diff --git a/defaults/main.yml b/defaults/main.yml
index f57d7eca..3f05db57 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -389,39 +389,62 @@ security_unattended_upgrades_notifications: false #security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330 # Encrypt audit records when they are transmitted over the network. #security_audisp_enable_krb5: yes # RHEL-07-030331 -# Rules for auditd are enabled if 'yes', disabled if 'no'. See the -# documentation for each STIG control before enabling or disabling any rules. -security_rhel7_audit_account_access: yes # RHEL-07-030492 -security_rhel7_audit_passwd_command: yes # RHEL-07-030510 -security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511 -security_rhel7_audit_gpasswd: yes # RHEL-07-030512 -security_rhel7_audit_chage: yes # RHEL-07-030513 -security_rhel7_audit_userhelper: yes # RHEL-07-030514 -security_rhel7_audit_su: yes # RHEL-07-030521 -security_rhel7_audit_sudo: yes # RHEL-07-030522 -security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523 -security_rhel7_audit_newgrp: yes # RHEL-07-030524 +# Add audit rules for commands/syscalls. security_rhel7_audit_chsh: yes # RHEL-07-030525 -security_rhel7_audit_sudoedit: yes # RHEL-07-030526 +security_rhel7_audit_chage: yes # RHEL-07-030513 +security_rhel7_audit_chcon: yes # RHEL-07-030443 +security_rhel7_audit_chmod: no # RHEL-07-030390 +security_rhel7_audit_chown: no # RHEL-07-030380 +security_rhel7_audit_creat: yes # RHEL-07-030420 +security_rhel7_audit_crontab: yes # RHEL-07-030561 +security_rhel7_audit_delete_module: yes # RHEL-07-030671 +security_rhel7_audit_fchmod: no # RHEL-07-030391 +security_rhel7_audit_fchmodat: no # RHEL-07-030392 +security_rhel7_audit_fchown: no # RHEL-07-030381 +security_rhel7_audit_fchownat: no # RHEL-07-030383 +security_rhel7_audit_fremovexattr: no # RHEL-07-030404 +security_rhel7_audit_fsetxattr: no # RHEL-07-030401 +security_rhel7_audit_ftruncate: yes # RHEL-07-030425 +security_rhel7_audit_init_module: yes # RHEL-07-030670 +security_rhel7_audit_gpasswd: yes # RHEL-07-030512 +security_rhel7_audit_lchown: no # RHEL-07-030382 
+security_rhel7_audit_lremovexattr: no # RHEL-07-030405 +security_rhel7_audit_lsetxattr: no # RHEL-07-030402 security_rhel7_audit_mount: yes # RHEL-07-030530 -security_rhel7_audit_umount: yes # RHEL-07-030531 +security_rhel7_audit_newgrp: yes # RHEL-07-030524 +security_rhel7_audit_open: yes # RHEL-07-030421 +security_rhel7_audit_openat: yes # RHEL-07-030422 +security_rhel7_audit_open_by_handle_at: yes # RHEL-07-030423 +security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630 +security_rhel7_audit_passwd: yes # RHEL-07-030510 security_rhel7_audit_postdrop: yes # RHEL-07-030540 security_rhel7_audit_postqueue: yes # RHEL-07-030541 -security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550 security_rhel7_audit_pt_chown: yes # RHEL-07-030560 -security_rhel7_audit_crontab: yes # RHEL-07-030561 -security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630 -security_rhel7_audit_init_module: yes # RHEL-07-030670 -security_rhel7_audit_delete_module: yes # RHEL-07-030671 +security_rhel7_audit_removexattr: no # RHEL-07-030403 +security_rhel7_audit_rename: yes # RHEL-07-030750 +security_rhel7_audit_renameat: yes # RHEL-07-030751 +security_rhel7_audit_restorecon: yes # RHEL-07-030444 +security_rhel7_audit_rmdir: yes # RHEL-07-030752 +security_rhel7_audit_semanage: yes # RHEL-07-030441 +security_rhel7_audit_setsebool: yes # RHEL-07-030442 +security_rhel7_audit_setxattr: no # RHEL-07-030400 +security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550 +security_rhel7_audit_su: yes # RHEL-07-030521 +security_rhel7_audit_sudo: yes # RHEL-07-030522 +security_rhel7_audit_sudoedit: yes # RHEL-07-030526 +security_rhel7_audit_truncate: yes # RHEL-07-030424 +security_rhel7_audit_umount: yes # RHEL-07-030531 +security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511 +security_rhel7_audit_unlink: yes # RHEL-07-030753 +security_rhel7_audit_unlinkat: yes # RHEL-07-030754 +security_rhel7_audit_userhelper: yes # RHEL-07-030514 +# Add audit rules for other events. 
+security_rhel7_audit_account_access: yes # RHEL-07-030490 +security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523 security_rhel7_audit_insmod: yes # RHEL-07-030672 security_rhel7_audit_rmmod: yes # RHEL-07-030673 security_rhel7_audit_modprobe: yes # RHEL-07-030674 security_rhel7_audit_account_actions: yes # RHEL-07-030710 -security_rhel7_audit_rename: yes # RHEL-07-030750 -security_rhel7_audit_renameat: yes # RHEL-07-030751 -security_rhel7_audit_rmdir: yes # RHEL-07-030752 -security_rhel7_audit_unlink: yes # RHEL-07-030753 -security_rhel7_audit_unlinkat: yes # RHEL-07-030754 ## Authentication (auth) # Disallow logins from accounts with blank/null passwords via PAM. diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml index 824ae3cd..b2417f72 100644 --- a/tasks/rhel7stig/auditd.yml +++ b/tasks/rhel7stig/auditd.yml @@ -21,6 +21,11 @@ tags: - always +- name: Load variables for audited commands + include_vars: audit.yml + tags: + - always + - name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited lineinfile: dest: /etc/audisp/audisp-remote.conf 
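Review bot: In the defaults/main.yml hunk the toggle `security_rhel7_audit_passwd_command` is replaced by `security_rhel7_audit_passwd`, so a deployment that still overrides the old name keeps running but the override no longer affects the RHEL-07-030510 rule. Either keep the old name as a fallback, `security_rhel7_audit_passwd: "{{ security_rhel7_audit_passwd_command | default(true) }}"`, or call the rename out in the release notes. The hunk also removes the comment that told deployers to read each STIG control, while the new chmod, chown and *xattr toggles default to `no` with no reason given. I would add a line above them such as `# Disabled by default (<reason>); enable to meet the listed STIG controls.` so the gap in audit coverage is a documented choice.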
@@ -79,33 +84,57 @@ - generate auditd rules tags: - auditd - - RHEL-07-030492 - - RHEL-07-030510 - - RHEL-07-030511 - - RHEL-07-030512 - - RHEL-07-030513 - - RHEL-07-030514 - - RHEL-07-030521 - - RHEL-07-030522 - - RHEL-07-030523 - - RHEL-07-030524 - RHEL-07-030525 - - RHEL-07-030526 + - RHEL-07-030513 + - RHEL-07-030443 + - RHEL-07-030390 + - RHEL-07-030380 + - RHEL-07-030420 + - RHEL-07-030561 + - RHEL-07-030671 + - RHEL-07-030391 + - RHEL-07-030392 + - RHEL-07-030381 + - RHEL-07-030383 + - RHEL-07-030404 + - RHEL-07-030401 + - RHEL-07-030425 + - RHEL-07-030670 + - RHEL-07-030512 + - RHEL-07-030382 + - RHEL-07-030405 + - RHEL-07-030402 - RHEL-07-030530 - - RHEL-07-030531 + - RHEL-07-030524 + - RHEL-07-030421 + - RHEL-07-030422 + - RHEL-07-030423 + - RHEL-07-030630 + - RHEL-07-030510 - RHEL-07-030540 - RHEL-07-030541 - - RHEL-07-030550 - RHEL-07-030560 - - RHEL-07-030561 - - RHEL-07-030630 - - RHEL-07-030670 - - RHEL-07-030671 + - RHEL-07-030403 + - RHEL-07-030750 + - RHEL-07-030751 + - RHEL-07-030444 + - RHEL-07-030752 + - RHEL-07-030441 + - RHEL-07-030442 + - RHEL-07-030400 + - RHEL-07-030550 + - RHEL-07-030521 + - RHEL-07-030522 + - RHEL-07-030526 + - RHEL-07-030424 + - RHEL-07-030531 + - RHEL-07-030511 + - RHEL-07-030753 + - RHEL-07-030754 + - RHEL-07-030514 + - RHEL-07-030490 + - RHEL-07-030523 - RHEL-07-030672 - RHEL-07-030673 - RHEL-07-030674 - - RHEL-07-030750 - - RHEL-07-030751 - - RHEL-07-030752 - - RHEL-07-030753 - - RHEL-07-030754 + - RHEL-07-030710 diff --git a/templates/osas-auditd-rhel7.j2 b/templates/osas-auditd-rhel7.j2 index 3a87ddba..abb5ecc0 100644 --- a/templates/osas-auditd-rhel7.j2 +++ b/templates/osas-auditd-rhel7.j2 
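Review bot: The new tag list in tasks/rhel7stig/auditd.yml drops `RHEL-07-030492` and never lists `RHEL-07-030491`, yet the template changed in this same commit writes rules keyed RHEL-07-030490, RHEL-07-030491 and RHEL-07-030492 under `security_rhel7_audit_account_access`. A run limited to either of the missing tags would skip the task that generates the rules file. Add `- RHEL-07-030491` and `- RHEL-07-030492` after `- RHEL-07-030490`. The task itself starts outside this hunk, so its module and remaining arguments are not visible here.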
@@ -1,123 +1,66 @@ +## Rules for auditd deployed by openstack-ansible-security +# Do not edit any of these rules directly. The contents of this file are +# controlled by Ansible variables and each variable is explained in detail +# within the role documentation: +# +# http://docs.openstack.org/developer/openstack-ansible-security/ +# +{# #} +{# The following loop takes a variable called audited_commands (a list of #} +{# dictionaries) and creates audit rules for each audited command or #} +{# syscall. #} +{# #} +# Audited commands and syscalls +{% for audited_command in audited_commands %} +{# #} +{# We replace any dashes in the command with underscores. The variables that #} +{# control the deployment of each rule can only contain underscores. #} +{# #} +{% set command_sanitized = audited_command['command'] | replace('-', '_') %} +{# #} +{# Verify that the variable controlling the rule is enabled and any distro- #} +{# specific requirements are met. #} +{# #} +{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %} +# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited. +{# #} +{# Some audit rules are specific to syscalls. Different rules are needed for #} +{# x86 and ppc64 systems. #} +{# #} +{% if audited_command['arch_specific'] %} +{% for arch in auditd_architectures %} +-a always,exit -F arch={{ arch }} -S {{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }} +{% endfor %} +{% else %} +-a always,exit -F path={{ audited_command['path'] | default('/usr/bin') }}/{{ audited_command['command'] }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k {{ audited_command['stig_id'] }} +{% endif %} +{% endif %} + +{% endfor %} + +# Other audited events +{# #} +{# These events are more specific and require static templating. 
#} +{# #} {% if security_rhel7_audit_account_access | bool %} +# RHEL-07-030490 - The operating system must generate audit records for all +# successful/unsuccessful account access count events. +-w /var/log/tallylog -p wa -k RHEL-07-030490 +# RHEL-07-030491 - The operating system must generate audit records for all +# unsuccessful account access events. +-w /var/run/faillock -p wa -k RHEL-07-030491 # RHEL-07-030492 - The operating system must generate audit records for all # successful account access events. -w /var/log/lastlog -p wa -k RHEL-07-030492 {% endif %} -{% if security_rhel7_audit_passwd_command | bool %} -# RHEL-07-030510 - All uses of the passwd command must be audited. --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030510 -{% endif %} - -{% if security_rhel7_audit_unix_chkpwd | bool %} -# RHEL-07-030511 - All uses of the unix_chkpwd command must be audited. --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030511 -{% endif %} - -{% if security_rhel7_audit_gpasswd | bool %} -# RHEL-07-030512 - All uses of the gpasswd command must be audited. --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030512 -{% endif %} - -{% if security_rhel7_audit_chage | bool %} -# RHEL-07-030513 - All uses of the chage command must be audited. --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030513 -{% endif %} - -{% if security_rhel7_audit_userhelper | bool %} -# RHEL-07-030514 - All uses of the userhelper command must be audited. --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030514 -{% endif %} - -{% if security_rhel7_audit_su | bool %} -# RHEL-07-030521 - All uses of the su command must be audited. 
--a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030521 -{% endif %} - -{% if security_rhel7_audit_sudo | bool %} -# RHEL-07-030522 - All uses of the sudo command must be audited. --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030522 -{% endif %} - {% if security_rhel7_audit_sudo_config_changes | bool %} -# RHEL-07-030523 - The operating system must generate audit records containing the full-text recording of modifications to sudo configuration files. +# RHEL-07-030523 - The operating system must generate audit records containing +# the full-text recording of modifications to sudo configuration files. -w /etc/sudoers -p wa -k RHEL-07-030523 -w /etc/sudoers.d/ -p wa -k RHEL-07-030523 {% endif %} -{% if security_rhel7_audit_newgrp | bool %} -# RHEL-07-030524 - All uses of the newgrp command must be audited. --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030524 -{% endif %} - -{% if security_rhel7_audit_chsh | bool %} -# RHEL-07-030525 - All uses of the chsh command must be audited. --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030525 -{% endif %} - -{% if security_rhel7_audit_sudoedit | bool %} -# RHEL-07-030526 - All uses of the sudoedit command must be audited. --a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030526 -{% endif %} - -{% if security_rhel7_audit_mount | bool %} -# RHEL-07-030530 - All uses of the mount command must be audited. --a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030530 -{% endif %} - -{% if security_rhel7_audit_umount | bool %} -# RHEL-07-030531 - All uses of the umount command must be audited. 
--a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030531 -{% endif %} - -{% if security_rhel7_audit_postdrop | bool %} -# RHEL-07-030540 - All uses of the postdrop command must be audited. --a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030540 -{% endif %} - -{% if security_rhel7_audit_postqueue | bool %} -# RHEL-07-030541 - All uses of the postqueue command must be audited. --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030541 -{% endif %} - -{% if security_rhel7_audit_ssh_keysign | bool %} -# RHEL-07-030550 - All uses of the ssh-keysign command must be audited. -{% if ansible_os_family | lower == 'debian' %} --a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550 -{% else %} --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030550 -{% endif %} -{% endif %} - -{% if security_rhel7_audit_pt_chown | bool and ansible_os_family | lower == 'redhat' %} -# RHEL-07-030560 - All uses of the pt_chown command must be audited. --a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030560 -{% endif %} - -{% if security_rhel7_audit_crontab | bool %} -# RHEL-07-030561 - All uses of the crontab command must be audited. --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030561 -{% endif %} - -{% if security_rhel7_audit_pam_timestamp_check | bool %} -# RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited. --a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -k RHEL-07-030630 -{% endif %} - -{% if security_rhel7_audit_init_module | bool %} -# RHEL-07-030670 - All uses of the init_module command must be audited. 
-{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670 -{% endfor %} -{% endif %} - -{% if security_rhel7_audit_delete_module | bool %} -# RHEL-07-030671 - All uses of the delete_module command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S delete_module -k RHEL-07-030671 -{% endfor %} -{% endif %} - {% if security_rhel7_audit_insmod | bool %} # RHEL-07-030672 - All uses of the insmod command must be audited. -w /sbin/insmod -p x -F auid!=4294967295 -k RHEL-07-030672 
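Review bot: The generic loop appends `-F perm=x -F auid>=1000 -F auid!=4294967295` to every arch-specific entry, which narrows the init_module and delete_module rules; the lines this hunk removes were `-a always,exit -F arch={{ arch }} -S init_module -k RHEL-07-030670` with no filters at all. With the auid filters, module loads by processes that have no login uid or that belong to system accounts are no longer recorded. As far as I know a `perm=x` field on a `-S` rule matches only execve-class syscalls, so it is worth confirming with `auditctl -l` and a test event on a target host that these rules still fire. I would let an entry carry its own filter string, for example `{{ audited_command['filters'] | default('-F perm=x -F auid>=1000 -F auid!=4294967295') }}`, and set it empty for the two module syscalls. The template continues past the end of this hunk.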
@@ -142,38 +85,3 @@ -w /etc/shadow -p wa -k RHEL-07-030710 -w /etc/security/opasswd -p wa -k RHEL-07-030710 {% endif %} - -{% if security_rhel7_audit_rename | bool %} -# RHEL-07-030750 - All uses of the rename command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S rename -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030750 -{% endfor %} -{% endif %} - -{% if security_rhel7_audit_renameat | bool %} -# RHEL-07-030751 - All uses of the renameat command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S renameat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030751 -{% endfor %} -{% endif %} - -{% if security_rhel7_audit_rmdir | bool %} -# RHEL-07-030752 - All uses of the rmdir command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S rmdir -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030752 -{% endfor %} -{% endif %} - -{% if security_rhel7_audit_unlink | bool %} -# RHEL-07-030753 - All uses of the unlink command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S unlink -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030753 -{% endfor %} -{% endif %} - -{% if security_rhel7_audit_unlinkat | bool %} -# RHEL-07-030754 - All uses of the unlinkat command must be audited. -{% for arch in auditd_architectures %} --a always,exit -F arch={{ arch }} -S unlinkat -F perm=x -F auid>=1000 -F auid!=4294967295 -k RHEL-07-030754 -{% endfor %} -{% endif %} diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..dda450dc --- /dev/null +++ b/vars/audit.yml 
@@ -0,0 +1,162 @@ +--- + +audited_commands: + - command: chsh + stig_id: RHEL-07-030525 + arch_specific: no + - command: chage + stig_id: RHEL-07-030513 + arch_specific: no + - command: chcon + stig_id: RHEL-07-030443 + arch_specific: no + - command: chmod + stig_id: RHEL-07-030390 + arch_specific: yes + - command: chown + stig_id: RHEL-07-030380 + arch_specific: yes + - command: creat + stig_id: RHEL-07-030420 + arch_specific: yes + - command: crontab + stig_id: RHEL-07-030561 + arch_specific: no + - command: delete_module + stig_id: RHEL-07-030671 + arch_specific: yes + - command: fchmod + stig_id: RHEL-07-030391 + arch_specific: yes + - command: fchmodat + stig_id: RHEL-07-030392 + arch_specific: yes + - command: fchown + stig_id: RHEL-07-030381 + arch_specific: yes + - command: fchownat + stig_id: RHEL-07-030383 + arch_specific: yes + - command: fremovexattr + stig_id: RHEL-07-030404 + arch_specific: yes + - command: fsetxattr + stig_id: RHEL-07-030401 + arch_specific: yes + - command: ftruncate + stig_id: RHEL-07-030425 + arch_specific: yes + - command: init_module + stig_id: RHEL-07-030670 + arch_specific: yes + - command: gpasswd + stig_id: RHEL-07-030512 + arch_specific: no + - command: lchown + stig_id: RHEL-07-030382 + arch_specific: yes + - command: lremovexattr + stig_id: RHEL-07-030405 + arch_specific: yes + - command: lsetxattr + stig_id: RHEL-07-030402 + arch_specific: yes + - command: mount + path: /bin + stig_id: RHEL-07-030530 + arch_specific: no + - command: newgrp + stig_id: RHEL-07-030524 + arch_specific: no + - command: open + stig_id: RHEL-07-030421 + arch_specific: yes + - command: openat + stig_id: RHEL-07-030422 + arch_specific: yes + - command: open_by_handle_at + stig_id: RHEL-07-030423 + arch_specific: yes + - command: pam_timestamp_check + path: /sbin + stig_id: RHEL-07-030630 + arch_specific: no + - command: passwd + stig_id: RHEL-07-030510 + arch_specific: no + - command: postdrop + path: /usr/sbin + stig_id: RHEL-07-030540 + 
arch_specific: no + - command: postqueue + path: /usr/sbin + stig_id: RHEL-07-030541 + arch_specific: no + - command: pt_chown + path: /usr/libexec + stig_id: RHEL-07-030560 + arch_specific: no + distro: redhat + - command: removexattr + stig_id: RHEL-07-030403 + arch_specific: yes + - command: rename + stig_id: RHEL-07-030750 + arch_specific: yes + - command: renameat + stig_id: RHEL-07-030751 + arch_specific: yes + - command: restorecon + path: /usr/sbin + stig_id: RHEL-07-030444 + arch_specific: no + - command: rmdir + stig_id: RHEL-07-030752 + arch_specific: yes + - command: semanage + path: /usr/sbin + stig_id: RHEL-07-030441 + arch_specific: no + - command: setsebool + path: /usr/sbin + stig_id: RHEL-07-030442 + arch_specific: no + - command: setxattr + stig_id: RHEL-07-030400 + arch_specific: yes + - command: ssh-keysign + path: "{{ ssh_keysign_path }}" + stig_id: RHEL-07-030550 + arch_specific: no + - command: su + path: /bin + stig_id: RHEL-07-030521 + arch_specific: no + - command: sudo + stig_id: RHEL-07-030522 + arch_specific: no + - command: sudoedit + path: /bin + stig_id: RHEL-07-030526 + arch_specific: no + - command: truncate + stig_id: RHEL-07-030424 + arch_specific: yes + - command: umount + path: /bin + stig_id: RHEL-07-030531 + arch_specific: no + - command: unix_chkpwd + path: /sbin + stig_id: RHEL-07-030511 + arch_specific: no + - command: unlink + stig_id: RHEL-07-030753 + arch_specific: yes + - command: unlinkat + stig_id: RHEL-07-030754 + arch_specific: yes + - command: userhelper + path: /usr/sbin + stig_id: RHEL-07-030514 + arch_specific: no diff --git a/vars/redhat.yml b/vars/redhat.yml index 09091cc5..5b4f3857 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -30,6 +30,7 @@ clamav_service: 'clamd@scan' # Commands grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf" +ssh_keysign_path: /usr/libexec/openssh # RHEL 6 STIG: Packages to add/remove stig_packages: 
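Review bot: vars/audit.yml has no header comment, so the keys an entry may carry can only be learned by reading the template. I would add a comment block above `audited_commands:` stating that `command` is either a binary name or a syscall name, that `arch_specific: yes` marks a syscall rule emitted once per entry in `auditd_architectures`, that `path` defaults to /usr/bin, and that `distro` limits the entry to one `ansible_os_family`. It should also say that every entry needs a matching `security_rhel7_audit_<command>` default (dashes become underscores), because the template lookup is likely to fail on an undefined variable. The same comment should note that `ssh_keysign_path` must be set by the distro vars file; this commit sets it only in vars/redhat.yml and vars/ubuntu.yml.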
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml index b9f027c3..6d466c38 100644 --- a/vars/ubuntu.yml +++ b/vars/ubuntu.yml @@ -33,6 +33,7 @@ clamav_service: clamd # Commands grub_update_cmd: "update-grub" +ssh_keysign_path: /usr/lib/openssh # RHEL 6 STIG: Packages to add/remove stig_packages: