Add Centos-8 support

Make hardening compatible with CentOS-8. Dependant patch [1] already passes hardening and another one resolves issue with installing non-existent packages. So we should merge this one without passing CentOS 8 tests not to create circular dependency [1] https://review.opendev.org/689629 Change-Id: I33160b9a6e8331d6db39824e420033c7ab06780b
2020-02-24 12:48:39 +00:00 · 2020-02-24 12:48:39 +00:00 · 0114e44f3e
commit 0114e44f3e
parent b7bd353139
3 changed files with 126 additions and 2 deletions
--- a/bindep.txt
+++ b/bindep.txt
@ -45,8 +45,12 @@ python3-dnf       [platform:fedora]
 git               [platform:gentoo]

 # For SELinux
-libselinux-python  [platform:redhat]
-libsemanage-python [platform:redhat]
+python3-libselinux  [platform:redhat]
+libsemanage-python3 [platform:redhat]
+
+libselinux-python  [platform:redhat !platform:rhel-8 !platform:centos-8]
+libsemanage-python [platform:redhat !platform:rhel-8 !platform:centos-8]
+

 # Required for compressing collected log files in CI
 gzip
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
@ -0,0 +1,120 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 27.
+# The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
+# and Fedora 27. Deployers should not override these.
+#
+# For more details, see 'vars/main.yml'.
+
+# Configuration file paths
+pam_auth_file: /etc/pam.d/system-auth
+pam_password_file: /etc/pam.d/password-auth
+pam_postlogin_file: /etc/pam.d/postlogin
+vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
+grub_conf_file: /boot/grub2/grub.cfg
+grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
+aide_cron_job_path: /etc/cron.d/aide
+aide_database_file: /var/lib/aide/aide.db.gz
+aide_database_out_file: /var/lib/aide/aide.db.new.gz
+chrony_conf_file: /etc/chrony.conf
+chrony_key_file: /etc/chrony.keys
+daemon_init_params_file: /etc/init.d/functions
+pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
+
+# Service names
+cron_service: crond
+ssh_service: sshd
+chrony_service: chronyd
+clamav_service: 'clamd@scan'
+
+# Commands
+grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
+ssh_keysign_path: /usr/libexec/openssh
+
+# Other configuration
+security_interactive_user_minimum_uid: 1000
+
+# RHEL 7 STIG: Packages to add/remove
+stig_packages_rhel7:
+  - packages:
+      - audispd-plugins
+      - audit
+      - aide
+      - dracut-fips
+      - dracut-fips-aesni
+      - openssh-clients
+      - openssh-server
+    state: "{{ security_package_state }}"
+    enabled: True
+  - packages:
+      - python3-libselinux
+      - policycoreutils-python-utils
+      - selinux-policy
+      - selinux-policy-targeted
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_linux_security_module }}"
+  - packages:
+      - chrony
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_chrony }}"
+  - packages:
+      - clamav
+      - clamav-data
+      - clamav-devel
+      - clamav-filesystem
+      - clamav-lib
+      - clamav-scanner-systemd
+      - clamav-server-systemd
+      - clamav-server
+      - clamav-update
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
+  - packages:
+      - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_automatic_package_updates }}"
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_rsh_server }}"
+  - packages:
+      - telnet-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_telnet_server }}"
+  - packages:
+      - tftp-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_tftp_server }}"
+  - packages:
+      - xorg-x11-server-Xorg
+    state: absent
+    enabled: "{{ security_rhel7_remove_xorg }}"
+  - packages:
+      - ypserv
+    state: absent
+    enabled: "{{ security_rhel7_remove_ypserv }}"
+
+rpm_gpgchecks:
+  - regexp: "^gpgcheck.*"
+    line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
+  - regexp: "^localpkg_gpgcheck.*"
+    line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
+  - regexp: "^repo_gpgcheck.*"
+    line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"