diff --git a/defaults/main.yml b/defaults/main.yml
index 28a93611..43045465 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -82,16 +82,17 @@ security_aide_exclude_dirs:
 ## Audit daemon (auditd)
 # Send audit records to a different system using audisp.
-#security_audisp_remote_server: '10.0.21.1' # V-72083
+# security_audisp_remote_server: '10.0.21.1' # V-72083
 # Encrypt audit records when they are transmitted over the network.
-#security_audisp_enable_krb5: yes # V-72085
+# security_audisp_enable_krb5: yes # V-72085
 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
 security_rhel7_audit_failure_flag: 1 # V-72081
 # Set the action to take when the disk is full or network events cannot be sent.
 security_rhel7_auditd_disk_full_action: syslog # V-72087
 security_rhel7_auditd_network_failure_action: syslog # V-72087
 # Size of remaining disk space (in MB) that triggers alerts.
-security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
+security_rhel7_auditd_space_left: >- # V-72089
+ {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
 # Action to take when the space_left threshold is reached.
 security_rhel7_auditd_space_left_action: email # V-72091
 # Send auditd email alerts to this user.
@@ -179,8 +180,8 @@ security_password_encrypt_method: SHA512 # V-71921
 # Ensure user/group admin utilities only store encrypted passwords.
 security_libuser_crypt_style_sha512: yes # V-71923
 # Set a minimum/maximum lifetime limit for user passwords.
-#security_password_min_lifetime_days: 1 # V-71925
-#security_password_max_lifetime_days: 60 # V-71929
+# security_password_min_lifetime_days: 1 # V-71925
+# security_password_max_lifetime_days: 60 # V-71929
 # Set a delay (in seconds) between failed login attempts.
 security_shadow_utils_fail_delay: 4 # V-71951
 # Set a umask for all authenticated users.
@@ -188,7 +189,7 @@ security_shadow_utils_fail_delay: 4 # V-71951
 # Create home directories for new users by default.
 security_shadow_utils_create_home: yes # V-72013
 # How many old user password to remember to prevent password re-use.
-#security_password_remember_password: 5 # V-71933
+# security_password_remember_password: 5 # V-71933
 # Disable user accounts if the password expires.
 security_disable_account_if_password_expires: no # V-71941
 # Lock user accounts with excessive login failures. See documentation.
@@ -198,7 +199,7 @@ security_pam_faillock_attempts: 3
 security_pam_faillock_deny_root: yes # RHEL-07-010373
 security_pam_faillock_unlock_time: 604800 # V-71943
 # Limit the number of concurrent connections per account.
-#security_rhel7_concurrent_session_limit: 10 # V-72217
+# security_rhel7_concurrent_session_limit: 10 # V-72217
 # Remove .shosts and shosts.equiv files.
 security_rhel7_remove_shosts_files: no # V-72277
 # Exclude these directories from the shosts files find
@@ -263,7 +264,7 @@ security_enable_grub_update: yes
 # Require authentication in GRUB to boot into single-user or maintenance modes.
 security_require_grub_authentication: no # V-71961 / V-71963
 # The default password for grub authentication is 'secrete'.
-security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
+security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
 # Set session timeout.
 security_rhel7_session_timeout: 600 # V-72223
 # Enable chrony for NTP time synchronization.
diff --git a/handlers/main.yml b/handlers/main.yml
index 2dd5f16a..8b55dc6a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -17,76 +17,48 @@
 #
 # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
 # since it's a special service. Using the old service scripts is required.
-- name: restart auditd
+- name: Restart auditd
 command: service auditd restart # noqa: command-instead-of-module
+ changed_when: false
-- name: restart chrony
+- name: Restart chrony
 service:
 name: "{{ chrony_service }}"
 state: restarted
-- name: restart fail2ban
- service:
- name: fail2ban
- state: restarted
-
-- name: restart postfix
- service:
- name: postfix
- state: restarted
-
-- name: restart rsyslog
- service:
- name: rsyslog
- state: restarted
-
-- name: restart samba
- service:
- name: smbd
- state: restarted
-
-- name: restart ssh
+- name: Restart ssh
 service:
 name: "{{ ssh_service }}"
 state: restarted
-- name: restart vsftpd
- service:
- name: vsftpd
- state: restarted
-
-- name: restart clamav
+- name: Restart clamav
 service:
 name: "{{ clamav_service }}"
 state: restarted
 # Miscellaneous ##############################################################
-- name: generate auditd rules
+- name: Generate auditd rules
 command: augenrules --load
+ changed_when: false
 notify: restart auditd
-- name: rehash aliases
- command: newaliases
-
-- name: update grub config
+- name: Update grub config
 command: "{{ grub_update_cmd }}"
+ changed_when: false
 when:
 - security_enable_grub_update | bool
 - grub_update_binary.stat.exists | bool
 - grub_update_binary.stat.executable | bool
 notify:
- - set bootloader file permissions after updating grub config
+ - Set bootloader file permissions after updating grub config
 # NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
 # change, which breaks V-38583.
-- name: set bootloader file permissions after updating grub config
+- name: Set bootloader file permissions after updating grub config
 file:
 path: "{{ grub_config_file_boot }}"
 mode: "0644"
-- name: dconf update
+- name: Dconf update
 command: dconf update
-
-- name: reload systemd
- systemd:
- daemon-reload: yes
+ changed_when: false
diff --git a/meta/main.yml b/meta/main.yml
index 51e7aa3a..1851c79d 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -4,20 +4,23 @@ galaxy_info:
 description: Security hardening role for OpenStack-Ansible
 company: OpenStack
 license: Apache
- min_ansible_version: 2.10
+ role_name: hardening
+ namespace: openstack
+ min_ansible_version: "2.10"
 platforms:
- - name: Debian
- versions:
- - buster
- - name: EL
- versions:
- - 8
- - name: Ubuntu
- versions:
- - bionic
- - focal
- categories:
- - cloud
- - security
- - system
+ - name: Debian
+ versions:
+ - bullseye
+ - name: EL
+ versions:
+ - "8"
+ - "9"
+ - name: Ubuntu
+ versions:
+ - focal
+ - jammy
+ galaxy_tags:
+ - cloud
+ - security
+ - system
 dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
index ab7c513e..db8b5083 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,8 +44,8 @@
 - name: Set facts
 set_fact:
- check_mode: "{{ noop_result is skipped }}"
- linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
+ check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
+ linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
 grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
 tags:
 - always
@@ -57,8 +57,10 @@
 tags:
 - always
-- import_tasks: "{{ stig_version }}stig/main.yml"
+- name: Importing STIG tasks
+ import_tasks: "{{ stig_version }}stig/main.yml"
-- include_tasks: contrib/main.yml
+- name: Including contrib tasks
+ include_tasks: contrib/main.yml
 when:
 - security_contrib_enabled | bool
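Review bot: `notify: restart auditd` inside the `Generate auditd rules` handler still uses the old lower-case name, while the handler it targets is renamed to `Restart auditd` a few lines above; Ansible matches handler names as exact strings, so the first run that loads new rules will abort with an unknown-handler error and auditd will never be restarted. Change that line to `notify: Restart auditd`. The `changed_when: false` added to `Restart auditd`, `Generate auditd rules`, `Update grub config` and `Dconf update` also makes handlers that really restart a daemon, load a new audit ruleset or rewrite the bootloader config report "ok", which hides security-relevant actions from the play recap and from anyone reviewing run logs; the lint rule being silenced is meant for read-only commands, so I would drop these lines or use `changed_when: true`. I cannot see whether any task in the role still notifies the removed `restart rsyslog`, `restart postfix`, `reload systemd` or `rehash aliases` handlers; any that does will now fail the play, so that is worth a grep before merging.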
diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml
index 90551de4..ddff52ed 100644
--- a/tasks/rhel7stig/accounts.yml
+++ b/tasks/rhel7stig/accounts.yml
@@ -71,6 +71,7 @@
 option: crypt_style
 value: sha512
 backup: yes
+ mode: "0644"
 when:
 - security_libuser_crypt_style_sha512 | bool
 - ansible_facts['os_family'] | lower == 'redhat'
@@ -84,6 +85,7 @@
 # system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts
 command: "chage -m 1 {{ item.name }}"
+ changed_when: false
 when:
 - item.shadow is mapping
 - item.shadow.min_days != 1
@@ -100,6 +102,7 @@
 # system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts
 command: "chage -M 60 {{ item.name }}"
+ changed_when: false
 when:
 - item.shadow is mapping
 - item.shadow.max_days > 60
@@ -245,5 +248,3 @@
 - accounts
 - medium
 - V-73159
-
-
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index 4c66866d..8801f97d 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -28,6 +28,7 @@
 template:
 src: ZZ_aide_exclusions.j2
 dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
+ mode: "0644"
 when: aide_conf.results[0].stat.exists | bool
 tags:
 - medium
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index 94b8cab0..35c3c372 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -103,6 +103,7 @@
 line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
 state: present
 create: yes
+ mode: "0644"
 when:
 - security_package_clean_on_remove | bool
 - ansible_facts['os_family'] | lower == 'debian'
@@ -115,6 +116,7 @@
 copy:
 src: 20auto-upgrades
 dest: /etc/apt/apt.conf.d/20auto-upgrades
+ mode: "0644"
 when:
 - ansible_facts['os_family'] | lower == 'debian'
 - security_rhel7_automatic_package_updates | bool
diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml
index 096b115c..fbe94995 100644
--- a/tasks/rhel7stig/auditd.yml
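Review bot: `changed_when: false` on the two `chage` tasks (the hunks at 84 and 100) misreports real changes: each task is already guarded by `item.shadow.min_days != 1` / `item.shadow.max_days > 60`, so it only runs when it actually rewrites password-ageing fields in /etc/shadow, and marking that as unchanged hides a security-relevant modification from the play recap and from anything that diffs run reports. Remove the line or set `changed_when: true`; the rule being silenced exists for commands that only read state. The user name is also interpolated unquoted into `command: "chage -m 1 {{ item.name }}"`; `command` does not invoke a shell, so this is not an injection path, but a name containing whitespace would be split into extra arguments and either fail or target the wrong account, so `command: "chage -m 1 '{{ item.name }}'"` is safer. The loop these tasks iterate over is not visible in the hunk.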
+++ b/tasks/rhel7stig/auditd.yml
@@ -38,7 +38,7 @@
 - security_audisp_remote_server is defined
 - audisp_remote_conf.stat.exists
 notify:
- - restart auditd
+ - Restart auditd
 tags:
 - medium
 - auditd
@@ -53,7 +53,7 @@
 - security_audisp_enable_krb5 is defined
 - audisp_remote_conf.stat.exists
 notify:
- - restart auditd
+ - Restart auditd
 tags:
 - medium
 - auditd
@@ -73,7 +73,7 @@
 when:
 - auditd_conf.stat.exists
 notify:
- - generate auditd rules
+ - Generate auditd rules
 tags:
 - always
@@ -84,7 +84,7 @@
 when:
 - auditd_conf.stat.exists
 notify:
- - generate auditd rules
+ - Generate auditd rules
 tags:
 - always
@@ -92,10 +92,11 @@
 template:
 src: osas-auditd-rhel7.j2
 dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
+ mode: "0644"
 when:
 - auditd_conf.stat.exists
 notify:
- - generate auditd rules
+ - Generate auditd rules
 tags:
 - auditd
 - V-72167
@@ -163,7 +164,7 @@
 - auditd_conf.stat.exists
 - audisp_remote_conf.stat.exists
 notify:
- - restart auditd
+ - Restart auditd
 tags:
 - high
 - auditd
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 21660d58..ded697e2 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -54,7 +54,7 @@
 line: '\1\2'
 backup: yes
 backrefs: yes
- loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}"
+ loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
 when:
 - ansible_facts['os_family'] == 'RedHat'
 - security_disallow_blank_password_login | bool
@@ -185,7 +185,7 @@
 password_pbkdf2 root {{ security_grub_password_hash }}
 state: present
 notify:
- - update grub config
+ - Update grub config
 - name: Set CLASS for grub file
 lineinfile:
 path: "{{ grub_linux_file }}"
@@ -194,7 +194,7 @@
 state: present
 backrefs: yes
 notify:
- - update grub config
+ - Update grub config
 when:
 - grub_custom_file_check.stat.exists | bool
 - security_require_grub_authentication | bool
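Review bot: `mode: "0644"` on the `/etc/audit/rules.d/osas-auditd-rhel7.rules` template (hunk at 92) makes the deployed audit ruleset world-readable, so any local user can read exactly which syscalls, paths and accounts are being watched and, more usefully to an attacker, which are not. As far as I recall, the auditd package itself ships its rules files without world access and the RHEL 8 STIG requires `/etc/audit/rules.d/*.rules` to be 0640 or stricter, so with EL 8 and 9 now listed as supported platforms this sets a looser mode than the baseline the role is meant to enforce. Use `mode: "0640"` and add `owner: root` and `group: root` so ownership is explicit rather than inherited from whatever created the file. The other mode additions in this commit are on ordinarily world-readable configuration and are fine at 0644.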
@@ -208,6 +208,7 @@
 blockinfile:
 dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
 create: yes
+ mode: "0644"
 block: |
 # Deployed by the ansible-hardening role
 # V-72217 - Limit concurrent sessions for all accounts/types
diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml
index e58073d8..abe1ef7a 100644
--- a/tasks/rhel7stig/dnf.yml
+++ b/tasks/rhel7stig/dnf.yml
@@ -13,7 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- include_tasks: rpm.yml
+- name: Including rpm tasks
+ include_tasks: rpm.yml
 - name: Check if /etc/dnf/automatic.conf exists
 stat:
diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml
index b86ae02a..48b6f6cf 100644
--- a/tasks/rhel7stig/graphical.yml
+++ b/tasks/rhel7stig/graphical.yml
@@ -56,6 +56,7 @@
 copy:
 src: dconf-user-profile
 dest: /etc/dconf/profile/user
+ mode: "0644"
 when:
 - dconf_check.stat.exists
 tags:
@@ -69,6 +70,7 @@
 file:
 path: "{{ item }}"
 state: directory
+ mode: "0755"
 with_items:
 - /etc/dconf/db/local.d/
 - /etc/dconf/db/local.d/locks
@@ -87,10 +89,11 @@
 template:
 src: dconf-screensaver-lock.j2
 dest: /etc/dconf/db/local.d/00-screensaver
+ mode: "0644"
 when:
 - dconf_check.stat.exists
 notify:
- - dconf update
+ - Dconf update
 tags:
 - graphical
 - medium
@@ -102,10 +105,11 @@
 template:
 src: dconf-session-user-config-lockout.j2
 dest: /etc/dconf/db/local.d/locks/session
+ mode: "0644"
 when:
 - dconf_check.stat.exists
 notify:
- - dconf update
+ - Dconf update
 tags:
 - graphical
 - medium
@@ -117,10 +121,11 @@
 copy:
 src: dconf-profile-gdm
 dest: /etc/dconf/profile/gdm
+ mode: "0644"
 when:
 - dconf_check.stat.exists
 notify:
- - dconf update
+ - Dconf update
 tags:
 - graphical
 - medium
@@ -130,13 +135,14 @@
 template:
 src: dconf-gdm-banner-message.j2
 dest: "{{ item }}"
+ mode: "0644"
 with_items:
 - /etc/dconf/db/gdm.d/01-banner-message
 - /etc/dconf/db/local.d/01-banner-message
 when:
 - dconf_check.stat.exists
 notify:
- - dconf update
+ - Dconf update
 tags:
 - graphical
 - medium
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index af4f362e..49577a2e 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -18,6 +18,7 @@
 dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
 line: install usb-storage /bin/true
 create: yes
+ mode: "0644"
 when:
 - security_rhel7_disable_usb_storage | bool
 tags:
@@ -49,7 +50,7 @@
 - C-00001
 - name: Check kdump service
- command: systemctl status kdump # noqa 303
+ command: systemctl status kdump # noqa: command-instead-of-module
 register: kdump_service_check
 failed_when: kdump_service_check.rc not in [0,3,4]
 changed_when: False
@@ -101,6 +102,7 @@
 copy:
 src: ansible-hardening-disable-dccp.conf
 dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
+ mode: "0644"
 when:
 - security_rhel7_disable_dccp | bool
 tags:
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index c424b5bf..b52892fa 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -32,7 +32,7 @@
 # started apparmor each time. This breaks idempotency and we check
 # systemd's status directly as an alternative.
 - name: Check if apparmor is running
- command: "systemctl status apparmor" # noqa 303
+ command: "systemctl status apparmor" # noqa: command-instead-of-module
 register: systemctl_apparmor_status
 check_mode: no
 changed_when: false
@@ -96,6 +97,7 @@
 file:
 path: /.autorelabel
 state: touch
+ mode: "0644"
 when:
 - ansible_facts['os_family'] == "RedHat"
 - security_rhel7_enable_linux_security_module | bool
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 07a2e835..ab886a43 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -34,7 +34,8 @@
 # Some of the tasks in the role may take a long time to run. Let's start them
 # as early as possible so they have time to finish.
-- import_tasks: async_tasks.yml
+- name: Importing async_tasks tasks
+ import_tasks: async_tasks.yml
 - name: Get user data for all users on the system
 get_users:
@@ -67,29 +68,41 @@
 # Package installations and removals must come first so that configuration
 # changes can be made later.
-- import_tasks: packages.yml
+- name: Importing packages tasks
+ import_tasks: packages.yml
 tags:
 - always
 # Package managers are managed first since the changes in these tasks will
 # affect the remainder of the tasks in the role.
-- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
+- name: Including OS-specific tasks
+ include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
 # The bulk of the security changes are applied in these tasks. The tasks in
 # each file are tagged with the same name (for example, tasks in `auth.yml`
 # are tagged with `auth`). Also, the tag name matches up with the "STIG
 # Controls by Tag" section of the role documentation.
-- import_tasks: accounts.yml
-- import_tasks: aide.yml
+- name: Importing accounts tasks
+ import_tasks: accounts.yml
+- name: Importing aide tasks
+ import_tasks: aide.yml
 when: security_rhel7_enable_aide | bool
-- import_tasks: auditd.yml
-- import_tasks: auth.yml
-- import_tasks: file_perms.yml
-- import_tasks: graphical.yml
-- import_tasks: kernel.yml
-- import_tasks: lsm.yml
-- import_tasks: misc.yml
-- import_tasks: sshd.yml
+- name: Importing auditd tasks
+ import_tasks: auditd.yml
+- name: Importing auth tasks
+ import_tasks: auth.yml
+- name: Importing file_perms tasks
+ import_tasks: file_perms.yml
+- name: Importing graphical tasks
+ import_tasks: graphical.yml
+- name: Importing kernel tasks
+ import_tasks: kernel.yml
+- name: Importing lsm tasks
+ import_tasks: lsm.yml
+- name: Importing misc tasks
+ import_tasks: misc.yml
+- name: Importing sshd tasks
+ import_tasks: sshd.yml
 - name: Remove the temporary directory
 file:
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 98a00453..82deccd3 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -14,7 +14,7 @@
 # limitations under the License.
 - name: Check autofs service
- command: systemctl status autofs # noqa 303
+ command: systemctl status autofs # noqa: command-instead-of-module
 register: autofs_check
 failed_when: autofs_check.rc not in [0,3,4]
 changed_when: False
@@ -150,7 +150,7 @@
 - security_enable_virus_scanner | bool
 - ansible_facts['os_family'] | lower == 'redhat'
 notify:
- - restart clamav
+ - Restart clamav
 tags:
 - misc
 - V-72213
@@ -166,7 +166,7 @@
 - security_enable_virus_scanner | bool
 - ansible_facts['os_family'] | lower == 'redhat'
 notify:
- - restart clamav
+ - Restart clamav
 tags:
 - misc
 - V-72213
@@ -174,7 +174,7 @@
 - name: Ensure ClamAV socket directory exists
 file:
 path: "{{ clamav_service_details['socket_path'] | dirname }}"
- user: "{{ clamav_service_details['user'] }}"
+ owner: "{{ clamav_service_details['user'] }}"
 group: "{{ clamav_service_details['group'] }}"
 mode: "{{ clamav_service_details['mode'] }}"
 when:
@@ -182,7 +182,7 @@
 - security_enable_virus_scanner | bool
 - ansible_facts['os_family'] | lower == 'redhat'
 notify:
- - restart clamav
+ - Restart clamav
 tags:
 - misc
 - V-72213
@@ -197,7 +197,7 @@
 - security_enable_virus_scanner | bool
 - ansible_facts['os_family'] | lower == 'redhat'
 notify:
- - restart clamav
+ - Restart clamav
 tags:
 - misc
 - V-72213
@@ -293,11 +293,12 @@
 template:
 src: chrony.conf.j2
 dest: "{{ chrony_conf_file }}"
+ mode: "0644"
 when:
 - chrony_conf_check.stat.exists | bool
 - security_rhel7_enable_chrony | bool
 notify:
- - restart chrony
+ - Restart chrony
 tags:
 - medium
 - misc
@@ -305,7 +306,7 @@
 # Returns 0 if installed, 3 if not installed
 - name: Check firewalld status
- command: systemctl status firewalld # noqa 303
+ command: systemctl status firewalld # noqa: command-instead-of-module
 register: firewalld_status_check
 failed_when: firewalld_status_check.rc not in [0,3,4]
 changed_when: False
@@ -327,7 +328,9 @@
 - V-72273
 - name: Limit new TCP connections to 25/minute and allow bursting to 100
- command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
+ command: >-
+ firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
+ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
 register: add_rate_limit_firewalld_rule
 changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
 when:
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 008b04ae..72e7b722 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -19,6 +19,7 @@
 dest: "{{ security_sshd_banner_file }}"
 owner: root
 group: root
+ mode: "0644"
 tags:
 - high
 - sshd
@@ -33,7 +34,7 @@
 validate: '/usr/sbin/sshd -T -f %s'
 with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
 notify:
- - restart ssh
+ - Restart ssh
 tags:
 - high
 - sshd
@@ -71,7 +72,7 @@
 {{ option['name'] ~ ' ' ~ option['value'] }}
 {% endfor %}
 notify:
- - restart ssh
+ - Restart ssh
 tags:
 - high
 - sshd
diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml
index 66cc3960..025406ab 100644
--- a/tasks/rhel7stig/yum.yml
+++ b/tasks/rhel7stig/yum.yml
@@ -13,7 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- include_tasks: rpm.yml
+- name: Including rpm tasks
+ include_tasks: rpm.yml
 - name: Check if /etc/yum/yum-cron.conf exists
 stat:
diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml
index 68655356..88428fe8 100644
--- a/tasks/rhel7stig/zypper.yml
+++ b/tasks/rhel7stig/zypper.yml
@@ -100,6 +100,7 @@
 copy:
 src: zypper-autoupdates
 dest: /etc/cron.daily/zypper-autoupdates
+ mode: "0750"
 when:
 - security_rhel7_automatic_package_updates | bool
 tags:
diff --git a/vars/main.yml b/vars/main.yml
index 71f289df..7e4356f9 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -327,7 +327,7 @@ sysctl_settings_rhel7:
 enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
 - name: net.ipv4.conf.default.accept_source_route
 value: 0
- enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
 - name: net.ipv4.icmp_echo_ignore_broadcasts
 value: 1
 enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
@@ -407,7 +407,7 @@ sshd_settings_rhel7:
 enabled: yes
 stig_id: V-72251
 - name: MACs
- value: "{{security_sshd_allowed_macs }}"
+ value: "{{ security_sshd_allowed_macs }}"
 enabled: yes
 stig_id: V-72253
 - name: UsePrivilegeSeparation
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 058ddb4b..eb183c59 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -45,7 +45,7 @@ clamav_service_details:
 user: clamscan
 group: virusgroup
 socket_path: /run/clamd.scan/clamd.sock
- mode: 0710
+ mode: "0710"
 # Commands
 grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml
index a0a64d01..8c53c17d 100644
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
@@ -45,7 +45,7 @@ clamav_service_details:
 user: clamscan
 group: virusgroup
 socket_path: /run/clamd.scan/clamd.sock
- mode: 0710
+ mode: "0710"
 # Commands
 grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
diff --git a/vars/redhat-9.yml b/vars/redhat-9.yml
index a0a64d01..8c53c17d 100644
--- a/vars/redhat-9.yml
+++ b/vars/redhat-9.yml
@@ -45,7 +45,7 @@ clamav_service_details:
 user: clamscan
 group: virusgroup
 socket_path: /run/clamd.scan/clamd.sock
- mode: 0710
+ mode: "0710"
 # Commands
 grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
diff --git a/vars/suse.yml b/vars/suse.yml
index debd511b..cb1b24b5 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg
 # NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
 # create the EFI distro directory. Since this information is not available on
 # Ansible, we have to improvise a bit...
-grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
+grub_conf_file_efi: >-
+ {% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new