diff --git a/salt/stig/files/so-stig b/salt/stig/files/so-stig index 964bb7879..7e4799ad8 100644 --- a/salt/stig/files/so-stig +++ b/salt/stig/files/so-stig @@ -24,18 +24,19 @@ logCmd() { apply_stigs(){ if [ ! -f $stig_log/pre-oscap-report.html ]; then - echo "Running an OSCAP eval before modifying system for the first time" oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml fi - echo "Manually applying STIGs not remediated by OSCAP" - echo "Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" + + echo -e "\nRunning custom OSCAP profile to remediate applicable STIGs\n" + logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml" + + # Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf" fi - - echo "Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" + # Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then echo "ctrl-alt-del.target is already masked" else @@ -43,11 +44,11 @@ apply_stigs(){ logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target" fi - echo "Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords" + # Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords sed -i 's/ nullok//g' /etc/pam.d/password-auth sed -i 's/ nullok//g' /etc/pam.d/system-auth - echo "Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" + # Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config" @@ -55,7 +56,7 @@ apply_stigs(){ logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config" fi - echo "Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377" + # Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377 if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config" @@ -63,11 +64,9 @@ apply_stigs(){ logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config" fi - echo "Running custom OSCAP profile to remediate applicable STIGs" - logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml" echo "Running OSCAP scan to verify application of STIGs" - oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml + oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > /dev/null 2>&1 } if is_feature_enabled "stig" >/dev/null 2>&1; then