diff --git a/doc/metadata/rhel7/RHEL-07-030492.rst b/doc/metadata/rhel7/RHEL-07-030492.rst index 8662a36c..d372cd48 100644 --- a/doc/metadata/rhel7/RHEL-07-030492.rst +++ b/doc/metadata/rhel7/RHEL-07-030492.rst @@ -1,7 +1,13 @@ --- id: RHEL-07-030492 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time an account is accessed. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_account_access: no diff --git a/doc/metadata/rhel7/RHEL-07-030510.rst b/doc/metadata/rhel7/RHEL-07-030510.rst index 56812a8e..8d356b93 100644 --- a/doc/metadata/rhel7/RHEL-07-030510.rst +++ b/doc/metadata/rhel7/RHEL-07-030510.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030510 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``passwd`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_passwd_command: no diff --git a/doc/metadata/rhel7/RHEL-07-030511.rst b/doc/metadata/rhel7/RHEL-07-030511.rst index dde2167e..9d753c89 100644 --- a/doc/metadata/rhel7/RHEL-07-030511.rst +++ b/doc/metadata/rhel7/RHEL-07-030511.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030511 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``unix_chkpwd`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_unix_chkpwd: no diff --git a/doc/metadata/rhel7/RHEL-07-030512.rst b/doc/metadata/rhel7/RHEL-07-030512.rst index 50c77055..1ac26d8d 100644 --- a/doc/metadata/rhel7/RHEL-07-030512.rst +++ b/doc/metadata/rhel7/RHEL-07-030512.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030512 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``gpasswd`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_gpasswd: no diff --git a/doc/metadata/rhel7/RHEL-07-030513.rst b/doc/metadata/rhel7/RHEL-07-030513.rst index 316981a2..4eba7144 100644 --- a/doc/metadata/rhel7/RHEL-07-030513.rst +++ b/doc/metadata/rhel7/RHEL-07-030513.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030513 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``chage`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_chage: no diff --git a/doc/metadata/rhel7/RHEL-07-030514.rst b/doc/metadata/rhel7/RHEL-07-030514.rst index 1fecf60c..ff5ee437 100644 --- a/doc/metadata/rhel7/RHEL-07-030514.rst +++ b/doc/metadata/rhel7/RHEL-07-030514.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030514 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``userhelper`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_userhelper: no diff --git a/doc/metadata/rhel7/RHEL-07-030521.rst b/doc/metadata/rhel7/RHEL-07-030521.rst index fa1942dc..9fbe104a 100644 --- a/doc/metadata/rhel7/RHEL-07-030521.rst +++ b/doc/metadata/rhel7/RHEL-07-030521.rst @@ -1,7 +1,13 @@ --- id: RHEL-07-030521 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``su`` command is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_su: no diff --git a/doc/metadata/rhel7/RHEL-07-030522.rst b/doc/metadata/rhel7/RHEL-07-030522.rst index eb0c9a26..91aa72da 100644 --- a/doc/metadata/rhel7/RHEL-07-030522.rst +++ b/doc/metadata/rhel7/RHEL-07-030522.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030522 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``sudo`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_sudo: no diff --git a/doc/metadata/rhel7/RHEL-07-030523.rst b/doc/metadata/rhel7/RHEL-07-030523.rst index 94490e72..1d2c32ff 100644 --- a/doc/metadata/rhel7/RHEL-07-030523.rst +++ b/doc/metadata/rhel7/RHEL-07-030523.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030523 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time a user manages the +configuration files for ``sudo``. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_sudo_config_changes: no diff --git a/doc/metadata/rhel7/RHEL-07-030524.rst b/doc/metadata/rhel7/RHEL-07-030524.rst index 958a6de1..496982ca 100644 --- a/doc/metadata/rhel7/RHEL-07-030524.rst +++ b/doc/metadata/rhel7/RHEL-07-030524.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030524 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``newgrp`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_newgrp: no diff --git a/doc/metadata/rhel7/RHEL-07-030525.rst b/doc/metadata/rhel7/RHEL-07-030525.rst index 5c264adb..3fecdc10 100644 --- a/doc/metadata/rhel7/RHEL-07-030525.rst +++ b/doc/metadata/rhel7/RHEL-07-030525.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030525 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``chsh`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_chsh: no diff --git a/doc/metadata/rhel7/RHEL-07-030526.rst b/doc/metadata/rhel7/RHEL-07-030526.rst index 0da9311f..050338f0 100644 --- a/doc/metadata/rhel7/RHEL-07-030526.rst +++ b/doc/metadata/rhel7/RHEL-07-030526.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030526 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``sudoedit`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_sudoedit: no diff --git a/doc/metadata/rhel7/RHEL-07-030530.rst b/doc/metadata/rhel7/RHEL-07-030530.rst index e8069e54..366930a0 100644 --- a/doc/metadata/rhel7/RHEL-07-030530.rst +++ b/doc/metadata/rhel7/RHEL-07-030530.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030530 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``mount`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_mount: no diff --git a/doc/metadata/rhel7/RHEL-07-030531.rst b/doc/metadata/rhel7/RHEL-07-030531.rst index b4397b76..a5b0adbb 100644 --- a/doc/metadata/rhel7/RHEL-07-030531.rst +++ b/doc/metadata/rhel7/RHEL-07-030531.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030531 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``umount`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_umount: no diff --git a/doc/metadata/rhel7/RHEL-07-030540.rst b/doc/metadata/rhel7/RHEL-07-030540.rst index baf675b9..83cfc481 100644 --- a/doc/metadata/rhel7/RHEL-07-030540.rst +++ b/doc/metadata/rhel7/RHEL-07-030540.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030540 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``postdrop`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_postdrop: no diff --git a/doc/metadata/rhel7/RHEL-07-030541.rst b/doc/metadata/rhel7/RHEL-07-030541.rst index 797f721d..ffb02449 100644 --- a/doc/metadata/rhel7/RHEL-07-030541.rst +++ b/doc/metadata/rhel7/RHEL-07-030541.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030541 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``postqueue`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_postqueue: no diff --git a/doc/metadata/rhel7/RHEL-07-030550.rst b/doc/metadata/rhel7/RHEL-07-030550.rst index 8c2a24e1..c8783d8f 100644 --- a/doc/metadata/rhel7/RHEL-07-030550.rst +++ b/doc/metadata/rhel7/RHEL-07-030550.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030550 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``ssh-keysign`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_ssh_keysign: no diff --git a/doc/metadata/rhel7/RHEL-07-030560.rst b/doc/metadata/rhel7/RHEL-07-030560.rst index de23f896..3a17d30a 100644 --- a/doc/metadata/rhel7/RHEL-07-030560.rst +++ b/doc/metadata/rhel7/RHEL-07-030560.rst @@ -1,7 +1,18 @@ --- id: RHEL-07-030560 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``pt_chown`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_pt_chown: no + +.. note:: + + No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available. diff --git a/doc/metadata/rhel7/RHEL-07-030561.rst b/doc/metadata/rhel7/RHEL-07-030561.rst index 8a8ee1d1..082eec51 100644 --- a/doc/metadata/rhel7/RHEL-07-030561.rst +++ b/doc/metadata/rhel7/RHEL-07-030561.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030561 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``crontab`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_crontab: no diff --git a/doc/metadata/rhel7/RHEL-07-030630.rst b/doc/metadata/rhel7/RHEL-07-030630.rst index 2b9a9155..74af5fbc 100644 --- a/doc/metadata/rhel7/RHEL-07-030630.rst +++ b/doc/metadata/rhel7/RHEL-07-030630.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030630 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``pam_timestamp_check`` +command is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_pam_timestamp_check: no diff --git a/doc/metadata/rhel7/RHEL-07-030670.rst b/doc/metadata/rhel7/RHEL-07-030670.rst index d747598a..4cc9bdb6 100644 --- a/doc/metadata/rhel7/RHEL-07-030670.rst +++ b/doc/metadata/rhel7/RHEL-07-030670.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030670 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``init_module`` command +is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_init_module: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030671.rst b/doc/metadata/rhel7/RHEL-07-030671.rst index c1337dd5..c6edfe08 100644 --- a/doc/metadata/rhel7/RHEL-07-030671.rst +++ b/doc/metadata/rhel7/RHEL-07-030671.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030671 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``delete_module`` +command is used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_delete_module: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030672.rst b/doc/metadata/rhel7/RHEL-07-030672.rst index 71acf328..53201b9f 100644 --- a/doc/metadata/rhel7/RHEL-07-030672.rst +++ b/doc/metadata/rhel7/RHEL-07-030672.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030672 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``insmod`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_insmod: no diff --git a/doc/metadata/rhel7/RHEL-07-030673.rst b/doc/metadata/rhel7/RHEL-07-030673.rst index e9ccda14..ac8344ac 100644 --- a/doc/metadata/rhel7/RHEL-07-030673.rst +++ b/doc/metadata/rhel7/RHEL-07-030673.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030673 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``rmmod`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_rmmod: no diff --git a/doc/metadata/rhel7/RHEL-07-030674.rst b/doc/metadata/rhel7/RHEL-07-030674.rst index b3f33fd8..1517baae 100644 --- a/doc/metadata/rhel7/RHEL-07-030674.rst +++ b/doc/metadata/rhel7/RHEL-07-030674.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-030674 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``modprobe`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_modprobe: no diff --git a/doc/metadata/rhel7/RHEL-07-030710.rst b/doc/metadata/rhel7/RHEL-07-030710.rst index 22638aed..33d67e44 100644 --- a/doc/metadata/rhel7/RHEL-07-030710.rst +++ b/doc/metadata/rhel7/RHEL-07-030710.rst @@ -1,7 +1,20 @@ --- id: RHEL-07-030710 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time that an account is modified. +This includes changes to the following files: + +* ``/etc/group`` +* ``/etc/passwd`` +* ``/etc/gshadow`` +* ``/etc/shadow`` +* ``/etc/security/opasswd`` + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_account_actions: no diff --git a/doc/metadata/rhel7/RHEL-07-030750.rst b/doc/metadata/rhel7/RHEL-07-030750.rst index 27b88ad4..420fba6c 100644 --- a/doc/metadata/rhel7/RHEL-07-030750.rst +++ b/doc/metadata/rhel7/RHEL-07-030750.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030750 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``rename`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_rename: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030751.rst b/doc/metadata/rhel7/RHEL-07-030751.rst index 01a9e115..29308a5a 100644 --- a/doc/metadata/rhel7/RHEL-07-030751.rst +++ b/doc/metadata/rhel7/RHEL-07-030751.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030751 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``renameat`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_renameat: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030752.rst b/doc/metadata/rhel7/RHEL-07-030752.rst index 40e62a0c..085021d0 100644 --- a/doc/metadata/rhel7/RHEL-07-030752.rst +++ b/doc/metadata/rhel7/RHEL-07-030752.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030752 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``rmdir`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_rmdir: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030753.rst b/doc/metadata/rhel7/RHEL-07-030753.rst index 81162e6e..398d7825 100644 --- a/doc/metadata/rhel7/RHEL-07-030753.rst +++ b/doc/metadata/rhel7/RHEL-07-030753.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030753 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``unlink`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_unlink: no + +This rule is compatible with x86, x86_64, and ppc64 architectures. diff --git a/doc/metadata/rhel7/RHEL-07-030754.rst b/doc/metadata/rhel7/RHEL-07-030754.rst index f75b23d7..b4e0aa4a 100644 --- a/doc/metadata/rhel7/RHEL-07-030754.rst +++ b/doc/metadata/rhel7/RHEL-07-030754.rst @@ -1,7 +1,16 @@ --- id: RHEL-07-030754 -status: not implemented -tag: misc +status: implemented +tag: auditd --- -This STIG requirement is not yet implemented. +The tasks add a rule to auditd that logs each time the ``unlinkat`` command is +used. + +Deployers can opt-out of this change by setting an Ansible variable: + +.. code-block:: yaml + + security_rhel7_audit_unlinkat: no + +This rule is compatible with x86, x86_64, and ppc64 architectures.