl.conf
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-84109-8
- disable_strategy
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations'
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files
ansible remediation for rule 'xccdf_org.ssgproj
... The diff is trimmed here ...
Code Climate has analyzed commit 2307963b and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 61.0% (0.0% change).
/packit build
Waiving Automatus tests as they are not related to this PR.