I like this role but I would appreciate if it would be possible to separate the check from the correction action. That would allow us to skip certain correction actions if the files touched by the action are managed by other Ansible role. Then we could use ansible-playbook --skip-tags="V-38653-action" site.yaml to run all the STIG checks and correction actions but the V-38653 action.

I downloaded v0.9.4 of this STIG role, and when I run it in --check mode on ansible v2.3.1.0, I get one fatal error. That error is on V-38574 | PATCH. Here is the error:
fatal: [jon-rhel6]: FAILED! => {"failed": true, "msg": "'dict object' has no attribute 'stdout_lines'"}
I'm guessing that the regexp is the root of the problem, but editing the regexp line in the cat2.yml file isn't getting me any different results. Can you give me any ideas on how to troubleshoot this? Note that we are using sha512 for our password hashes, so this check should result in an ok status.
I am running ansible on a fully-patched RedHat 7.4 server.

Currently it is outdated and needs to be updated to the latest revision.

http://iasecontent.disa.mil/stigs/zip/Apr2016/U_RedHat_6_V1R11_STIG.zip

Result for The DHCP client must be disabled if not needed.

Result: fail

Rule ID: SV-50480r2_rule

Time: 2015-04-25 14:53

Severity: medium

These two tasks which currently do the same exact thing, report a change on every single run. The CAT2 task V-51363 is supposed to set the state to enforcing and the CAT3 task V-51369 is supposed to set the policy to targeted (or stronger).

Not sure if this is because:

• the system needs a reboot for it to take effect?
• the selinux module is not functioning properly?
• other?

Version: 0.9

I'm running STIG categories 1 and 2 on a webserver running CentOS 6.7. I'm running into this error:

Traceback (most recent call last):                                                                                     │ * updates: mirror.web-ster.com
  File "/home/centos/.ansible/tmp/ansible-tmp-1440039562.82-112125137340434/cron", line 2117, in <module>              │Resolving Dependencies
    main()                                                                                                             │--> Running transaction check
  File "/home/centos/.ansible/tmp/ansible-tmp-1440039562.82-112125137340434/cron", line 440, in main                   │---> Package cronie.x86_64 0:1.4.4-15.el6 will be installed
    crontab = CronTab(module, user, cron_file)                                                                         │--> Processing Dependency: dailyjobs for package: cronie-1.4.4-15.el6.x86_64
  File "/home/centos/.ansible/tmp/ansible-tmp-1440039562.82-112125137340434/cron", line 178, in __init__               │--> Processing Dependency: /usr/sbin/sendmail for package: cronie-1.4.4-15.el6.x86_64
    self.read()                                                                                                        │--> Running transaction check
  File "/home/centos/.ansible/tmp/ansible-tmp-1440039562.82-112125137340434/cron", line 199, in read                   │---> Package cronie-anacron.x86_64 0:1.4.4-15.el6 will be installed
    raise CronTabError("Unable to read crontab")                                                                       │--> Processing Dependency: crontabs for package: cronie-anacron-1.4.4-15.el6.x86_64
__main__.CronTabError: Unable to read crontab

I've discovered that the CentOS crontab package cronie is getting uninstalled when running task V-38671 Medium The sendmail package must be removed because cronie has a dependency on sendmail. However, cronie is required for the task beginning with V-38670, which fails because cronie is no longer installed. Reinstalling cronie and then running this role fixes the issue but it is undesirable to have to run the role, reinstall cronie, then run the roll again.

Currently only tested against RHEL 6+

The remediation removes the sudoers line entirely rather than just removing the NOPASSWD part, contrary to how the fix looks like it's written.

TASK: [RHEL6-STIG | MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval.] ***
<127.0.0.1> REMOTE_MODULE command grep -hG '^account\s_required\s_pam_faillock.so' /etc/pam.d/system-auth /etc/pam.d/password-auth #USE_SHELL
failed: [centos6] => {"changed": false, "cmd": "grep -hG '^account\s_required\s_pam_faillock.so' /etc/pam.d/system-auth /etc/pam.d/password-auth", "delta": "0:00:00.004716", "end": "2016-04-24 07:05:34.990647", "rc": 1, "start": "2016-04-24 07:05:34.985931", "stdout_lines": [], "warnings": []}

FATAL: all hosts have already failed -- aborting

A regexp error can allow root logins at the console without password in certain cases. Fixed by https://github.com/MindPointGroup/RHEL6-STIG/pull/127

All gconftool-2 tasks run every time without exception.

I have a patch locally that makes these idempotent, and also supports check_mode.

I also see that there's a new upstream ansible module for called 'gconftool2' that would likely do the same thing. The gconftool2 module was also included in ansible 2.3. It would make sense to rewrite these tasks to use the new module at some point, and it might make sense to merge that change the same time as https://github.com/MindPointGroup/RHEL6-STIG/pull/125. Is it worth sending a pull request for my already existing patch that doesn't use the new module?

TASK [RHEL6-STIG : V-38685 Low Temporary accounts must be provisioned with an expiration date] ***
task path: RHEL6-STIG/tasks/cat3.yml:194
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this
will be a fatal error.. This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.

$ ansible-galaxy install -p roles nousdefions.STIG-RHEL6

• downloading role 'STIG-RHEL6', owned by nousdefions
• downloading role from https://github.com/MindPointGroup/RHEL6-STIG/archive/master.tar.gz
• error: failed to download the file.
• nousdefions.STIG-RHEL6 was NOT installed successfully.
• you can use --ignore-errors to skip failed roles.

Receiving a Deprecation Warning that always_run will be removed in Ansible 2.4. Fix is to change "always_run: yes" to "check_mode: no" in (RHEL6-STIG-0.9.3/tasks/ ):

• prelim.yml
• cat1.yml
• cat2.yml
• cat3.yml
• not_automated.yml

I had to mock rhnsd on Centos to make the role work.

TASK: [RHEL6-STIG | V-38478 Low The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite] ***
<127.0.0.1> REMOTE_MODULE command chkconfig rhnsd off && service rhnsd stop #USE_SHELL
changed: [centos6] => {"changed": true, "cmd": "chkconfig rhnsd off && service rhnsd stop", "delta": "0:00:00.026290", "end": "2015-03-19 20:53:17.012627", "failed": false, "failed_when_result": false, "rc": 0, "start": "2015-03-19 20:53:16.986337", "stderr": "", "stdout": "", "stdout_lines": [], "warnings": []}

I noticed that sometimes on a subsequent run of this task it is not idempotent. It trigger a changed result because /usr/bin/screen showed up in the list of setuid/gid programs that needed to be audited.

The only thing I can figure is that the task that gathers the setuid/setgid program list is run in prelim.yml before any other tasks. Then there is a task in cat2.yml that runs and updates all out of date packages. i.e. V-38481. THEN in cat3.yml the setuid/gid list of programs is consumed.

I think moving the task out of prelim and putting it in a task block right before it needs to be consumed makes sense to fix this.

TASK: [nousdefions.STIG-RHEL6 | V-38656 Low The system must use SMB client signing for connecting to samba servers using smbclient] ***
<127.0.0.1> REMOTE_MODULE lineinfile state=present backup=yes dest=/etc/samba/smb.conf regexp='client signing' line='client signing = mandatory' insertafter='[global]'
failed: [centos6] => {"failed": true, "rc": 257}
msg: Destination /etc/samba/smb.conf does not exist !

FATAL: all hosts have already failed -- aborting

This reports a change every time...

TASK: [RHEL6-STIG | V-38496 Medium Default system accounts, other than root, must be locked] ***
<127.0.0.1> REMOTE_MODULE command passwd -l bin
changed: [centos6] => (item=bin) => {"changed": true, "cmd": ["passwd", "-l", "bin"], "delta": "0:00:00.048010", "end": "2015-03-19 20:52:42.964521", "item": "bin", "rc": 0, "start": "2015-03-19 20:52:42.916511", "stderr": "", "stdout": "Locking password for user bin.\npasswd: Success", "warnings": []}

While running the role as packer provisioner to create a base box it crashed the build:

virtualbox-iso: TASK [RHEL6-STIG : MEDIUM | V-38580 | AUDIT | The audit system must be configured to audit the loading and unloading of dynamic kernel modules.] ***
virtualbox-iso: task path: /tmp/packer-provisioner-ansible-local/roles/RHEL6-STIG/tasks/cat2.yml:1701
virtualbox-iso: fatal: [127.0.0.1]: FAILED! => {"changed": false, "cmd": "egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules;grep -w "init_module" /etc/audit/audit.rules; grep -w "init_module" /etc/audit/audit.rules", "delta": "0:00:00.008826", "end": "2016-05-10 22:12:41.606537", "failed": true, "rc": 1, "start": "2016-05-10 22:12:41.597711", "stderr": "", "stdout": "", "stdout_lines": [], "warnings": []}

To replicate:
git clone https://github.com/dockpack/dockpack.git
cd dockpack
make install
packer build -only=virtualbox-iso dockpack-centos6.json

For finding "V-38496 Medium Default system accounts, other than root, must be locked", it locks out all accounts due to "PRELIM | Identify Unlocked Accounts" looking at all entries in the shadow file with passwords and not cross checking the passwd file for system accounts versus user accounts. There is a check "PRELIM | List system accounts" that grabs accounts that do not have a /home/ directory but this isn't necessarily a good way to check since home directories can be anywhere also. The "PRELIM | List system accounts" results are also not used anywhere after they are grabbed.

For my proposed fix, I did a check for user accounts that are not root, then cross checked them against passwd for a UID < 500, since by the standards, 500+ belong to users and 499- should belong to system accounts on Red Hat systems. If someone goes against the standards, this will fail.
PR#24

DISA published v1R17: https://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R17_STIG.zip

Currently it is outdated and needs to be updated to the latest revision

The following:

- name: V-38604 Medium  The ypbind service must not be running
  service: name=ypbind state=stopped enabled=no
  register: ypbind_test
  when: ypbind_test.msg is defined and "'FAIL' not in ypbind_test.msg"
  tags: [ 'cat2' , 'V-38604' , 'insecure_services' , 'ypbind' ]

shouldn't work in ansible v1, but it does and it improperly skips the task every time. The register var being used in the conditional in the same task is not proper.

TODO: Refactor so that the presence of ypbind is checked in a separate task prior to attempting to stop/disabling the service.

Currently there are tasks that remediate multiple rules at the same time. This should not be the case.

Example:

- name: "V-38497 High  The system must not have accounts configured with blank or null passwords\n
        \tV-38658 Medium  The system must prohibit the reuse of passwords within twenty-four iterations\n
        \tV-38574 Medium  The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)\n
        \tV-38482 Low     The system must require passwords to contain at least one numeric character\n
        \tV-38571 Low     The system must require passwords to contain at least one lowercase alphabetic character\n
        \tV-38572 Low     The system must require at least four characters be changed between the old and new passwords during a password change"
  lineinfile: >
    dest={{ item.dest }}
    regexp={{ item.rx }}
    line="{{ item.ln }}"
    backrefs=yes
    follow=yes owner=root group=root mode=0644
  with_items:
    - { rx: "'^(password\\s+requisite\\s+pam_cracklib.so\\s)(.*)$'", ln: "\\1{{rhel6stig_pam_cracklib_params}}", dest: '/etc/pam.d/system-auth' }
    - { rx: "'^(password\\s+requisite\\s+pam_cracklib.so\\s)(.*)$'", ln: "\\1{{rhel6stig_pam_cracklib_params}}", dest: '/etc/pam.d/password-auth' }
    - { rx: "'^(password\\s+sufficient\\s+pam_unix.so\\s)(.*)$'", ln: "\\1{{rhel6stig_pam_unix_params}}", dest: '/etc/pam.d/system-auth' }
    - { rx: "'^(password\\s+sufficient\\s+pam_unix.so\\s)(.*)$'", ln: "\\1{{rhel6stig_pam_unix_params}}", dest: '/etc/pam.d/password-auth' }
    - { rx: "'^(auth\\s+sufficient\\s+pam_unix.so)(.*)$'", ln: "auth        sufficient    {{rhel6stig_pam_auth_sufficient}}", dest: '/etc/pam.d/system-auth' }
    - { rx: "'^(auth\\s+sufficient\\s+pam_unix.so)(.*)$'", ln: "auth        sufficient    {{rhel6stig_pam_auth_sufficient}}", dest: '/etc/pam.d/password-auth' }
  tags: [ 'cat1' , 'cat2' , 'V-38497' , 'V-38658' , 'V-38574' , 'V-38482' , 'V-38571' , 'V-38572' , 'passwords' , 'accounts' ]

This makes it impossible to remediate any of 'V-38497' , 'V-38658' , 'V-38574' , 'V-38482' , 'V-38571' , 'V-38572' on an individual level, hitting one would hit them all. Also, combining varying severity levels is less than ideal as it limits how specific a user can harden a system.

This audit used to work

• name: V-38604 Medium The ypbind service must not be running
  service: name=ypbind state=stopped enabled=no
  register: ypbind_test
  when: ypbind_test.msg is defined and "'FAIL' not in ypbind_test.msg"
  tags: [ 'cat2' , 'V-38604' , 'insecure_services' , 'ypbind' ]

now the below fails when ypbind is not there..

• name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running."
  command: chkconfig "ypbind" --list
  changed_when: no
  ignore_errors: yes
  always_run: yes
  register: ypbind_service_audit
  tags:
  - medium
  - V-38604
  - patch
  - cat2
  - ypbind
  - services

There are certain tasks that require the target machine to have Internet access. A good example is V-38476 which pulls down the GPG signature from a pre-defined URL.

I would suggest having a way for the user to optionally supply the required files or override the gpg_key_url variable in order to be able to run this role against machines in 'air-gapped' sites.

All tags used in this role should be prefixed by some role-specific prefix to avoid conflicts with other roles. I suggest to use rhel6stig_ prefix.

According to https://bugzilla.redhat.com/show_bug.cgi?id=531873, the appropriate way to disable IPv6 is to allow the module to load (by removing "install ipv6 /bin/true") but have the line "options ipv6 disable=1" inside /etc/modprobe.d. The linked bug is for RHEL 5.4, however we have experienced identical behavior on RHEL 6.7.
The SCAP files also do not check for the "/bin/true" line.

This issue is similar to ansible/ansible#6986

By default, on RHEL6, /etc/pam.d/system-auth is a symlink to /etc/pam.d/system-auth-ac. After running this role, system-auth ends up as a file rather than a symlink.

I'll send in a patch for this issue.

When I ran the role in packer, at the end I get a problem:

RUNNING HANDLER [RHEL6-STIG : restart ssh] *************************************
virtualbox-iso: fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "msg": "/etc/ssh/sshd_config: line 140: Bad configuration option: 'Ciphers\r\n/etc/ssh/sshd_config: line 141: Bad configuration option: 'IgnoreRhosts\r\n/etc/ssh/sshd_config: line 142: Bad configuration option: 'HostbasedAuthentication\r\n/etc/ssh/sshd_config: line 143: Bad configuration option: 'PermitRootLogin\r\n/etc/ssh/sshd_config: line 144: Bad configuration option: 'Banner\r\n/etc/ssh/sshd_config: line 145: Bad configuration option: 'PrintLastLog\r\n/etc/ssh/sshd_config: terminating, 6 bad configuration options\r\n"}****

Title The system must not have accounts configured with blank or null passwords.
Rule SV-50298r2_rule
Ident CCE-27038-9
Ident CCI-000366
Result fail

Repeated runs of the role insert these lines over and over again:

[root@centos6 vagrant]# cat /etc/pam.d/system-auth

%PAM-1.0

This file is auto-generated.

User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so

There's currently a bug in Ansible where stdout_lines always appends a new line. This new line causes the file module to choke with "msg": "file () is absent, cannot continue".

I'm working around this by using the difference set filter, for example:

- name: "MEDIUM | V-38465 | PATCH | Library files must have mode 0755 or less permissive"
  file:
      state: file
      mode: "go-w"
      path: "{{ item }}"
  when: library_perms_audit.stdout
  with_items: "{{ library_perms_audit.stdout_lines | difference(['']) }}"
  tags:
      - cat2
      - medium
      - V-38465
      - patch
      - file_perms

The open Ansible issue is here: ansible/ansible#15099. This issue happens in quite a few places in cat2.yml.

The STIG says to set these values:

xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES

We only set the first one.

The download was "0.9.3.tar.gz". Recommend a more descriptive filename like "RHEL6-STIG-0.9.3.tar.gz".

From this:

- name: V-38677 High  The NFS server must not have the insecure file locking option enabled
  replace: dest=/etc/exports regexp='insecure_locks'
  tags: [ 'cat1' , 'V-38677' , 'nfs' ]

to this:

- name: V-38677 High  The NFS server must not have the insecure file locking option enabled
  replace: 
      dest: /etc/exports 
      regexp: 'insecure_locks'
  tags: [ 'cat1' , 'V-38677' , 'nfs' ]

Repeated runs of the role insert these lines over and over again:

[root@centos6 vagrant]# cat /etc/pam.d/password-auth

%PAM-1.0

This file is auto-generated.

User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so

account required pam_unix.so

I think we should remove the rhel6stig_ prefix from all variables. I don't see that it adds anything since they all already exist in the rhel6stig role. Also if you parameterizing the role and arew using a variable when you call it. i.e.

roles:
    - role: "{{ baseline }}"
      rhel6stig_fullauto: true
      rhel6stig_cat2: true
      rhel6stig_cat3: true

or

roles:
    - { role: "{{ baseline }}", rhel6stig_fullauto: true, rhel6stig_cat2: true, rhel6stig_cat3: true, tags: ['cat1', 'rhel6']}

Then those prefixes can become an issue. If I wanted to be able to call rhel6stig, rhel5stig, ubuntu14cis baselines in this way with parameters then it would be a problem. Also as a bonus it makes the variable names shorter.

Will defer to the group for voting on this though.

It would be really great if I could specify what to run as a variable instead of as a tag. For example if I want to always run only audit tasks, I would specify:

rhel6stig_run:
  - audit

and if the task has the following tags:

  tags:
      - cat1
      - high
      - V-38701
      - patch
      - tftp
      - tftp-server
      - unsecure_services

the when: condition would look like this:

when: >
  rhel6stig_run | length == 0 or
  rhel6stig_run in ['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services']

The above could be extended by rhel6stig_ignore variable which would allow to ignore certain subset of the rhel6stig_run. For example if I would like to run all audit tasks but the V-38701, the rhel6stig_ignore variable would look like this:

rhel6stig_ignore:
  - V-38701

and the when: condition in the task like this:

when: >
  rhel6stig_run | length == 0 or (
    rhel6stig_run in ['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services'] and
    intersect(['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services'], rhel6stig_ignore) | len == 0
  )  

Of course the rhel6stig_run as well as the rhel6stig_ignore can have more than one item:

# Expressing: 'audit' in tasks AND 'high' in tasks
rhel6stig_run:
  - audit
  - high

# Expressing: 'ssh' in tasks OR 'rlogin' in tasks OR ''v-38668' in tasks
rhel6stig_ignore:
  - ssh
  - rlogin
  - V-38668

That would run all tasks marked as audit AND high and ignore all tasks marked as ssh, rlogin and V-38668 tasks.

Tonight I was working on integrating this role into another project, and came across a bug (in RHEL/CentOS, not the role). The playbook was failing on firewall related tasks (V-38512 and 38513 in particular) when running against the Vagrant box I am using for the project. I am using the bento/centos6.7 box for this, and have upgraded it to CentOS 6.8.

In any case, the expected behavior for these tasks is that /etc/sysconfig/iptables exists so that when the service iptables start is attempted in line 985 (and subsequent tasks will fail as well) the command will succeed. /etc/sysconfig/iptables is expected to always exist.

In researching this, I came across this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1161682 It appears to impact CentOS and RHEL 6.6 and above, though probably not all install/use cases. This seems to be low priority, but how would the project generally address this? Create a var whose value is set in the PRELIM tasking based on whether that file exists or not? I can make the change, but want to make sure I am taking the consistent approach.

Current role is based on Release 15 and needs to be update do release 16.

The defaults chosen for this project sometimes fail the scap-security-guide checks. It would be nice to create a tailoring file for variables here that would allow ssg to pass its checks. Notably, the daemon umask settings and the audit failure actions do not pass the ssg default checks. (see ComplianceAsCode/content#2755)

CI Pipeline should contain a mechanism that determines if any rules have been left out that exist in the current revision.

Already in progress.

I suggest to enable them whenever based on oscap auditing. I could mitigate findings using these:

• name: 'SV-50440r3_rule'
  command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gnome-screensaver/mode blank-only
• name: 'V-38629 Medium The graphical desktop environment must set the idle timeout to no more than 15 minutes'
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15
• name: 'V-38630 Medium The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment'
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true
• name: 'V-38638 Medium The graphical desktop environment must have automatic lock enabled'
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true

sysctl reload in rule V-38596 fails, but offending key introduced in rule V-38548.

Tried to install the role using: ansible-galaxy install -p roles nousdefions.STIG-RHEL6,devel and got:

- downloading role 'STIG-RHEL6', owned by nousdefions
 [WARNING]: - nousdefions.STIG-RHEL6 was NOT installed successfully: - the specified version (devel) of nousdefions.STIG-RHEL6
was not found in the list of available versions ([{u'name': u'v0.9', u'created': u'2015-03-19T13:22:29.626Z', u'url': u'',
u'release_date': None, u'modified': u'2015-03-19T13:22:29.741Z', u'related': {}, u'id': 3667, u'active': True,
u'summary_fields': {u'role': {u'id': 2955, u'name': u'STIG-RHEL6'}}}]).

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Doesn't seem like this has been uploaded yet to galaxy?

When editing site.yml to change "no" to "yes" for "rhell6_stig_cat2" and "rhel6_stig_cat3", the ansible-playbook still doesn't run those tasks. Could use some guidance on how to make them run and what file to edit so they continue to do so.

And new benchmark. What tools do you use to compare, besides the MK1 eyeball?

I understand that this isn't the best place to post this but I am in dire need of help. I used this role to lock down a VM and it turns out that I had a type in one of the audit rules that is preventing the VM from booting. I did not change the rhel6stig_bootloader_password to something other than 'random'. I misread the description and thought you had to leave it has random if you wanted to be able to access the bootloader. Is there anyway possible to recover the random password generated by grub-crypt?