From 4c792445d4200eea70d0326d552d9aeb9b7a66f8 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 18 Nov 2016 14:26:02 -0600 Subject: [PATCH] Move common variables to common.yml This patch creates a common.yml variables file to hold variables that apply to all distributions supported by the role. It also adds comments into the existing vars file to instruct developers and deployers about the proper location for variables. Implements: blueprint security-rhel7-stig Change-Id: Idad1cbfe0c6992a6333c4740080764a3ac776628 --- tasks/main.yml | 4 +- tasks/rhel7stig/auditd.yml | 5 --- vars/{audit.yml => common.yml} | 68 ++++++++++++++++++++++++++++++++++ vars/main.yml | 30 ++++++++++++++- vars/redhat.yml | 6 +++ vars/sysctl.yml | 37 ------------------ vars/ubuntu.yml | 6 +++ 7 files changed, 111 insertions(+), 45 deletions(-) rename vars/{audit.yml => common.yml} (58%) delete mode 100644 vars/sysctl.yml diff --git a/tasks/main.yml b/tasks/main.yml index 0a5323de..5f98253f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -24,8 +24,8 @@ tags: - always - - name: Gather additional variables about sysctl settings - include_vars: sysctl.yml + - name: Gather variables that apply to all operating systems + include_vars: common.yml tags: - always diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml index b2417f72..907a64af 100644 --- a/tasks/rhel7stig/auditd.yml +++ b/tasks/rhel7stig/auditd.yml @@ -21,11 +21,6 @@ tags: - always -- name: Load variables for audited commands - include_vars: audit.yml - tags: - - always - - name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited lineinfile: dest: /etc/audisp/audisp-remote.conf diff --git a/vars/audit.yml b/vars/common.yml similarity index 58% rename from vars/audit.yml rename to vars/common.yml index dda450dc..b2a2f0aa 100644 --- a/vars/audit.yml +++ b/vars/common.yml @@ -1,5 +1,40 @@ --- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## Common variables for all distributions +# This file contains variables that apply to all distributions that the +# security role supports. Distribution-specific variables should be placed in: +# +# - vars/redhat.yml +# - vars/ubuntu.yml + +## auditd rules +# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules +# for various commands and syscalls. +# +# Each dictionary has this structure: +# +# command: the command/syscall to audit (required) +# stig_id: the number/ID from the STIG (required) +# arch_specific: 'yes' if the rule depends on the architecture type, +# otherwise 'no' (required) +# path: the path to the command (optional, default is '/usr/bin') +# distro: restrict deployment to a single Linux distribution (optional, +# should be equal to 'ansible_os_family | lower', such as 'redhat' +# or 'ubuntu') +# audited_commands: - command: chsh stig_id: RHEL-07-030525 @@ -160,3 +195,36 @@ audited_commands: path: /usr/sbin stig_id: RHEL-07-030514 arch_specific: no + +## sysctl settings +# This variable is used in main/rhel7stig/kernel.yml to set sysctl +# configurations on hosts. +# +# Each dictionary has this structure: +# +# name: the sysctl configuration name +# value: the value to set for the sysctl configuration +# enabled: whether the variable should be set or not +# +sysctl_settings_rhel7: + - name: net.ipv4.conf.all.accept_source_route + value: 0 + enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}" + - name: net.ipv4.conf.default.accept_source_route + value: 0 + enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}" + - name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 + enabled: "{{ security_disallow_echoes_broadcast_address | bool }}" + - name: net.ipv4.conf.all.send_redirects + value: 0 + enabled: "{{ security_disallow_icmp_redirects | bool }}" + - name: net.ipv4.conf.default.send_redirects + value: 0 + enabled: "{{ security_disallow_icmp_redirects | bool }}" + - name: net.ipv4.ip_forward + value: 0 + enabled: "{{ security_disallow_ip_forwarding | bool }}" + - name: net.ipv6.conf.all.accept_source_route + value: 0 + enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}" diff --git a/vars/main.yml b/vars/main.yml index 00cd54af..2d1cd58f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +1,30 @@ --- -# vars file for openstack-ansible-security +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Variables +# The variable files in the 'vars' directory are intended to hold variables +# that deployers should not override. These variables are used internally by +# the role to create templates, execute commands, or adjust configurations. +# +# There are three main variable files: +# +# common.yml: variables that apply to all distributions +# redhat.yml: variables that apply only to CentOS 7 and Red Hat Enterprise +# Linux 7 +# ubuntu.yml: variables that apply only to Ubuntu 14.04 (trusty) and +# Ubuntu 16.04 (xenial) +# +# All variables that enable or disable functionality, or variables that a +# deployer might want to override should be placed in 'defaults/main.yml'. diff --git a/vars/redhat.yml b/vars/redhat.yml index 5b4f3857..4db127ce 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -13,6 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +## Variables for CentOS 7 and Red Hat Enterprise Linux 7 +# The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7 +# and deployers should not override them. +# +# For more details, see 'vars/main.yml'. + # Configuration file paths pam_auth_file: /etc/pam.d/system-auth pam_password_file: /etc/pam.d/password-auth diff --git a/vars/sysctl.yml b/vars/sysctl.yml deleted file mode 100644 index 28f3261d..00000000 --- a/vars/sysctl.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -sysctl_settings_rhel7: - - name: net.ipv4.conf.all.accept_source_route - value: 0 - enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}" - - name: net.ipv4.conf.default.accept_source_route - value: 0 - enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}" - - name: net.ipv4.icmp_echo_ignore_broadcasts - value: 1 - enabled: "{{ security_disallow_echoes_broadcast_address | bool }}" - - name: net.ipv4.conf.all.send_redirects - value: 0 - enabled: "{{ security_disallow_icmp_redirects | bool }}" - - name: net.ipv4.conf.default.send_redirects - value: 0 - enabled: "{{ security_disallow_icmp_redirects | bool }}" - - name: net.ipv4.ip_forward - value: 0 - enabled: "{{ security_disallow_ip_forwarding | bool }}" - - name: net.ipv6.conf.all.accept_source_route - value: 0 - enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}" diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml index 6d466c38..43a11cf6 100644 --- a/vars/ubuntu.yml +++ b/vars/ubuntu.yml @@ -13,6 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +## Variables for Ubuntu 14.04 (trusty) and Ubuntu 16.04 (xenial) +# The following variables apply only to Ubuntu 14.04 (trusty) and Ubuntu 16.04 +# (xenial) and deployers should not override them. +# +# For more details, see 'vars/main.yml'. + # Maximum age of the apt cache before a refresh is required cache_timeout: 600