openstack/ansible-hardening
Code Issues Proposed changes

Add CentOS 7 and Ubuntu 16.04 support

Browse Source 
This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.

Release notes are included.

Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
This commit is contained in:
Major Hayden 2016-05-13 14:57:28 -05:00
parent fa2800419e
commit 22c4c21583
19 changed files with 623 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/source/developer-notes/V-38633.rst
View File

@ -8,5 +8,3 @@ by adjusting the following Ansible variable:
.. code-block:: yaml
security_max_log_file: 6

2
handlers/main.yml
View File

@ -46,7 +46,7 @@
- name: restart ssh
service:
name: ssh
name: "{{ ssh_service }}"
state: restarted
- name: restart vsftpd

4
meta/main.yml
View File

@ -6,9 +6,13 @@ galaxy_info:
license: Apache
min_ansible_version: 1.8.3
platforms:
- name: EL
versions:
- 7
- name: Ubuntu
versions:
- trusty
- xenial
categories:
- cloud
- security

10
other-requirements.txt
View File

@ -14,7 +14,13 @@
# TODO(odyssey4me) remove this once https://review.openstack.org/288634 has merged
# and the disk images are rebuilt and redeployed.
curl
wget
# Requirements for Paramiko 2.0
libssl-dev
libffi-dev
libssl-dev [platform:dpkg]
libffi-dev [platform:dpkg]
libffi-devel [platform:rpm]
openssl-devel [platform:rpm]
# For selinux
libselinux-python [platform:rpm]

5
releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml Normal file
View File

@ -0,0 +1,5 @@
---
features:
- The openstack-ansible-security role supports the application of the Red
Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and
Ubuntu 16.04 LTS.

29
tasks/apt.yml
View File

@ -13,6 +13,23 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- auditd-apt-packages
- name: Update apt if needed
apt:
update_cache: yes
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- auditd-apt-packages
# Notes for V-38476 ###########################################################
#
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
@ -29,7 +46,7 @@
msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags:
- apt
- package
- cat1
- V-38476
@ -48,7 +65,7 @@
failed_when: False
always_run: True
tags:
- auth
- package
- cat1
- V-38462
@ -57,7 +74,7 @@
msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0"
tags:
- auth
- package
- cat1
- V-38462
@ -67,7 +84,7 @@
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- apt
- package
- cat2
- V-38481
@ -77,7 +94,7 @@
dest: /etc/apt/apt.conf.d/20auto-upgrades
when: security_unattended_upgrades_enabled | bool
tags:
- apt
- package
- cat2
- V-38481
@ -90,6 +107,6 @@
- security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool
tags:
- apt
- package
- cat2
- V-38481

61
tasks/auditd.yml
View File

@ -13,27 +13,22 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- auditd-apt-packages
- name: Update apt if needed
- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
apt:
update_cache: yes
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- auditd-apt-packages
- name: V-38631/38632 - The operating system must produce audit records (install auditd)
apt:
name: auditd
name: "{{ auditd_pkg }}"
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
yum:
name: "{{ auditd_pkg }}"
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
@ -104,6 +99,7 @@
apt:
name: debsums
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
@ -117,6 +113,7 @@
register: v38637_result
changed_when: False
failed_when: "'not installed' in v38637_result.stdout"
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
@ -125,7 +122,31 @@
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "FAILED: Could not verify that files from auditd package are unaltered"
when: not check_mode and v38637_result.rc == 2
when:
- not check_mode
- ansible_pkg_mgr == 'apt'
- v38637_result.rc == 2
tags:
- auditd
- cat2
- V-38637
- name: Check audit package contents for alterations with rpm (for V-38637)
shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
register: v38637_result
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "FAILED: Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'yum'
- v38637_result.stdout != "0"
tags:
- auditd
- cat2

44
tasks/auth.yml
View File

@ -104,7 +104,7 @@
# /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
lineinfile:
dest: /etc/pam.d/common-auth
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2'
@ -191,21 +191,49 @@
- cat2
- V-38501
- name: V-38591 - Remove rshd
- name: V-38591 - Remove rshd with apt
apt:
name: rsh-server
state: absent
when: security_remove_rsh_server | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server
apt:
name: telnetd
- name: V-38591 - Remove rshd with yum
yum:
name: rsh-server
state: absent
when: security_remove_telnet_server | bool
when:
- ansible_pkg_mgr == 'yum'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server with apt
apt:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: V-38587 - Remove telnet-server with yum
yum:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
@ -261,7 +289,7 @@
# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
# hashing algorithm as well.
- name: Check password hashing algorithm used by PAM (for V-38574)
shell: "grep '^\\s*password.*pam_unix.*sha512' /etc/pam.d/common-password"
shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
register: v38574_result
changed_when: False
failed_when: False

9
tasks/console.yml
View File

@ -19,6 +19,15 @@
regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
line: '#exec shutdown -r now "Control-Alt-Delete pressed"'
state: present
when: not systemd_running | bool
tags:
- console
- cat1
- V-38668
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
command: systemctl mask ctrl-alt-del.target
when: systemd_running | bool
tags:
- console
- cat1

13
tasks/mail.yml
View File

@ -13,10 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix)
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
apt:
name: postfix
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
yum:
name: postfix
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- mail
- cat3

33
tasks/main.yml
View File

@ -13,15 +13,42 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Verify if we're using check mode
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Check if we're in check/audit mode
command: /bin/true
register: noop_result
- name: Set a fact if we're in check mode
- name: Check to see if systemd is in use
command: systemctl status
register: systemd_check
failed_when: False
always_run: True
- name: Set facts
set_fact:
check_mode: "{{ noop_result|skipped }}"
check_mode: "{{ noop_result | skipped }}"
systemd_running: "{{ systemd_check | success }}"
- include: apt.yml
when: ansible_pkg_mgr == 'apt'
tag:
- apt
- package
- include: rpm.yml
when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf'
tag:
- package
- rpm
- include: auditd.yml
- include: auth.yml
- include: boot.yml

178
tasks/misc.yml
View File

@ -13,10 +13,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38489 - Install AIDE
- name: V-38489 - Install AIDE (with apt)
apt:
name: aide
state: present
name: aide
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38489
- name: V-38489 - Install AIDE (with yum)
yum:
name: aide
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38489
@ -76,10 +86,20 @@
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (installing chrony)
- name: V-38620 - Synchronize system clock (installing chrony with apt)
apt:
name: chrony
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (installing chrony with yum)
yum:
name: chrony
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38620
@ -117,10 +137,20 @@
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate)
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
apt:
name: logrotate
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
yum:
name: logrotate
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat3
- V-38624
@ -138,7 +168,7 @@
msg: "FAILED: Cron job for logrotate is missing"
when:
- not check_mode
- v38624_result.stat.exists == False
- not v38624_result.stat.exists | bool
tags:
- cat3
- V-38624
@ -158,32 +188,53 @@
regexp: "^(;)?client signing"
line: "client signing = mandatory"
insertafter: "############ Misc ############"
when: v38656_result.stat.exists == True
when: v38656_result.stat.exists | bool
notify:
- restart samba
tags:
- cat3
- V-38656
- name: Check if SNMP daemon is installed (for V-38660)
- name: Check if SNMP daemon is installed using dpkg (for V-38660)
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
register: v38660_snmpd_installed
register: v38660_snmpd_apt
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38660
- name: Check if SNMP daemon is installed using rpm (for V-38660)
shell: "rpm -qi net-snmp"
register: v38660_snmpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38660
- name: Set fact for SNMP being installed
set_fact:
snmpd_installed: True
when: |
(v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
(v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
# We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols.
- name: Check for insecure SNMP protocols (for V-38660)
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
register: v38660_result
when: v38660_snmpd_installed.rc == 0
changed_when: False
failed_when: False
always_run: True
when:
- snmpd_installed is defined
- snmpd_installed | bool
tags:
- cat2
- V-38660
@ -193,7 +244,8 @@
msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only"
when:
- not check_mode
- v38660_snmpd_installed.rc == 0
- snmpd_installed is defined
- snmpd_installed | bool
- v38660_result.rc == 0
tags:
- cat2
@ -219,23 +271,46 @@
- cat3
- V-38684
- name: Check if vsftpd installed (for V-38599 and V-38702)
- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
register: v38599_result
register: v38599_vsftpd_apt
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
shell: "rpm -qi vsftpd"
register: v38599_vsftpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Set fact for vsftpd being installed
set_fact:
vsftpd_installed: True
when: |
(v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
(v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
- name: Copy login banner (for V-38599)
copy:
src: login_banner.txt
dest: /etc/issue.net
when: v38599_result.rc == 0
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
@ -244,10 +319,12 @@
- name: V-38599 - Set warning banner for FTPS/FTP logins
lineinfile:
dest: /etc/vsftpd/vsftpd.conf
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?banner_file"
line: "banner_file=/etc/issue.net"
when: v38599_result.rc == 0
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
@ -256,10 +333,12 @@
- name: V-38702 - Enable xferlog
lineinfile:
dest: /etc/vsftpd.conf
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_enable"
line: "xferlog_enable=YES"
when: v38599_result.rc == 0
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
@ -268,10 +347,12 @@
- name: V-38702 - Disable xferlog_std_format
lineinfile:
dest: /etc/vsftpd.conf
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_std_format"
line: "xferlog_std_format=NO"
when: v38599_result.rc == 0
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
@ -280,10 +361,12 @@
- name: V-38702 - Enable log_ftp_protocol
lineinfile:
dest: /etc/vsftpd.conf
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?log_ftp_protocol"
line: "log_ftp_protocol=YES"
when: v38599_result.rc == 0
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
@ -295,6 +378,7 @@
register: v38674_result
changed_when: False
always_run: True
when: not systemd_running | bool
tags:
- cat2
- V-38674
@ -302,7 +386,29 @@
- name: V-38674 - X Windows must not be enabled
fail:
msg: "FAILED: Default runlevel should be 2 (no X windows)"
when: v38674_result.rc != 0
when:
- not systemd_running | bool
- v38674_result.rc != 0
tags:
- cat2
- V-38674
- name: Check if systemd is configured to load the graphical target
shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'"
register: v38674_result
always_run: True
failed_when: v38674_result.rc > 1
when: systemd_running | bool
tags:
- cat2
- V-38674
- name: V-38674 - X Windows must not be enabled
fail:
msg: "FAILED: Graphical target must not be enabled in systemd."
when:
- systemd_running | bool
- v38674_result.rc == 0
tags:
- cat2
- V-38674
@ -312,6 +418,7 @@
register: v51337_result
changed_when: False
always_run: True
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-51337
@ -319,7 +426,30 @@
- name: V-51337 - The system must use a Linux Security Module at boot time
fail:
msg: "FAILED: AppArmor isn't enabled"
when: "'apparmor module is loaded' not in v51337_result.stdout"
when:
- ansible_pkg_mgr == 'apt'
- "'apparmor module is loaded' not in v51337_result.stdout"
tags:
- cat2
- V-51337
- name: Check if SELinux is enforcing (for V-51337)
command: getenforce
register: v51337_result
changed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-51337
- name: V-51337 - The system must use a Linux Security Module at boot time
fail:
msg: "FAILED: SELinux is not in enforcing mode."
when:
- ansible_pkg_mgr == 'yum'
- "'Enforcing' not in v51337_result.stdout"
tags:
- cat2
- V-51337

2
tasks/nfsd.yml
View File

@ -29,6 +29,7 @@
shell: grep all_squash /etc/exports
register: v38460_result
changed_when: v38460_result.rc == 0
failed_when: False
when: exports.stat.exists
tags:
- nfs
@ -49,6 +50,7 @@
shell: grep insecure_locks /etc/exports
register: v38677_result
changed_when: v38677_result.rc == 0
failed_when: False
when: exports.stat.exists
tags:
- nfs

76
tasks/rpm.yml Normal file
View File

@ -0,0 +1,76 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
register: v38476_result
changed_when: "v38476_result.rc != 0"
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38476
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
fail:
msg: "FAILED: Missing CentOS 7 GPG keys"
when: "v38476_result.rc != 0"
tags:
- package
- cat1
- V-38476
- name: Search for yum repositories with GPG checks disabled
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
register: v38462_result
changed_when: False
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "FAILED: Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: V-38481 - Install yum-cron for automatic updates
yum:
name: yum-cron
state: installed
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481

167
tasks/services.yml
View File

@ -13,9 +13,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Generate list of sysv_services
- name: Generate list of services_installed
shell: "find /etc/init.d/ -printf '%f\n'"
register: sysv_services
register: sysv_services_installed
changed_when: false
always_run: True
tags:
@ -24,12 +24,29 @@
- cat2
- cat3
- name: Generate a list of systemd service unit files
shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
register: systemd_services_installed
changed_when: false
always_run: True
tags:
- services
- cat1
- cat2
- cat3
- name: Register which services are installed depending on platform
set_fact:
services_installed: "{{ (systemd_running | bool) | ternary (systemd_services_installed, sysv_services_installed)}}"
- name: V-38437 - Automated file system mounting tools must be disabled
service:
name: autofs
state: stopped
enabled: no
when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout
when:
- security_disable_autofs | bool
- "'autofs' in services_installed.stdout"
tags:
- services
- cat3
@ -40,7 +57,9 @@
name: abrtd
state: stopped
enabled: no
when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout
when:
- security_disable_abrtd | bool
- "'abrtd' in services_installed.stdout"
tags:
- services
- cat3
@ -51,7 +70,9 @@
name: atd
state: stopped
enabled: no
when: security_disable_atd | bool and 'atd' in sysv_services.stdout
when:
- security_disable_atd | bool
- "'atd' in services_installed.stdout"
tags:
- services
- cat3
@ -62,7 +83,9 @@
name: qpidd
state: stopped
enabled: no
when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout
when:
- security_disable_qpidd | bool
- "'qpidd' in services_installed.stdout"
tags:
- services
- cat3
@ -73,7 +96,9 @@
name: bluetooth
state: stopped
enabled: no
when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout
when:
- security_disable_bluetooth | bool
- "'bluetooth' in services_installed.stdout"
tags:
- services
- cat2
@ -84,28 +109,58 @@
name: xinetd
state: stopped
enabled: no
when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout
when:
- security_disable_xinetd | bool
- "'xinetd' in services_installed.stdout"
tags:
- services
- cat2
- V-38582
- name: V-38584 - xinetd must be uninstalled if not in use
- name: V-38584 - xinetd must be uninstalled if not in use (apt)
apt:
name: xinetd
state: absent
when: security_remove_xinetd | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
yum:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
# Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
- name: V-38603 - Remove ypserv (nis) package
- name: V-38603 - Remove ypserv package with apt
apt:
name: nis
name: "{{ ypserv_pkg }}"
state: absent
when: security_remove_ypserv | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38603 - Remove ypserv package with yum
yum:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ypserv | bool
tags:
- services
- cat2
@ -113,7 +168,7 @@
- name: V-38605 - The cron service must be running
service:
name: cron
name: "{{ cron_service }}"
state: started
enabled: yes
tags:
@ -121,11 +176,25 @@
- cat2
- V-38605
- name: V-38606 - The tftp-server package must not be installed unless required
- name: V-38606 - The tftp-server package must not be installed unless required (apt)
apt:
name: tftpd
name: "{{ tftp_pkg }}"
state: absent
when: security_remove_tftp_server | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
yum:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_tftp_server | bool
tags:
- services
- cat2
@ -136,37 +205,81 @@
name: avahi-daemon
state: stopped
enabled: no
when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout
when:
- security_disable_avahi | bool
- "'avahi' in services_installed.stdout"
tags:
- services
- cat3
- V-38618
- name: V-38627 - Remove LDAP servers unless required
- name: V-38627 - Remove LDAP servers unless required (apt)
apt:
name: slapd
name: "{{ ldap_server_pkg }}"
state: absent
when: security_remove_ldap_server | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38671 - Remove sendmail
- name: V-38627 - Remove LDAP servers unless required (yum)
yum:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38671 - Remove sendmail with apt
apt:
name: sendmail
state: absent
when: security_remove_sendmail | bool
when:
- ansible_pkg_mgr == 'apt'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38676 - The X windows package must not be installed
apt:
name: xserver-xorg
- name: V-38671 - Remove sendmail with yum
yum:
name: sendmail
state: absent
when: security_remove_xorg | bool
when:
- ansible_pkg_mgr == 'yum'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38676 - The X windows package must not be installed (apt)
apt:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676
- name: V-38676 - The X windows package must not be installed (yum)
yum:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xorg | bool
tags:
- services
- cat3

6
tests/test.yml
View File

@ -19,26 +19,32 @@
- name: Ensure apt cache is updated before testing
apt:
update_cache: yes
when: ansible_pkg_mgr == 'apt'
post_tasks:
- name: Stat 20auto-upgrades file
stat:
path: /etc/apt/apt.conf.d/20auto-upgrades
register: auto_upgrades_file
when: ansible_pkg_mgr == 'apt'
- name: Slurp contents of 50unattended-upgrades file
slurp:
src: /etc/apt/apt.conf.d/50unattended-upgrades
register: unattended_upgrades_file_encoded
when: ansible_pkg_mgr == 'apt'
- name: Decode slurp'd 50-unattended-upgrades file
set_fact:
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
when: ansible_pkg_mgr == 'apt'
- name: Ensure auto updates has been enabled
assert:
that:
- auto_upgrades_file.stat.exists
when: ansible_pkg_mgr == 'apt'
- name: Ensure that auto update notifications has been enabled
assert:
that:
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
when: ansible_pkg_mgr == 'apt'
roles:
- role: "{{ rolename }}"
vars:

15
tox.ini
View File

@ -13,6 +13,7 @@ passenv =
HOME
whitelist_externals =
bash
cat
git
rm
setenv =
@ -91,6 +92,7 @@ commands =
--syntax-check \
--list-tasks \
-e "rolename={toxinidir}" \
-t ssh \
{toxinidir}/tests/test.yml
@ -103,16 +105,21 @@ commands =
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set
# to true.
# NOTE(mhayden): Some infra images don't have AppArmor enabled, so V-51337
# must be skipped.
# NOTE(mhayden): V-51337: OpenStack infra images don't have AppArmor
# enabled, so it must be skipped.
# V-38674: OpenStack infra images have graphical target
# enabled, so it must be skipped.
# V-38574: OpenStack infra images have non-standard pam
# configurations that don't match a standard CentOS 7 server
# or cloud image. It must be skipped.
commands =
rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
{homedir}/.ansible/plugins
ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \
{toxinidir}/tests/test.yml \
--skip-tag V-38462,V-51337
--skip-tag V-38462,V-51337,V-38574,V-38674 \
{toxinidir}/tests/test.yml
[testenv:linters]

31
vars/redhat.yml Normal file
View File

@ -0,0 +1,31 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth-ac
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
# Package names
auditd_pkg: audit
ldap_server_pkg: openldap-servers
telnet_server_pkg: telnet-server
tftp_pkg: tftp-server
xserver_pkg: xorg-x11-server-Xorg
ypserv_pkg: ypserv
# Service names
cron_service: crond
ssh_service: sshd

34
vars/ubuntu.yml Normal file
View File

@ -0,0 +1,34 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Maximum age of the apt cache before a refresh is required
cache_timeout: 600
# Configuration file paths
pam_auth_file: /etc/pam.d/common-auth
pam_password_file: /etc/pam.d/common-password
vsftpd_conf_file: /etc/vsftpd.conf
# Package names
auditd_pkg: auditd
ldap_server_pkg: slapd
telnet_server_pkg: telnetd
tftp_pkg: tftpd
xserver_pkg: xorg-xserver
ypserv_pkg: nis
# Service name
cron_service: cron
ssh_service: ssh