From 78d844a0084837ae73027ef1ba8e0301dd302ae9 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Mon, 13 Mar 2017 18:30:43 +0000
Subject: [PATCH] Rename vars/common.yml to vars/main.yml

The file vars/main.yml is automatically loaded so by using this file name we're able to get rid of the task that loads vars/common.yml which is a small optimisation.

Change-Id: I4e0a1b81c42a90b7cd28830f1c2e72c7bd62efaf
---
 tasks/main.yml | 5 -
 vars/common.yml | 343 ------------------------------------------------
 vars/main.yml | 337 +++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 325 insertions(+), 360 deletions(-)
 delete mode 100644 vars/common.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index b25759a1..18fa5ddb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,11 +24,6 @@ tags: - always - - name: Gather variables that apply to all operating systems - include_vars: common.yml - tags: - - always - - name: Check for check/audit mode command: /bin/true register: noop_result
diff --git a/vars/common.yml b/vars/common.yml
deleted file mode 100644
index 6935e8d0..00000000
--- a/vars/common.yml
+++ /dev/null
@@ -1,343 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## Common variables for all distributions
-# This file contains variables that apply to all distributions that the
-# security role supports. Distribution-specific variables should be placed in:
-#
-# - vars/redhat.yml
-# - vars/ubuntu.yml
-
-## auditd configuration
-auditd_config:
- - parameter: disk_full_action
- value: "{{ security_rhel7_auditd_disk_full_action }}"
- config: /etc/audisp/audisp-remote.conf
- - parameter: network_failure_action
- value: "{{ security_rhel7_auditd_network_failure_action }}"
- config: /etc/audisp/audisp-remote.conf
- - parameter: space_left
- value: "{{ security_rhel7_auditd_space_left }}"
- config: /etc/audit/auditd.conf
- - parameter: space_left_action
- value: "{{ security_rhel7_auditd_space_left_action }}"
- config: /etc/audit/auditd.conf
- - parameter: action_mail_acct
- value: "{{ security_rhel7_auditd_action_mail_acct }}"
- config: /etc/audit/auditd.conf
-
-## auditd rules
-# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
-# for various commands and syscalls.
-#
-# Each dictionary has this structure:
-#
-# command: the command/syscall to audit (required)
-# stig_id: the number/ID from the STIG (required)
-# arch_specific: 'yes' if the rule depends on the architecture type,
-# otherwise 'no' (required)
-# path: the path to the command (optional, default is '/usr/bin')
-# distro: restrict deployment to a single Linux distribution (optional,
-# should be equal to 'ansible_os_family | lower', such as 'redhat'
-# or 'ubuntu')
-#
-audited_commands:
- - command: chsh
- stig_id: RHEL-07-030525
- arch_specific: no
- - command: chage
- stig_id: RHEL-07-030513
- arch_specific: no
- - command: chcon
- stig_id: RHEL-07-030443
- arch_specific: no
- - command: chmod
- stig_id: RHEL-07-030390
- arch_specific: yes
- - command: chown
- stig_id: RHEL-07-030380
- arch_specific: yes
- - command: creat
- stig_id: RHEL-07-030420
- arch_specific: yes
- - command: crontab
- stig_id: RHEL-07-030561
- arch_specific: no
- - command: delete_module
- stig_id: RHEL-07-030671
- arch_specific: yes
- - command: fchmod
- stig_id: RHEL-07-030391
- arch_specific: yes
- - command: fchmodat
- stig_id: RHEL-07-030392
- arch_specific: yes
- - command: fchown
- stig_id: RHEL-07-030381
- arch_specific: yes
- - command: fchownat
- stig_id: RHEL-07-030383
- arch_specific: yes
- - command: fremovexattr
- stig_id: RHEL-07-030404
- arch_specific: yes
- - command: fsetxattr
- stig_id: RHEL-07-030401
- arch_specific: yes
- - command: ftruncate
- stig_id: RHEL-07-030425
- arch_specific: yes
- - command: init_module
- stig_id: RHEL-07-030670
- arch_specific: yes
- - command: gpasswd
- stig_id: RHEL-07-030512
- arch_specific: no
- - command: lchown
- stig_id: RHEL-07-030382
- arch_specific: yes
- - command: lremovexattr
- stig_id: RHEL-07-030405
- arch_specific: yes
- - command: lsetxattr
- stig_id: RHEL-07-030402
- arch_specific: yes
- - command: mount
- path: /bin
- stig_id: RHEL-07-030530
- arch_specific: no
- - command: newgrp
- stig_id: RHEL-07-030524
- arch_specific: no
- - command: open
- stig_id: RHEL-07-030421
- arch_specific: yes
- - command: openat
- stig_id: RHEL-07-030422
- arch_specific: yes
- - command: open_by_handle_at
- stig_id: RHEL-07-030423
- arch_specific: yes
- - command: pam_timestamp_check
- path: /sbin
- stig_id: RHEL-07-030630
- arch_specific: no
- - command: passwd
- stig_id: RHEL-07-030510
- arch_specific: no
- - command: postdrop
- path: /usr/sbin
- stig_id: RHEL-07-030540
- arch_specific: no
- - command: postqueue
- path: /usr/sbin
- stig_id: RHEL-07-030541
- arch_specific: no
- - command: pt_chown
- path: /usr/libexec
- stig_id: RHEL-07-030560
- arch_specific: no
- distro: redhat
- - command: removexattr
- stig_id: RHEL-07-030403
- arch_specific: yes
- - command: rename
- stig_id: RHEL-07-030750
- arch_specific: yes
- - command: renameat
- stig_id: RHEL-07-030751
- arch_specific: yes
- - command: restorecon
- path: /usr/sbin
- stig_id: RHEL-07-030444
- arch_specific: no
- - command: rmdir
- stig_id: RHEL-07-030752
- arch_specific: yes
- - command: semanage
- path: /usr/sbin
- stig_id: RHEL-07-030441
- arch_specific: no
- - command: setsebool
- path: /usr/sbin
- stig_id: RHEL-07-030442
- arch_specific: no
- - command: setxattr
- stig_id: RHEL-07-030400
- arch_specific: yes
- - command: ssh-keysign
- path: "{{ ssh_keysign_path }}"
- stig_id: RHEL-07-030550
- arch_specific: no
- - command: su
- path: /bin
- stig_id: RHEL-07-030521
- arch_specific: no
- - command: sudo
- stig_id: RHEL-07-030522
- arch_specific: no
- - command: sudoedit
- path: /bin
- stig_id: RHEL-07-030526
- arch_specific: no
- - command: truncate
- stig_id: RHEL-07-030424
- arch_specific: yes
- - command: umount
- path: /bin
- stig_id: RHEL-07-030531
- arch_specific: no
- - command: unix_chkpwd
- path: /sbin
- stig_id: RHEL-07-030511
- arch_specific: no
- - command: unlink
- stig_id: RHEL-07-030753
- arch_specific: yes
- - command: unlinkat
- stig_id: RHEL-07-030754
- arch_specific: yes
- - command: userhelper
- path: /usr/sbin
- stig_id: RHEL-07-030514
- arch_specific: no
-
-## Password quality settings
-# This variable is used in main/rhel7stig/auth.yml to set password quality
-# requirements.
-#
-# Each dictionary has this structure:
-#
-# parameter: the pwquality parameter to set
-# value: the value of the parameter
-# stig_id: the STIG id number
-# description: description of the control from the STIG
-# enabled: whether the change should be applied
-#
-password_quality_rhel7:
- - parameter: ucredit
- value: -1
- stig_id: RHEL-07-010090
- description: "Password must contain at least one upper-case character"
- enabled: "{{ security_pwquality_require_uppercase }}"
- - parameter: lcredit
- value: -1
- stig_id: RHEL-07-010100
- description: "Password must contain at least one lower-case character"
- enabled: "{{ security_pwquality_require_lowercase }}"
- - parameter: dcredit
- value: -1
- stig_id: RHEL-07-010110
- description: "Password must contain at least one numeric character"
- enabled: "{{ security_pwquality_require_numeric }}"
- - parameter: ocredit
- value: -1
- stig_id: RHEL-07-010120
- description: "Password must contain at least one special character"
- enabled: "{{ security_pwquality_require_special }}"
- - parameter: difok
- value: 8
- stig_id: RHEL-07-010130
- description: "Password must have at least eight characters changed"
- enabled: "{{ security_pwquality_require_characters_changed }}"
- - parameter: minclass
- value: 4
- stig_id: RHEL-07-010140
- description: "Password must have at least four character classes changed"
- enabled: "{{ security_pwquality_require_character_classes_changed }}"
- - parameter: maxrepeat
- value: 4
- stig_id: RHEL-07-010150
- description: "Password must have at most four characters repeated consecutively"
- enabled: "{{ security_pwquality_limit_repeated_characters }}"
- - parameter: maxclassrepeat
- value: 4
- stig_id: RHEL-07-010160
- description: "Password must have at most four characters in the same character class repeated consecutively"
- enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- - parameter: minlen
- value: 15
- stig_id: RHEL-07-010250
- description: "Passwords must be a minimum of 15 characters in length"
- enabled: "{{ security_pwquality_require_minimum_password_length }}"
-
-## shadow-utils settings
-# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
-# configurations in /etc/login.defs.
-#
-# Each dictionary has this structure:
-#
-# parameter: the parameter to set
-# value: the value for the parameter
-# stig_id: the STIG ID number for the requirement
-#
-shadow_utils_rhel7:
- - parameter: ENCRYPT_METHOD
- value: "{{ security_password_encrypt_method | default('') }}"
- stig_id: RHEL-07-010180
- ansible_os_family: all
- - parameter: PASS_MIN_DAYS
- value: "{{ security_password_min_lifetime_days | default('') }}"
- stig_id: RHEL-07-010200
- ansible_os_family: all
- - parameter: PASS_MAX_DAYS
- value: "{{ security_password_max_lifetime_days | default('') }}"
- stig_id: RHEL-07-010220
- ansible_os_family: all
- - parameter: FAIL_DELAY
- value: "{{ security_shadow_utils_fail_delay | default('') }}"
- stig_id: RHEL-07-010420
- ansible_os_family: RedHat
- - parameter: UMASK
- value: "{{ security_shadow_utils_umask | default('') }}"
- stig_id: RHEL-07-020230
- ansible_os_family: all
- - parameter: CREATE_HOME
- value: "{{ security_shadow_utils_create_home | default('') }}"
- stig_id: RHEL-07-020630
- ansible_os_family: all
-
-## sysctl settings
-# This variable is used in main/rhel7stig/kernel.yml to set sysctl
-# configurations on hosts.
-#
-# Each dictionary has this structure:
-#
-# name: the sysctl configuration name
-# value: the value to set for the sysctl configuration
-# enabled: whether the variable should be set or not
-#
-sysctl_settings_rhel7:
- - name: net.ipv4.conf.all.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- - name: net.ipv4.conf.default.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- - name: net.ipv4.icmp_echo_ignore_broadcasts
- value: 1
- enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- - name: net.ipv4.conf.all.send_redirects
- value: 0
- enabled: "{{ security_disallow_icmp_redirects | bool }}"
- - name: net.ipv4.conf.default.send_redirects
- value: 0
- enabled: "{{ security_disallow_icmp_redirects | bool }}"
- - name: net.ipv4.ip_forward
- value: 0
- enabled: "{{ security_disallow_ip_forwarding | bool }}"
- - name: net.ipv6.conf.all.accept_source_route
- value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
diff --git a/vars/main.yml b/vars/main.yml
index 2d1cd58f..6935e8d0 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -13,18 +13,331 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-## Variables
-# The variable files in the 'vars' directory are intended to hold variables
-# that deployers should not override. These variables are used internally by
-# the role to create templates, execute commands, or adjust configurations.
+## Common variables for all distributions
+# This file contains variables that apply to all distributions that the
+# security role supports. Distribution-specific variables should be placed in:
#
-# There are three main variable files:
+# - vars/redhat.yml
+# - vars/ubuntu.yml
+
+## auditd configuration
+auditd_config:
+ - parameter: disk_full_action
+ value: "{{ security_rhel7_auditd_disk_full_action }}"
+ config: /etc/audisp/audisp-remote.conf
+ - parameter: network_failure_action
+ value: "{{ security_rhel7_auditd_network_failure_action }}"
+ config: /etc/audisp/audisp-remote.conf
+ - parameter: space_left
+ value: "{{ security_rhel7_auditd_space_left }}"
+ config: /etc/audit/auditd.conf
+ - parameter: space_left_action
+ value: "{{ security_rhel7_auditd_space_left_action }}"
+ config: /etc/audit/auditd.conf
+ - parameter: action_mail_acct
+ value: "{{ security_rhel7_auditd_action_mail_acct }}"
+ config: /etc/audit/auditd.conf
+
+## auditd rules
+# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
+# for various commands and syscalls.
#
-# common.yml: variables that apply to all distributions
-# redhat.yml: variables that apply only to CentOS 7 and Red Hat Enterprise
-# Linux 7
-# ubuntu.yml: variables that apply only to Ubuntu 14.04 (trusty) and
-# Ubuntu 16.04 (xenial)
+# Each dictionary has this structure:
#
-# All variables that enable or disable functionality, or variables that a
-# deployer might want to override should be placed in 'defaults/main.yml'.
+# command: the command/syscall to audit (required)
+# stig_id: the number/ID from the STIG (required)
+# arch_specific: 'yes' if the rule depends on the architecture type,
+# otherwise 'no' (required)
+# path: the path to the command (optional, default is '/usr/bin')
+# distro: restrict deployment to a single Linux distribution (optional,
+# should be equal to 'ansible_os_family | lower', such as 'redhat'
+# or 'ubuntu')
+#
+audited_commands:
+ - command: chsh
+ stig_id: RHEL-07-030525
+ arch_specific: no
+ - command: chage
+ stig_id: RHEL-07-030513
+ arch_specific: no
+ - command: chcon
+ stig_id: RHEL-07-030443
+ arch_specific: no
+ - command: chmod
+ stig_id: RHEL-07-030390
+ arch_specific: yes
+ - command: chown
+ stig_id: RHEL-07-030380
+ arch_specific: yes
+ - command: creat
+ stig_id: RHEL-07-030420
+ arch_specific: yes
+ - command: crontab
+ stig_id: RHEL-07-030561
+ arch_specific: no
+ - command: delete_module
+ stig_id: RHEL-07-030671
+ arch_specific: yes
+ - command: fchmod
+ stig_id: RHEL-07-030391
+ arch_specific: yes
+ - command: fchmodat
+ stig_id: RHEL-07-030392
+ arch_specific: yes
+ - command: fchown
+ stig_id: RHEL-07-030381
+ arch_specific: yes
+ - command: fchownat
+ stig_id: RHEL-07-030383
+ arch_specific: yes
+ - command: fremovexattr
+ stig_id: RHEL-07-030404
+ arch_specific: yes
+ - command: fsetxattr
+ stig_id: RHEL-07-030401
+ arch_specific: yes
+ - command: ftruncate
+ stig_id: RHEL-07-030425
+ arch_specific: yes
+ - command: init_module
+ stig_id: RHEL-07-030670
+ arch_specific: yes
+ - command: gpasswd
+ stig_id: RHEL-07-030512
+ arch_specific: no
+ - command: lchown
+ stig_id: RHEL-07-030382
+ arch_specific: yes
+ - command: lremovexattr
+ stig_id: RHEL-07-030405
+ arch_specific: yes
+ - command: lsetxattr
+ stig_id: RHEL-07-030402
+ arch_specific: yes
+ - command: mount
+ path: /bin
+ stig_id: RHEL-07-030530
+ arch_specific: no
+ - command: newgrp
+ stig_id: RHEL-07-030524
+ arch_specific: no
+ - command: open
+ stig_id: RHEL-07-030421
+ arch_specific: yes
+ - command: openat
+ stig_id: RHEL-07-030422
+ arch_specific: yes
+ - command: open_by_handle_at
+ stig_id: RHEL-07-030423
+ arch_specific: yes
+ - command: pam_timestamp_check
+ path: /sbin
+ stig_id: RHEL-07-030630
+ arch_specific: no
+ - command: passwd
+ stig_id: RHEL-07-030510
+ arch_specific: no
+ - command: postdrop
+ path: /usr/sbin
+ stig_id: RHEL-07-030540
+ arch_specific: no
+ - command: postqueue
+ path: /usr/sbin
+ stig_id: RHEL-07-030541
+ arch_specific: no
+ - command: pt_chown
+ path: /usr/libexec
+ stig_id: RHEL-07-030560
+ arch_specific: no
+ distro: redhat
+ - command: removexattr
+ stig_id: RHEL-07-030403
+ arch_specific: yes
+ - command: rename
+ stig_id: RHEL-07-030750
+ arch_specific: yes
+ - command: renameat
+ stig_id: RHEL-07-030751
+ arch_specific: yes
+ - command: restorecon
+ path: /usr/sbin
+ stig_id: RHEL-07-030444
+ arch_specific: no
+ - command: rmdir
+ stig_id: RHEL-07-030752
+ arch_specific: yes
+ - command: semanage
+ path: /usr/sbin
+ stig_id: RHEL-07-030441
+ arch_specific: no
+ - command: setsebool
+ path: /usr/sbin
+ stig_id: RHEL-07-030442
+ arch_specific: no
+ - command: setxattr
+ stig_id: RHEL-07-030400
+ arch_specific: yes
+ - command: ssh-keysign
+ path: "{{ ssh_keysign_path }}"
+ stig_id: RHEL-07-030550
+ arch_specific: no
+ - command: su
+ path: /bin
+ stig_id: RHEL-07-030521
+ arch_specific: no
+ - command: sudo
+ stig_id: RHEL-07-030522
+ arch_specific: no
+ - command: sudoedit
+ path: /bin
+ stig_id: RHEL-07-030526
+ arch_specific: no
+ - command: truncate
+ stig_id: RHEL-07-030424
+ arch_specific: yes
+ - command: umount
+ path: /bin
+ stig_id: RHEL-07-030531
+ arch_specific: no
+ - command: unix_chkpwd
+ path: /sbin
+ stig_id: RHEL-07-030511
+ arch_specific: no
+ - command: unlink
+ stig_id: RHEL-07-030753
+ arch_specific: yes
+ - command: unlinkat
+ stig_id: RHEL-07-030754
+ arch_specific: yes
+ - command: userhelper
+ path: /usr/sbin
+ stig_id: RHEL-07-030514
+ arch_specific: no
+
+## Password quality settings
+# This variable is used in main/rhel7stig/auth.yml to set password quality
+# requirements.
+#
+# Each dictionary has this structure:
+#
+# parameter: the pwquality parameter to set
+# value: the value of the parameter
+# stig_id: the STIG id number
+# description: description of the control from the STIG
+# enabled: whether the change should be applied
+#
+password_quality_rhel7:
+ - parameter: ucredit
+ value: -1
+ stig_id: RHEL-07-010090
+ description: "Password must contain at least one upper-case character"
+ enabled: "{{ security_pwquality_require_uppercase }}"
+ - parameter: lcredit
+ value: -1
+ stig_id: RHEL-07-010100
+ description: "Password must contain at least one lower-case character"
+ enabled: "{{ security_pwquality_require_lowercase }}"
+ - parameter: dcredit
+ value: -1
+ stig_id: RHEL-07-010110
+ description: "Password must contain at least one numeric character"
+ enabled: "{{ security_pwquality_require_numeric }}"
+ - parameter: ocredit
+ value: -1
+ stig_id: RHEL-07-010120
+ description: "Password must contain at least one special character"
+ enabled: "{{ security_pwquality_require_special }}"
+ - parameter: difok
+ value: 8
+ stig_id: RHEL-07-010130
+ description: "Password must have at least eight characters changed"
+ enabled: "{{ security_pwquality_require_characters_changed }}"
+ - parameter: minclass
+ value: 4
+ stig_id: RHEL-07-010140
+ description: "Password must have at least four character classes changed"
+ enabled: "{{ security_pwquality_require_character_classes_changed }}"
+ - parameter: maxrepeat
+ value: 4
+ stig_id: RHEL-07-010150
+ description: "Password must have at most four characters repeated consecutively"
+ enabled: "{{ security_pwquality_limit_repeated_characters }}"
+ - parameter: maxclassrepeat
+ value: 4
+ stig_id: RHEL-07-010160
+ description: "Password must have at most four characters in the same character class repeated consecutively"
+ enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
+ - parameter: minlen
+ value: 15
+ stig_id: RHEL-07-010250
+ description: "Passwords must be a minimum of 15 characters in length"
+ enabled: "{{ security_pwquality_require_minimum_password_length }}"
+
+## shadow-utils settings
+# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
+# configurations in /etc/login.defs.
+#
+# Each dictionary has this structure:
+#
+# parameter: the parameter to set
+# value: the value for the parameter
+# stig_id: the STIG ID number for the requirement
+#
+shadow_utils_rhel7:
+ - parameter: ENCRYPT_METHOD
+ value: "{{ security_password_encrypt_method | default('') }}"
+ stig_id: RHEL-07-010180
+ ansible_os_family: all
+ - parameter: PASS_MIN_DAYS
+ value: "{{ security_password_min_lifetime_days | default('') }}"
+ stig_id: RHEL-07-010200
+ ansible_os_family: all
+ - parameter: PASS_MAX_DAYS
+ value: "{{ security_password_max_lifetime_days | default('') }}"
+ stig_id: RHEL-07-010220
+ ansible_os_family: all
+ - parameter: FAIL_DELAY
+ value: "{{ security_shadow_utils_fail_delay | default('') }}"
+ stig_id: RHEL-07-010420
+ ansible_os_family: RedHat
+ - parameter: UMASK
+ value: "{{ security_shadow_utils_umask | default('') }}"
+ stig_id: RHEL-07-020230
+ ansible_os_family: all
+ - parameter: CREATE_HOME
+ value: "{{ security_shadow_utils_create_home | default('') }}"
+ stig_id: RHEL-07-020630
+ ansible_os_family: all
+
+## sysctl settings
+# This variable is used in main/rhel7stig/kernel.yml to set sysctl
+# configurations on hosts.
+#
+# Each dictionary has this structure:
+#
+# name: the sysctl configuration name
+# value: the value to set for the sysctl configuration
+# enabled: whether the variable should be set or not
+#
+sysctl_settings_rhel7:
+ - name: net.ipv4.conf.all.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
+ - name: net.ipv4.conf.default.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
+ - name: net.ipv4.icmp_echo_ignore_broadcasts
+ value: 1
+ enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
+ - name: net.ipv4.conf.all.send_redirects
+ value: 0
+ enabled: "{{ security_disallow_icmp_redirects | bool }}"
+ - name: net.ipv4.conf.default.send_redirects
+ value: 0
+ enabled: "{{ security_disallow_icmp_redirects | bool }}"
+ - name: net.ipv4.ip_forward
+ value: 0
+ enabled: "{{ security_disallow_ip_forwarding | bool }}"
+ - name: net.ipv6.conf.all.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
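Review bot: The `enabled` value for `net.ipv4.conf.default.accept_source_route` near the end of the hunk is written `"{{ ... | bool}}"` without the space before `}}` that every other entry in `sysctl_settings_rhel7` uses; Jinja tolerates it, but it should read `enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"` for consistency. The `arch_specific: yes`/`no` values in `audited_commands` are parsed as YAML 1.1 booleans rather than the quoted `'yes'`/`'no'` strings the structure comment describes, so writing `true`/`false` would make the intended type explicit and satisfy yamllint's truthy rule. The section comments also disagree on where the consumers live (`tasks/rhel7stig/auditd.yml` versus `main/rhel7stig/auth.yml` and `main/rhel7stig/kernel.yml`); given the `tasks/main.yml` path in this patch, the latter two presumably should read `tasks/rhel7stig/...`. Moving this content from an `include_vars` task into `vars/main.yml` presumably also lowers its precedence to role-vars level, so if `vars/redhat.yml` or `vars/ubuntu.yml` define any of the same keys they will now win where `common.yml` previously did — worth confirming there is no overlap before merging.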