From db5c6f2d66cb1c78d2bff8bd24b016be1c6e4439 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Mon, 17 Jul 2023 14:25:21 +0200 Subject: [PATCH] Fix linters and metadata With update of ansible-lint to version >=6.0.0 a lot of new linters were added, that enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metdata to reflect current state. Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6 --- defaults/main.yml | 17 +++++------ handlers/main.yml | 54 +++++++++-------------------------- meta/main.yml | 33 +++++++++++---------- tasks/main.yml | 10 ++++--- tasks/rhel7stig/accounts.yml | 5 ++-- tasks/rhel7stig/aide.yml | 1 + tasks/rhel7stig/apt.yml | 2 ++ tasks/rhel7stig/auditd.yml | 13 +++++---- tasks/rhel7stig/auth.yml | 7 +++-- tasks/rhel7stig/dnf.yml | 3 +- tasks/rhel7stig/graphical.yml | 14 ++++++--- tasks/rhel7stig/kernel.yml | 4 ++- tasks/rhel7stig/lsm.yml | 3 +- tasks/rhel7stig/main.yml | 39 ++++++++++++++++--------- tasks/rhel7stig/misc.yml | 21 ++++++++------ tasks/rhel7stig/sshd.yml | 5 ++-- tasks/rhel7stig/yum.yml | 3 +- tasks/rhel7stig/zypper.yml | 1 + vars/main.yml | 4 +-- vars/redhat-7.yml | 2 +- vars/redhat-8.yml | 2 +- vars/redhat-9.yml | 2 +- vars/suse.yml | 3 +- 23 files changed, 131 insertions(+), 117 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 28a93611..43045465 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -82,16 +82,17 @@ security_aide_exclude_dirs: ## Audit daemon (auditd) # Send audit records to a different system using audisp. -#security_audisp_remote_server: '10.0.21.1' # V-72083 +# security_audisp_remote_server: '10.0.21.1' # V-72083 # Encrypt audit records when they are transmitted over the network. -#security_audisp_enable_krb5: yes # V-72085 +# security_audisp_enable_krb5: yes # V-72085 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING! security_rhel7_audit_failure_flag: 1 # V-72081 # Set the action to take when the disk is full or network events cannot be sent. security_rhel7_auditd_disk_full_action: syslog # V-72087 security_rhel7_auditd_network_failure_action: syslog # V-72087 # Size of remaining disk space (in MB) that triggers alerts. -security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089 +security_rhel7_auditd_space_left: >- # V-72089 + {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }} # Action to take when the space_left threshold is reached. security_rhel7_auditd_space_left_action: email # V-72091 # Send auditd email alerts to this user. @@ -179,8 +180,8 @@ security_password_encrypt_method: SHA512 # V-71921 # Ensure user/group admin utilities only store encrypted passwords. security_libuser_crypt_style_sha512: yes # V-71923 # Set a minimum/maximum lifetime limit for user passwords. -#security_password_min_lifetime_days: 1 # V-71925 -#security_password_max_lifetime_days: 60 # V-71929 +# security_password_min_lifetime_days: 1 # V-71925 +# security_password_max_lifetime_days: 60 # V-71929 # Set a delay (in seconds) between failed login attempts. security_shadow_utils_fail_delay: 4 # V-71951 # Set a umask for all authenticated users. 
@@ -188,7 +189,7 @@ security_shadow_utils_fail_delay: 4 # V-71951 # Create home directories for new users by default. security_shadow_utils_create_home: yes # V-72013 # How many old user password to remember to prevent password re-use. -#security_password_remember_password: 5 # V-71933 +# security_password_remember_password: 5 # V-71933 # Disable user accounts if the password expires. security_disable_account_if_password_expires: no # V-71941 # Lock user accounts with excessive login failures. See documentation. @@ -198,7 +199,7 @@ security_pam_faillock_attempts: 3 security_pam_faillock_deny_root: yes # RHEL-07-010373 security_pam_faillock_unlock_time: 604800 # V-71943 # Limit the number of concurrent connections per account. -#security_rhel7_concurrent_session_limit: 10 # V-72217 +# security_rhel7_concurrent_session_limit: 10 # V-72217 # Remove .shosts and shosts.equiv files. security_rhel7_remove_shosts_files: no # V-72277 # Exclude these directories from the shosts files find 
@@ -263,7 +264,7 @@ security_enable_grub_update: yes # Require authentication in GRUB to boot into single-user or maintenance modes. security_require_grub_authentication: no # V-71961 / V-71963 # The default password for grub authentication is 'secrete'. -security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B +security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length] # Set session timeout. security_rhel7_session_timeout: 600 # V-72223 # Enable chrony for NTP time synchronization. diff --git a/handlers/main.yml b/handlers/main.yml index 2dd5f16a..8b55dc6a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
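Review bot: The `# noqa: yaml[line-length]` preserves a default that is itself the security problem: the comment two lines up states that this PBKDF2 hash is for the password `secrete`, so any deployment that flips `security_require_grub_authentication` to yes without overriding `security_grub_password_hash` protects the bootloader with a published password. The defaults file cannot know operator intent, but the comment should at least read `# WARNING: override this hash before enabling grub authentication; the default password 'secrete' is public.` Where the hash is written to the grub config (`tasks/rhel7stig/auth.yml`, outside this hunk) an `assert` task comparing `security_grub_password_hash` against this default, gated on `security_require_grub_authentication | bool`, would turn the foot-gun into a loud failure.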
@@ -17,76 +17,48 @@ # # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS # since it's a special service. Using the old service scripts is required. -- name: restart auditd +- name: Restart auditd command: service auditd restart # noqa: command-instead-of-module + changed_when: false -- name: restart chrony +- name: Restart chrony service: name: "{{ chrony_service }}" state: restarted -- name: restart fail2ban - service: - name: fail2ban - state: restarted - -- name: restart postfix - service: - name: postfix - state: restarted - -- name: restart rsyslog - service: - name: rsyslog - state: restarted - -- name: restart samba - service: - name: smbd - state: restarted - -- name: restart ssh +- name: Restart ssh service: name: "{{ ssh_service }}" state: restarted -- name: restart vsftpd - service: - name: vsftpd - state: restarted - -- name: restart clamav +- name: Restart clamav service: name: "{{ clamav_service }}" state: restarted # Miscellaneous ############################################################## -- name: generate auditd rules +- name: Generate auditd rules command: augenrules --load + changed_when: false notify: restart auditd -- name: rehash aliases - command: newaliases - -- name: update grub config +- name: Update grub config command: "{{ grub_update_cmd }}" + changed_when: false when: - security_enable_grub_update | bool - grub_update_binary.stat.exists | bool - grub_update_binary.stat.executable | bool notify: - - set bootloader file permissions after updating grub config + - Set bootloader file permissions after updating grub config # NOTE(mhayden): Running `update-grub` causes the bootloader permissions to # change, which breaks V-38583. 
-- name: set bootloader file permissions after updating grub config +- name: Set bootloader file permissions after updating grub config file: path: "{{ grub_config_file_boot }}" mode: "0644" -- name: dconf update +- name: Dconf update command: dconf update - -- name: reload systemd - systemd: - daemon-reload: yes + changed_when: false diff --git a/meta/main.yml b/meta/main.yml index 51e7aa3a..1851c79d 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,20 +4,23 @@ galaxy_info: description: Security hardening role for OpenStack-Ansible company: OpenStack license: Apache - min_ansible_version: 2.10 + role_name: hardening + namespace: openstack + min_ansible_version: "2.10" platforms: - - name: Debian - versions: - - buster - - name: EL - versions: - - 8 - - name: Ubuntu - versions: - - bionic - - focal - categories: - - cloud - - security - - system + - name: Debian + versions: + - bullseye + - name: EL + versions: + - "8" + - "9" + - name: Ubuntu + versions: + - focal + - jammy + galaxy_tags: + - cloud + - security + - system dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index ab7c513e..db8b5083 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -44,8 +44,8 @@ - name: Set facts set_fact: - check_mode: "{{ noop_result is skipped }}" - linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}" + check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved] + linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}" grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" tags: - always @@ -57,8 +57,10 @@ tags: - always -- import_tasks: "{{ stig_version }}stig/main.yml" +- name: Importing STIG tasks + import_tasks: "{{ stig_version }}stig/main.yml" -- include_tasks: contrib/main.yml +- name: Including contrib tasks + include_tasks: contrib/main.yml when: - security_contrib_enabled | bool 
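Review bot: `changed_when: false` on the `Generate auditd rules` and `Update grub config` handlers makes their own `notify:` lines dead, because a handler only fires the handlers it notifies when it reports a change, so `Set bootloader file permissions after updating grub config` (the V-38583 fix-up the NOTE directly below describes) and the auditd restart can no longer be triggered from here. Also, `notify: restart auditd` under `Generate auditd rules` is untouched context while the handler it names was renamed to `Restart auditd`; handler lookup is, as far as I can tell, an exact string match, so once that notify can fire again it would abort with a handler-not-found error. These commands always mutate state when a handler runs them, so the linter-clean form is `changed_when: true` (or `# noqa: no-changed-when` with a one-line justification), together with `notify: Restart auditd`. The deleted handlers (`restart rsyslog`, `restart postfix`, `reload systemd`, …) are presumably unreferenced, but nothing in this diff shows their notifiers going away, so a grep of `notify:` targets under tasks/ is worth doing before merging.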
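Review bot: Suppressing `var-naming[no-reserved]` on `check_mode: "{{ noop_result is skipped }}"` keeps a fact whose name collides with Ansible's `check_mode` task keyword, which is exactly what the rule exists to catch; inside templates the fact is what gets read, while `check_mode:` on a task line is still the keyword, and the two can silently disagree. The durable fix is a rename such as `security_check_mode` with its consumers updated, but those consumers live elsewhere in the role and are not visible in this diff, so confirm with a grep first. If the suppression stays, a comment above it saying why the reserved name is retained would save the next reader the same investigation.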
diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml index 90551de4..ddff52ed 100644 --- a/tasks/rhel7stig/accounts.yml +++ b/tasks/rhel7stig/accounts.yml @@ -71,6 +71,7 @@ option: crypt_style value: sha512 backup: yes + mode: "0644" when: - security_libuser_crypt_style_sha512 | bool - ansible_facts['os_family'] | lower == 'redhat' @@ -84,6 +85,7 @@ # system. See bug 1659232 for more details. - name: Set minimum password lifetime limit to 24 hours for interactive accounts command: "chage -m 1 {{ item.name }}" + changed_when: false when: - item.shadow is mapping - item.shadow.min_days != 1 @@ -100,6 +102,7 @@ # system. See bug 1659232 for more details. - name: Set maximum password lifetime limit to 60 days for interactive accounts command: "chage -M 60 {{ item.name }}" + changed_when: false when: - item.shadow is mapping - item.shadow.max_days > 60 @@ -245,5 +248,3 @@ - accounts - medium - V-73159 - - diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml index 4c66866d..8801f97d 100644 --- a/tasks/rhel7stig/aide.yml +++ b/tasks/rhel7stig/aide.yml @@ -28,6 +28,7 @@ template: src: ZZ_aide_exclusions.j2 dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions + mode: "0644" when: aide_conf.results[0].stat.exists | bool tags: - medium diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml index 94b8cab0..35c3c372 100644 --- a/tasks/rhel7stig/apt.yml +++ b/tasks/rhel7stig/apt.yml @@ -103,6 +103,7 @@ line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";" state: present create: yes + mode: "0644" when: - security_package_clean_on_remove | bool - ansible_facts['os_family'] | lower == 'debian' @@ -115,6 +116,7 @@ copy: src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades + mode: "0644" when: - ansible_facts['os_family'] | lower == 'debian' - security_rhel7_automatic_package_updates | bool diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml index 096b115c..fbe94995 100644 --- a/tasks/rhel7stig/auditd.yml 
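Review bot: `changed_when: false` on `chage -m 1 {{ item.name }}` and `chage -M 60 {{ item.name }}` is the wrong way to satisfy `no-changed-when`: both tasks are already guarded by `when:` conditions on `item.shadow.min_days` / `item.shadow.max_days`, so they only execute when they genuinely rewrite the account's aging fields, and reporting that as unchanged hides a password-policy modification from the play recap and from anyone using run output as V-71925 / V-71929 evidence. `changed_when: true` is the accurate value for both. The `mode: "0644"` additions on libuser.conf, the AIDE exclusions template and the apt conf files are appropriate for world-readable configuration and need no change.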
+++ b/tasks/rhel7stig/auditd.yml @@ -38,7 +38,7 @@ - security_audisp_remote_server is defined - audisp_remote_conf.stat.exists notify: - - restart auditd + - Restart auditd tags: - medium - auditd @@ -53,7 +53,7 @@ - security_audisp_enable_krb5 is defined - audisp_remote_conf.stat.exists notify: - - restart auditd + - Restart auditd tags: - medium - auditd @@ -73,7 +73,7 @@ when: - auditd_conf.stat.exists notify: - - generate auditd rules + - Generate auditd rules tags: - always @@ -84,7 +84,7 @@ when: - auditd_conf.stat.exists notify: - - generate auditd rules + - Generate auditd rules tags: - always @@ -92,10 +92,11 @@ template: src: osas-auditd-rhel7.j2 dest: /etc/audit/rules.d/osas-auditd-rhel7.rules + mode: "0644" when: - auditd_conf.stat.exists notify: - - generate auditd rules + - Generate auditd rules tags: - auditd - V-72167 @@ -163,7 +164,7 @@ - auditd_conf.stat.exists - audisp_remote_conf.stat.exists notify: - - restart auditd + - Restart auditd tags: - high - auditd diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index 21660d58..ded697e2 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -54,7 +54,7 @@ line: '\1\2' backup: yes backrefs: yes - loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}" + loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}" when: - ansible_facts['os_family'] == 'RedHat' - security_disallow_blank_password_login | bool @@ -185,7 +185,7 @@ password_pbkdf2 root {{ security_grub_password_hash }} state: present notify: - - update grub config + - Update grub config - name: Set CLASS for grub file lineinfile: path: "{{ grub_linux_file }}" @@ -194,7 +194,7 @@ state: present backrefs: yes notify: - - update grub config + - Update grub config when: - grub_custom_file_check.stat.exists | bool - security_require_grub_authentication | bool 
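Review bot: The reformatted `loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"` still nests template markers inside a Jinja expression, which only works if the rendered result is templated a second time; that re-templating behaviour is something I would not rely on across ansible-core versions, and the quoted form hides the variables from any tooling that inspects the expression. Inside `{{ … }}` the variables can simply be referenced directly: `loop: "{{ ['auth', 'password'] | product([pam_auth_file, pam_password_file]) | list }}"`. Behaviour is otherwise identical and the line gets shorter.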
@@ -208,6 +208,7 @@ blockinfile: dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf create: yes + mode: "0644" block: | # Deployed by the ansible-hardening role # V-72217 - Limit concurrent sessions for all accounts/types diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml index e58073d8..abe1ef7a 100644 --- a/tasks/rhel7stig/dnf.yml +++ b/tasks/rhel7stig/dnf.yml @@ -13,7 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: rpm.yml +- name: Including rpm tasks + include_tasks: rpm.yml - name: Check if /etc/dnf/automatic.conf exists stat: diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml index b86ae02a..48b6f6cf 100644 --- a/tasks/rhel7stig/graphical.yml +++ b/tasks/rhel7stig/graphical.yml @@ -56,6 +56,7 @@ copy: src: dconf-user-profile dest: /etc/dconf/profile/user + mode: "0644" when: - dconf_check.stat.exists tags: @@ -69,6 +70,7 @@ file: path: "{{ item }}" state: directory + mode: "0755" with_items: - /etc/dconf/db/local.d/ - /etc/dconf/db/local.d/locks @@ -87,10 +89,11 @@ template: src: dconf-screensaver-lock.j2 dest: /etc/dconf/db/local.d/00-screensaver + mode: "0644" when: - dconf_check.stat.exists notify: - - dconf update + - Dconf update tags: - graphical - medium @@ -102,10 +105,11 @@ template: src: dconf-session-user-config-lockout.j2 dest: /etc/dconf/db/local.d/locks/session + mode: "0644" when: - dconf_check.stat.exists notify: - - dconf update + - Dconf update tags: - graphical - medium @@ -117,10 +121,11 @@ copy: src: dconf-profile-gdm dest: /etc/dconf/profile/gdm + mode: "0644" when: - dconf_check.stat.exists notify: - - dconf update + - Dconf update tags: - graphical - medium 
@@ -130,13 +135,14 @@ template: src: dconf-gdm-banner-message.j2 dest: "{{ item }}" + mode: "0644" with_items: - /etc/dconf/db/gdm.d/01-banner-message - /etc/dconf/db/local.d/01-banner-message when: - dconf_check.stat.exists notify: - - dconf update + - Dconf update tags: - graphical - medium diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml index af4f362e..49577a2e 100644 --- a/tasks/rhel7stig/kernel.yml +++ b/tasks/rhel7stig/kernel.yml @@ -18,6 +18,7 @@ dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf line: install usb-storage /bin/true create: yes + mode: "0644" when: - security_rhel7_disable_usb_storage | bool tags: @@ -49,7 +50,7 @@ - C-00001 - name: Check kdump service - command: systemctl status kdump # noqa 303 + command: systemctl status kdump # noqa: command-instead-of-module register: kdump_service_check failed_when: kdump_service_check.rc not in [0,3,4] changed_when: False @@ -101,6 +102,7 @@ copy: src: ansible-hardening-disable-dccp.conf dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf + mode: "0644" when: - security_rhel7_disable_dccp | bool tags: diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml index c424b5bf..b52892fa 100644 --- a/tasks/rhel7stig/lsm.yml +++ b/tasks/rhel7stig/lsm.yml @@ -32,7 +32,7 @@ # started apparmor each time. This breaks idempotency and we check # systemd's status directly as an alternative. - name: Check if apparmor is running - command: "systemctl status apparmor" # noqa 303 + command: "systemctl status apparmor" # noqa: command-instead-of-module register: systemctl_apparmor_status check_mode: no changed_when: false @@ -96,6 +96,7 @@ file: path: /.autorelabel state: touch + mode: "0644" when: - ansible_facts['os_family'] == "RedHat" - security_rhel7_enable_linux_security_module | bool diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index 07a2e835..ab886a43 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml 
@@ -34,7 +34,8 @@ # Some of the tasks in the role may take a long time to run. Let's start them # as early as possible so they have time to finish. -- import_tasks: async_tasks.yml +- name: Importing async_tasks tasks + import_tasks: async_tasks.yml - name: Get user data for all users on the system get_users: 
@@ -67,29 +68,41 @@ # Package installations and removals must come first so that configuration # changes can be made later. -- import_tasks: packages.yml +- name: Importing packages tasks + import_tasks: packages.yml tags: - always # Package managers are managed first since the changes in these tasks will # affect the remainder of the tasks in the role. -- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" +- name: Including OS-specific tasks + include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" # The bulk of the security changes are applied in these tasks. The tasks in # each file are tagged with the same name (for example, tasks in `auth.yml` # are tagged with `auth`). Also, the tag name matches up with the "STIG # Controls by Tag" section of the role documentation. -- import_tasks: accounts.yml -- import_tasks: aide.yml +- name: Importing accounts tasks + import_tasks: accounts.yml +- name: Importing aide tasks + import_tasks: aide.yml when: security_rhel7_enable_aide | bool -- import_tasks: auditd.yml -- import_tasks: auth.yml -- import_tasks: file_perms.yml -- import_tasks: graphical.yml -- import_tasks: kernel.yml -- import_tasks: lsm.yml -- import_tasks: misc.yml -- import_tasks: sshd.yml +- name: Importing auditd tasks + import_tasks: auditd.yml +- name: Importing auth tasks + import_tasks: auth.yml +- name: Importing file_perms tasks + import_tasks: file_perms.yml +- name: Importing graphical tasks + import_tasks: graphical.yml +- name: Importing kernel tasks + import_tasks: kernel.yml +- name: Importing lsm tasks + import_tasks: lsm.yml +- name: Importing misc tasks + import_tasks: misc.yml +- name: Importing sshd tasks + import_tasks: sshd.yml - name: Remove the temporary directory file: diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml index 98a00453..82deccd3 100644 --- a/tasks/rhel7stig/misc.yml +++ b/tasks/rhel7stig/misc.yml 
@@ -14,7 +14,7 @@ # limitations under the License. - name: Check autofs service - command: systemctl status autofs # noqa 303 + command: systemctl status autofs # noqa: command-instead-of-module register: autofs_check failed_when: autofs_check.rc not in [0,3,4] changed_when: False @@ -150,7 +150,7 @@ - security_enable_virus_scanner | bool - ansible_facts['os_family'] | lower == 'redhat' notify: - - restart clamav + - Restart clamav tags: - misc - V-72213 @@ -166,7 +166,7 @@ - security_enable_virus_scanner | bool - ansible_facts['os_family'] | lower == 'redhat' notify: - - restart clamav + - Restart clamav tags: - misc - V-72213 @@ -174,7 +174,7 @@ - name: Ensure ClamAV socket directory exists file: path: "{{ clamav_service_details['socket_path'] | dirname }}" - user: "{{ clamav_service_details['user'] }}" + owner: "{{ clamav_service_details['user'] }}" group: "{{ clamav_service_details['group'] }}" mode: "{{ clamav_service_details['mode'] }}" when: @@ -182,7 +182,7 @@ - security_enable_virus_scanner | bool - ansible_facts['os_family'] | lower == 'redhat' notify: - - restart clamav + - Restart clamav tags: - misc - V-72213 @@ -197,7 +197,7 @@ - security_enable_virus_scanner | bool - ansible_facts['os_family'] | lower == 'redhat' notify: - - restart clamav + - Restart clamav tags: - misc - V-72213 @@ -293,11 +293,12 @@ template: src: chrony.conf.j2 dest: "{{ chrony_conf_file }}" + mode: "0644" when: - chrony_conf_check.stat.exists | bool - security_rhel7_enable_chrony | bool notify: - - restart chrony + - Restart chrony tags: - medium - misc @@ -305,7 +306,7 @@ # Returns 0 if installed, 3 if not installed - name: Check firewalld status - command: systemctl status firewalld # noqa 303 + command: systemctl status firewalld # noqa: command-instead-of-module register: firewalld_status_check failed_when: firewalld_status_check.rc not in [0,3,4] changed_when: False 
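Review bot: The `user:` → `owner:` change on the ClamAV socket directory task is a functional bug fix rather than a lint change: the `file` module has no `user` option, so this task could only ever have failed with an unsupported-parameter error for anyone running with `security_enable_virus_scanner` on RedHat, which means the V-72213 socket-directory ownership and `0710` mode were never actually being enforced. That deserves a sentence in the commit message so operators know to expect a real change on the next run. The `mode` here comes from `clamav_service_details['mode']`, so the quoting of `"0710"` in the vars files later in this patch is what keeps that value an octal string rather than a bare integer.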
@@ -327,7 +328,9 @@ - V-72273 - name: Limit new TCP connections to 25/minute and allow bursting to 100 - command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT" + command: >- + firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ + security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT register: add_rate_limit_firewalld_rule changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout" when: diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml index 008b04ae..72e7b722 100644 --- a/tasks/rhel7stig/sshd.yml +++ b/tasks/rhel7stig/sshd.yml @@ -19,6 +19,7 @@ dest: "{{ security_sshd_banner_file }}" owner: root group: root + mode: "0644" tags: - high - sshd @@ -33,7 +34,7 @@ validate: '/usr/sbin/sshd -T -f %s' with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}" notify: - - restart ssh + - Restart ssh tags: - high - sshd @@ -71,7 +72,7 @@ {{ option['name'] ~ ' ' ~ option['value'] }} {% endfor %} notify: - - restart ssh + - Restart ssh tags: - high - sshd diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml index 66cc3960..025406ab 100644 --- a/tasks/rhel7stig/yum.yml +++ b/tasks/rhel7stig/yum.yml @@ -13,7 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: rpm.yml +- name: Including rpm tasks + include_tasks: rpm.yml - name: Check if /etc/yum/yum-cron.conf exists stat: diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml index 68655356..88428fe8 100644 --- a/tasks/rhel7stig/zypper.yml +++ b/tasks/rhel7stig/zypper.yml 
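Review bot: The folded `>-` rewrite of the `firewall-cmd --direct --add-rule` command still splices `security_enable_firewalld_rate_limit_per_minute` and `security_enable_firewalld_rate_limit_burst` into the argument vector unvalidated; `command:` does not go through a shell, so this is not an injection path, but a mistyped or templated-to-empty value yields either a failed task or a `-m limit` rule that does not limit what the task name promises. Rendering them as `--limit {{ security_enable_firewalld_rate_limit_per_minute | int }}/minute` and `--limit-burst {{ security_enable_firewalld_rate_limit_burst | int }}` makes non-numeric input fail loudly at template time. Breaking the line inside `{{ … }}` is valid because Jinja ignores whitespace within delimiters, but folding between `--limit` and the expression would read more naturally.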
@@ -100,6 +100,7 @@ copy: src: zypper-autoupdates dest: /etc/cron.daily/zypper-autoupdates + mode: "0750" when: - security_rhel7_automatic_package_updates | bool tags: diff --git a/vars/main.yml b/vars/main.yml index 71f289df..7e4356f9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -327,7 +327,7 @@ sysctl_settings_rhel7: enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}" - name: net.ipv4.conf.default.accept_source_route value: 0 - enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}" + enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}" - name: net.ipv4.icmp_echo_ignore_broadcasts value: 1 enabled: "{{ security_disallow_echoes_broadcast_address | bool }}" @@ -407,7 +407,7 @@ sshd_settings_rhel7: enabled: yes stig_id: V-72251 - name: MACs - value: "{{security_sshd_allowed_macs }}" + value: "{{ security_sshd_allowed_macs }}" enabled: yes stig_id: V-72253 - name: UsePrivilegeSeparation diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml index 058ddb4b..eb183c59 100644 --- a/vars/redhat-7.yml +++ b/vars/redhat-7.yml @@ -45,7 +45,7 @@ clamav_service_details: user: clamscan group: virusgroup socket_path: /run/clamd.scan/clamd.sock - mode: 0710 + mode: "0710" # Commands grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml index a0a64d01..8c53c17d 100644 --- a/vars/redhat-8.yml +++ b/vars/redhat-8.yml @@ -45,7 +45,7 @@ clamav_service_details: user: clamscan group: virusgroup socket_path: /run/clamd.scan/clamd.sock - mode: 0710 + mode: "0710" # Commands grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" diff --git a/vars/redhat-9.yml b/vars/redhat-9.yml index a0a64d01..8c53c17d 100644 --- a/vars/redhat-9.yml +++ b/vars/redhat-9.yml 
@@ -45,7 +45,7 @@ clamav_service_details: user: clamscan group: virusgroup socket_path: /run/clamd.scan/clamd.sock - mode: 0710 + mode: "0710" # Commands grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" diff --git a/vars/suse.yml b/vars/suse.yml index debd511b..cb1b24b5 100644 --- a/vars/suse.yml +++ b/vars/suse.yml @@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg # NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to # create the EFI distro directory. Since this information is not available on # Ansible, we have to improvise a bit... -grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg" +grub_conf_file_efi: >- + {% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg aide_cron_job_path: /etc/cron.daily/aide aide_database_file: /var/lib/aide/aide.db aide_database_out_file: /var/lib/aide/aide.db.new