Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with the linter rules we're applying changes to the role. With that we also update the metadata to reflect the current state. Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
parent
2c7889852c
commit
db5c6f2d66
@ -91,7 +91,8 @@ security_rhel7_audit_failure_flag: 1 # V-72081
|
|||||||
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
||||||
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
||||||
# Size of remaining disk space (in MB) that triggers alerts.
|
# Size of remaining disk space (in MB) that triggers alerts.
|
||||||
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
security_rhel7_auditd_space_left: >- # V-72089
|
||||||
|
{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
|
||||||
# Action to take when the space_left threshold is reached.
|
# Action to take when the space_left threshold is reached.
|
||||||
security_rhel7_auditd_space_left_action: email # V-72091
|
security_rhel7_auditd_space_left_action: email # V-72091
|
||||||
# Send auditd email alerts to this user.
|
# Send auditd email alerts to this user.
|
||||||
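Review bot: The `space_left` threshold is still derived from the size of the `/` mount, while auditd measures space_left against the filesystem that holds the audit log, so on hosts where /var/log/audit is its own partition the 25% figure is computed from the wrong device. The fold to `>-` preserves the Jinja expression, so this is pre-existing rather than introduced here, but it is the kind of assumption an operator needs to see. At minimum extend the comment: `# Assumes the audit log (/var/log/audit) lives on the root filesystem; override when it is on a separate partition.`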
@ -263,7 +264,7 @@ security_enable_grub_update: yes
|
|||||||
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
||||||
security_require_grub_authentication: no # V-71961 / V-71963
|
security_require_grub_authentication: no # V-71961 / V-71963
|
||||||
# The default password for grub authentication is 'secrete'.
|
# The default password for grub authentication is 'secrete'.
|
||||||
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
|
||||||
# Set session timeout.
|
# Set session timeout.
|
||||||
security_rhel7_session_timeout: 600 # V-72223
|
security_rhel7_session_timeout: 600 # V-72223
|
||||||
# Enable chrony for NTP time synchronization.
|
# Enable chrony for NTP time synchronization.
|
||||||
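Review bot: The shipped `security_grub_password_hash` is the hash of the publicly documented password 'secrete', so anyone who sets `security_require_grub_authentication: yes` without also overriding the hash gets a bootloader lock that every reader of this repository can open. The `# noqa: yaml[line-length]` is the right way to keep the hash on one line, but the comment above it should state the consequence plainly, e.g. `# This hash is for the well-known password 'secrete'; generate your own with grub2-mkpasswd-pbkdf2 and override it BEFORE enabling security_require_grub_authentication.` A runtime guard in the tasks that refuses the default hash when authentication is enabled would make the point enforceable rather than advisory.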
|
@ -17,76 +17,48 @@
|
|||||||
#
|
#
|
||||||
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
|
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
|
||||||
# since it's a special service. Using the old service scripts is required.
|
# since it's a special service. Using the old service scripts is required.
|
||||||
- name: restart auditd
|
- name: Restart auditd
|
||||||
command: service auditd restart # noqa: command-instead-of-module
|
command: service auditd restart # noqa: command-instead-of-module
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: restart chrony
|
- name: Restart chrony
|
||||||
service:
|
service:
|
||||||
name: "{{ chrony_service }}"
|
name: "{{ chrony_service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart fail2ban
|
- name: Restart ssh
|
||||||
service:
|
|
||||||
name: fail2ban
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart postfix
|
|
||||||
service:
|
|
||||||
name: postfix
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart rsyslog
|
|
||||||
service:
|
|
||||||
name: rsyslog
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart samba
|
|
||||||
service:
|
|
||||||
name: smbd
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart ssh
|
|
||||||
service:
|
service:
|
||||||
name: "{{ ssh_service }}"
|
name: "{{ ssh_service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart vsftpd
|
- name: Restart clamav
|
||||||
service:
|
|
||||||
name: vsftpd
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: restart clamav
|
|
||||||
service:
|
service:
|
||||||
name: "{{ clamav_service }}"
|
name: "{{ clamav_service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
# Miscellaneous ##############################################################
|
# Miscellaneous ##############################################################
|
||||||
- name: generate auditd rules
|
- name: Generate auditd rules
|
||||||
command: augenrules --load
|
command: augenrules --load
|
||||||
|
changed_when: false
|
||||||
notify: restart auditd
|
notify: restart auditd
|
||||||
|
|
||||||
- name: rehash aliases
|
- name: Update grub config
|
||||||
command: newaliases
|
|
||||||
|
|
||||||
- name: update grub config
|
|
||||||
command: "{{ grub_update_cmd }}"
|
command: "{{ grub_update_cmd }}"
|
||||||
|
changed_when: false
|
||||||
when:
|
when:
|
||||||
- security_enable_grub_update | bool
|
- security_enable_grub_update | bool
|
||||||
- grub_update_binary.stat.exists | bool
|
- grub_update_binary.stat.exists | bool
|
||||||
- grub_update_binary.stat.executable | bool
|
- grub_update_binary.stat.executable | bool
|
||||||
notify:
|
notify:
|
||||||
- set bootloader file permissions after updating grub config
|
- Set bootloader file permissions after updating grub config
|
||||||
|
|
||||||
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
||||||
# change, which breaks V-38583.
|
# change, which breaks V-38583.
|
||||||
- name: set bootloader file permissions after updating grub config
|
- name: Set bootloader file permissions after updating grub config
|
||||||
file:
|
file:
|
||||||
path: "{{ grub_config_file_boot }}"
|
path: "{{ grub_config_file_boot }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: dconf update
|
- name: Dconf update
|
||||||
command: dconf update
|
command: dconf update
|
||||||
|
changed_when: false
|
||||||
- name: reload systemd
|
|
||||||
systemd:
|
|
||||||
daemon-reload: yes
|
|
||||||
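Review bot: The `Generate auditd rules` handler still notifies `restart auditd` in lowercase, while the handler it targets is renamed to `Restart auditd` in this same hunk; Ansible matches handler names by exact string, so once `augenrules --load` fires it will look for a handler that no longer exists and the play will error. Change that line to `notify: Restart auditd`. Separately, `changed_when: false` on the handlers that restart auditd, regenerate the grub config and run `dconf update` hides real state changes from the play recap; handlers only run after something already changed, so `changed_when: true` (or no `changed_when` at all) is the honest form that still satisfies the linter. Please also confirm no task still notifies the removed `reload systemd`, `restart rsyslog`, `restart postfix`, `restart samba`, `restart vsftpd`, `restart fail2ban` or `rehash aliases` handlers, since a notify to a missing handler is a runtime error rather than a lint warning.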
|
@ -4,19 +4,22 @@ galaxy_info:
|
|||||||
description: Security hardening role for OpenStack-Ansible
|
description: Security hardening role for OpenStack-Ansible
|
||||||
company: OpenStack
|
company: OpenStack
|
||||||
license: Apache
|
license: Apache
|
||||||
min_ansible_version: 2.10
|
role_name: hardening
|
||||||
|
namespace: openstack
|
||||||
|
min_ansible_version: "2.10"
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- buster
|
- bullseye
|
||||||
- name: EL
|
- name: EL
|
||||||
versions:
|
versions:
|
||||||
- 8
|
- "8"
|
||||||
|
- "9"
|
||||||
- name: Ubuntu
|
- name: Ubuntu
|
||||||
versions:
|
versions:
|
||||||
- bionic
|
|
||||||
- focal
|
- focal
|
||||||
categories:
|
- jammy
|
||||||
|
galaxy_tags:
|
||||||
- cloud
|
- cloud
|
||||||
- security
|
- security
|
||||||
- system
|
- system
|
||||||
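Review bot: `license: Apache` is not an SPDX identifier; Galaxy and, I believe, newer ansible-lint galaxy checks expect `license: Apache-2.0`, which presumably matches the Apache license header the task files carry. Since this commit already reworks the metadata (role_name, namespace, platforms), it is the natural place to change that one line.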
|
@ -44,7 +44,7 @@
|
|||||||
|
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
set_fact:
|
||||||
check_mode: "{{ noop_result is skipped }}"
|
check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
|
||||||
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
|
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
|
||||||
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
||||||
tags:
|
tags:
|
||||||
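Review bot: Suppressing `var-naming[no-reserved]` keeps a fact named `check_mode`, which collides with the `check_mode` task keyword and is exactly why the linter objects: a reader cannot tell at a glance whether `check_mode` in a later expression is the fact or the keyword. The real fix is to rename it (for example `security_check_mode`) and update its consumers, which are outside this hunk. If that is deferred, add a why-comment next to the noqa so the suppression is not mistaken for a permanent decision: `# noqa kept until the fact is renamed; this is a role fact, not the task keyword`.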
@ -57,8 +57,10 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- import_tasks: "{{ stig_version }}stig/main.yml"
|
- name: Importing STIG tasks
|
||||||
|
import_tasks: "{{ stig_version }}stig/main.yml"
|
||||||
|
|
||||||
- include_tasks: contrib/main.yml
|
- name: Including contrib tasks
|
||||||
|
include_tasks: contrib/main.yml
|
||||||
when:
|
when:
|
||||||
- security_contrib_enabled | bool
|
- security_contrib_enabled | bool
|
||||||
|
@ -71,6 +71,7 @@
|
|||||||
option: crypt_style
|
option: crypt_style
|
||||||
value: sha512
|
value: sha512
|
||||||
backup: yes
|
backup: yes
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- security_libuser_crypt_style_sha512 | bool
|
- security_libuser_crypt_style_sha512 | bool
|
||||||
- ansible_facts['os_family'] | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
@ -84,6 +85,7 @@
|
|||||||
# system. See bug 1659232 for more details.
|
# system. See bug 1659232 for more details.
|
||||||
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
|
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
|
||||||
command: "chage -m 1 {{ item.name }}"
|
command: "chage -m 1 {{ item.name }}"
|
||||||
|
changed_when: false
|
||||||
when:
|
when:
|
||||||
- item.shadow is mapping
|
- item.shadow is mapping
|
||||||
- item.shadow.min_days != 1
|
- item.shadow.min_days != 1
|
||||||
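Review bot: `changed_when: false` is inaccurate for the `chage -m 1` task (and the `chage -M 60` one in the next hunk): the `when` guard runs them only when `item.shadow.min_days != 1` / `max_days > 60`, i.e. precisely when they will modify /etc/shadow, so reporting no change hides a real modification from the recap and from anyone auditing what the hardening run did. The guard already makes the task idempotent, so `changed_when: true` is the accurate statement and satisfies the same linter rule. A longer-term option that avoids the command module entirely is the `user` module's `password_expire_min` / `password_expire_max`, which I believe arrived after ansible-core 2.10, so check it against `min_ansible_version` first.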
@ -100,6 +102,7 @@
|
|||||||
# system. See bug 1659232 for more details.
|
# system. See bug 1659232 for more details.
|
||||||
- name: Set maximum password lifetime limit to 60 days for interactive accounts
|
- name: Set maximum password lifetime limit to 60 days for interactive accounts
|
||||||
command: "chage -M 60 {{ item.name }}"
|
command: "chage -M 60 {{ item.name }}"
|
||||||
|
changed_when: false
|
||||||
when:
|
when:
|
||||||
- item.shadow is mapping
|
- item.shadow is mapping
|
||||||
- item.shadow.max_days > 60
|
- item.shadow.max_days > 60
|
||||||
@ -245,5 +248,3 @@
|
|||||||
- accounts
|
- accounts
|
||||||
- medium
|
- medium
|
||||||
- V-73159
|
- V-73159
|
||||||
|
|
||||||
|
|
||||||
|
@ -28,6 +28,7 @@
|
|||||||
template:
|
template:
|
||||||
src: ZZ_aide_exclusions.j2
|
src: ZZ_aide_exclusions.j2
|
||||||
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
|
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
|
||||||
|
mode: "0644"
|
||||||
when: aide_conf.results[0].stat.exists | bool
|
when: aide_conf.results[0].stat.exists | bool
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
|
@ -103,6 +103,7 @@
|
|||||||
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
|
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
|
||||||
state: present
|
state: present
|
||||||
create: yes
|
create: yes
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- security_package_clean_on_remove | bool
|
- security_package_clean_on_remove | bool
|
||||||
- ansible_facts['os_family'] | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
@ -115,6 +116,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: 20auto-upgrades
|
src: 20auto-upgrades
|
||||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
|
@ -38,7 +38,7 @@
|
|||||||
- security_audisp_remote_server is defined
|
- security_audisp_remote_server is defined
|
||||||
- audisp_remote_conf.stat.exists
|
- audisp_remote_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- restart auditd
|
- Restart auditd
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- auditd
|
- auditd
|
||||||
@ -53,7 +53,7 @@
|
|||||||
- security_audisp_enable_krb5 is defined
|
- security_audisp_enable_krb5 is defined
|
||||||
- audisp_remote_conf.stat.exists
|
- audisp_remote_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- restart auditd
|
- Restart auditd
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- auditd
|
- auditd
|
||||||
@ -73,7 +73,7 @@
|
|||||||
when:
|
when:
|
||||||
- auditd_conf.stat.exists
|
- auditd_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- generate auditd rules
|
- Generate auditd rules
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -84,7 +84,7 @@
|
|||||||
when:
|
when:
|
||||||
- auditd_conf.stat.exists
|
- auditd_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- generate auditd rules
|
- Generate auditd rules
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -92,10 +92,11 @@
|
|||||||
template:
|
template:
|
||||||
src: osas-auditd-rhel7.j2
|
src: osas-auditd-rhel7.j2
|
||||||
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
|
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- auditd_conf.stat.exists
|
- auditd_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- generate auditd rules
|
- Generate auditd rules
|
||||||
tags:
|
tags:
|
||||||
- auditd
|
- auditd
|
||||||
- V-72167
|
- V-72167
|
||||||
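Review bot: `mode: "0644"` makes /etc/audit/rules.d/osas-auditd-rhel7.rules world-readable, which tells any local account exactly which syscalls, paths and users are being watched; auditd itself ships its rule files and audit.rules as 0640 root:root, and the CIS EL8/EL9 benchmarks (4.1.4.x, if I recall correctly) call for audit configuration files to be 0640 or stricter. The linter only asked for an explicit mode, not a permissive one, so use `mode: "0640"` together with `owner: root` and `group: root` here.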
@ -163,7 +164,7 @@
|
|||||||
- auditd_conf.stat.exists
|
- auditd_conf.stat.exists
|
||||||
- audisp_remote_conf.stat.exists
|
- audisp_remote_conf.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- restart auditd
|
- Restart auditd
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
- auditd
|
- auditd
|
||||||
|
@ -185,7 +185,7 @@
|
|||||||
password_pbkdf2 root {{ security_grub_password_hash }}
|
password_pbkdf2 root {{ security_grub_password_hash }}
|
||||||
state: present
|
state: present
|
||||||
notify:
|
notify:
|
||||||
- update grub config
|
- Update grub config
|
||||||
- name: Set CLASS for grub file
|
- name: Set CLASS for grub file
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: "{{ grub_linux_file }}"
|
path: "{{ grub_linux_file }}"
|
||||||
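Review bot: Nothing checks that `security_grub_password_hash` has been changed from the role default before it is written as `password_pbkdf2 root …`, so enabling `security_require_grub_authentication` with the shipped value installs a bootloader password that is documented in the role's own defaults ('secrete'). A guard that refuses that combination is cheap: a fragment of the default hash (visible in the defaults file) is enough to recognise it, and the assert can sit directly before this lineinfile task. The lineinfile task this hunk belongs to starts outside the hunk, so the placement below is approximate.
```yaml
- name: Refuse to enable GRUB authentication with the role's default password hash
  assert:
    that:
      - security_grub_password_hash is not search('7B21785BEAFEE3AC71459D8210E3FB42')
    fail_msg: >-
      security_grub_password_hash is still the role default (password 'secrete');
      generate a new hash with grub2-mkpasswd-pbkdf2 before enabling
      security_require_grub_authentication.
  when:
    - security_require_grub_authentication | bool
# … unchanged: lineinfile writing password_pbkdf2 root into the grub custom file …
```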
@ -194,7 +194,7 @@
|
|||||||
state: present
|
state: present
|
||||||
backrefs: yes
|
backrefs: yes
|
||||||
notify:
|
notify:
|
||||||
- update grub config
|
- Update grub config
|
||||||
when:
|
when:
|
||||||
- grub_custom_file_check.stat.exists | bool
|
- grub_custom_file_check.stat.exists | bool
|
||||||
- security_require_grub_authentication | bool
|
- security_require_grub_authentication | bool
|
||||||
@ -208,6 +208,7 @@
|
|||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
|
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
|
||||||
create: yes
|
create: yes
|
||||||
|
mode: "0644"
|
||||||
block: |
|
block: |
|
||||||
# Deployed by the ansible-hardening role
|
# Deployed by the ansible-hardening role
|
||||||
# V-72217 - Limit concurrent sessions for all accounts/types
|
# V-72217 - Limit concurrent sessions for all accounts/types
|
||||||
|
@ -13,7 +13,8 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- include_tasks: rpm.yml
|
- name: Including rpm tasks
|
||||||
|
include_tasks: rpm.yml
|
||||||
|
|
||||||
- name: Check if /etc/dnf/automatic.conf exists
|
- name: Check if /etc/dnf/automatic.conf exists
|
||||||
stat:
|
stat:
|
||||||
|
@ -56,6 +56,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: dconf-user-profile
|
src: dconf-user-profile
|
||||||
dest: /etc/dconf/profile/user
|
dest: /etc/dconf/profile/user
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- dconf_check.stat.exists
|
- dconf_check.stat.exists
|
||||||
tags:
|
tags:
|
||||||
@ -69,6 +70,7 @@
|
|||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/dconf/db/local.d/
|
- /etc/dconf/db/local.d/
|
||||||
- /etc/dconf/db/local.d/locks
|
- /etc/dconf/db/local.d/locks
|
||||||
@ -87,10 +89,11 @@
|
|||||||
template:
|
template:
|
||||||
src: dconf-screensaver-lock.j2
|
src: dconf-screensaver-lock.j2
|
||||||
dest: /etc/dconf/db/local.d/00-screensaver
|
dest: /etc/dconf/db/local.d/00-screensaver
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- dconf_check.stat.exists
|
- dconf_check.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- dconf update
|
- Dconf update
|
||||||
tags:
|
tags:
|
||||||
- graphical
|
- graphical
|
||||||
- medium
|
- medium
|
||||||
@ -102,10 +105,11 @@
|
|||||||
template:
|
template:
|
||||||
src: dconf-session-user-config-lockout.j2
|
src: dconf-session-user-config-lockout.j2
|
||||||
dest: /etc/dconf/db/local.d/locks/session
|
dest: /etc/dconf/db/local.d/locks/session
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- dconf_check.stat.exists
|
- dconf_check.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- dconf update
|
- Dconf update
|
||||||
tags:
|
tags:
|
||||||
- graphical
|
- graphical
|
||||||
- medium
|
- medium
|
||||||
@ -117,10 +121,11 @@
|
|||||||
copy:
|
copy:
|
||||||
src: dconf-profile-gdm
|
src: dconf-profile-gdm
|
||||||
dest: /etc/dconf/profile/gdm
|
dest: /etc/dconf/profile/gdm
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- dconf_check.stat.exists
|
- dconf_check.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- dconf update
|
- Dconf update
|
||||||
tags:
|
tags:
|
||||||
- graphical
|
- graphical
|
||||||
- medium
|
- medium
|
||||||
@ -130,13 +135,14 @@
|
|||||||
template:
|
template:
|
||||||
src: dconf-gdm-banner-message.j2
|
src: dconf-gdm-banner-message.j2
|
||||||
dest: "{{ item }}"
|
dest: "{{ item }}"
|
||||||
|
mode: "0644"
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/dconf/db/gdm.d/01-banner-message
|
- /etc/dconf/db/gdm.d/01-banner-message
|
||||||
- /etc/dconf/db/local.d/01-banner-message
|
- /etc/dconf/db/local.d/01-banner-message
|
||||||
when:
|
when:
|
||||||
- dconf_check.stat.exists
|
- dconf_check.stat.exists
|
||||||
notify:
|
notify:
|
||||||
- dconf update
|
- Dconf update
|
||||||
tags:
|
tags:
|
||||||
- graphical
|
- graphical
|
||||||
- medium
|
- medium
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
|
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
|
||||||
line: install usb-storage /bin/true
|
line: install usb-storage /bin/true
|
||||||
create: yes
|
create: yes
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- security_rhel7_disable_usb_storage | bool
|
- security_rhel7_disable_usb_storage | bool
|
||||||
tags:
|
tags:
|
||||||
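Review bot: `install usb-storage /bin/true` follows the RHEL 7 STIG wording, but with the platform list now EL 8/9, Debian 11 and Ubuntu 20.04/22.04, the RHEL 8/9 STIG and CIS guidance I am aware of expect `/bin/false` and, for CIS, an additional `blacklist usb-storage` line; the `install` override is what actually blocks loading, while `blacklist` stops alias-based autoloading, so the two complement each other. The mode addition is fine; the content change is a single line, `line: install usb-storage /bin/false`, plus a second lineinfile for `blacklist usb-storage` in the same modprobe.d file. Please confirm against the benchmark versions the role claims to implement before changing it.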
@ -49,7 +50,7 @@
|
|||||||
- C-00001
|
- C-00001
|
||||||
|
|
||||||
- name: Check kdump service
|
- name: Check kdump service
|
||||||
command: systemctl status kdump # noqa 303
|
command: systemctl status kdump # noqa: command-instead-of-module
|
||||||
register: kdump_service_check
|
register: kdump_service_check
|
||||||
failed_when: kdump_service_check.rc not in [0,3,4]
|
failed_when: kdump_service_check.rc not in [0,3,4]
|
||||||
changed_when: False
|
changed_when: False
|
||||||
@ -101,6 +102,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: ansible-hardening-disable-dccp.conf
|
src: ansible-hardening-disable-dccp.conf
|
||||||
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
|
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- security_rhel7_disable_dccp | bool
|
- security_rhel7_disable_dccp | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -32,7 +32,7 @@
|
|||||||
# started apparmor each time. This breaks idempotency and we check
|
# started apparmor each time. This breaks idempotency and we check
|
||||||
# systemd's status directly as an alternative.
|
# systemd's status directly as an alternative.
|
||||||
- name: Check if apparmor is running
|
- name: Check if apparmor is running
|
||||||
command: "systemctl status apparmor" # noqa 303
|
command: "systemctl status apparmor" # noqa: command-instead-of-module
|
||||||
register: systemctl_apparmor_status
|
register: systemctl_apparmor_status
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: false
|
||||||
@ -96,6 +96,7 @@
|
|||||||
file:
|
file:
|
||||||
path: /.autorelabel
|
path: /.autorelabel
|
||||||
state: touch
|
state: touch
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- ansible_facts['os_family'] == "RedHat"
|
- ansible_facts['os_family'] == "RedHat"
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
|
@ -34,7 +34,8 @@
|
|||||||
|
|
||||||
# Some of the tasks in the role may take a long time to run. Let's start them
|
# Some of the tasks in the role may take a long time to run. Let's start them
|
||||||
# as early as possible so they have time to finish.
|
# as early as possible so they have time to finish.
|
||||||
- import_tasks: async_tasks.yml
|
- name: Importing async_tasks tasks
|
||||||
|
import_tasks: async_tasks.yml
|
||||||
|
|
||||||
- name: Get user data for all users on the system
|
- name: Get user data for all users on the system
|
||||||
get_users:
|
get_users:
|
||||||
@ -67,29 +68,41 @@
|
|||||||
|
|
||||||
# Package installations and removals must come first so that configuration
|
# Package installations and removals must come first so that configuration
|
||||||
# changes can be made later.
|
# changes can be made later.
|
||||||
- import_tasks: packages.yml
|
- name: Importing packages tasks
|
||||||
|
import_tasks: packages.yml
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
# Package managers are managed first since the changes in these tasks will
|
# Package managers are managed first since the changes in these tasks will
|
||||||
# affect the remainder of the tasks in the role.
|
# affect the remainder of the tasks in the role.
|
||||||
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
|
- name: Including OS-specific tasks
|
||||||
|
include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
|
||||||
|
|
||||||
# The bulk of the security changes are applied in these tasks. The tasks in
|
# The bulk of the security changes are applied in these tasks. The tasks in
|
||||||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||||
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
||||||
# Controls by Tag" section of the role documentation.
|
# Controls by Tag" section of the role documentation.
|
||||||
- import_tasks: accounts.yml
|
- name: Importing accounts tasks
|
||||||
- import_tasks: aide.yml
|
import_tasks: accounts.yml
|
||||||
|
- name: Importing aide tasks
|
||||||
|
import_tasks: aide.yml
|
||||||
when: security_rhel7_enable_aide | bool
|
when: security_rhel7_enable_aide | bool
|
||||||
- import_tasks: auditd.yml
|
- name: Importing auditd tasks
|
||||||
- import_tasks: auth.yml
|
import_tasks: auditd.yml
|
||||||
- import_tasks: file_perms.yml
|
- name: Importing auth tasks
|
||||||
- import_tasks: graphical.yml
|
import_tasks: auth.yml
|
||||||
- import_tasks: kernel.yml
|
- name: Importing file_perms tasks
|
||||||
- import_tasks: lsm.yml
|
import_tasks: file_perms.yml
|
||||||
- import_tasks: misc.yml
|
- name: Importing graphical tasks
|
||||||
- import_tasks: sshd.yml
|
import_tasks: graphical.yml
|
||||||
|
- name: Importing kernel tasks
|
||||||
|
import_tasks: kernel.yml
|
||||||
|
- name: Importing lsm tasks
|
||||||
|
import_tasks: lsm.yml
|
||||||
|
- name: Importing misc tasks
|
||||||
|
import_tasks: misc.yml
|
||||||
|
- name: Importing sshd tasks
|
||||||
|
import_tasks: sshd.yml
|
||||||
|
|
||||||
- name: Remove the temporary directory
|
- name: Remove the temporary directory
|
||||||
file:
|
file:
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- name: Check autofs service
|
- name: Check autofs service
|
||||||
command: systemctl status autofs # noqa 303
|
command: systemctl status autofs # noqa: command-instead-of-module
|
||||||
register: autofs_check
|
register: autofs_check
|
||||||
failed_when: autofs_check.rc not in [0,3,4]
|
failed_when: autofs_check.rc not in [0,3,4]
|
||||||
changed_when: False
|
changed_when: False
|
||||||
@ -150,7 +150,7 @@
|
|||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_facts['os_family'] | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- Restart clamav
|
||||||
tags:
|
tags:
|
||||||
- misc
|
- misc
|
||||||
- V-72213
|
- V-72213
|
||||||
@ -166,7 +166,7 @@
|
|||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_facts['os_family'] | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- Restart clamav
|
||||||
tags:
|
tags:
|
||||||
- misc
|
- misc
|
||||||
- V-72213
|
- V-72213
|
||||||
@ -174,7 +174,7 @@
|
|||||||
- name: Ensure ClamAV socket directory exists
|
- name: Ensure ClamAV socket directory exists
|
||||||
file:
|
file:
|
||||||
path: "{{ clamav_service_details['socket_path'] | dirname }}"
|
path: "{{ clamav_service_details['socket_path'] | dirname }}"
|
||||||
user: "{{ clamav_service_details['user'] }}"
|
owner: "{{ clamav_service_details['user'] }}"
|
||||||
group: "{{ clamav_service_details['group'] }}"
|
group: "{{ clamav_service_details['group'] }}"
|
||||||
mode: "{{ clamav_service_details['mode'] }}"
|
mode: "{{ clamav_service_details['mode'] }}"
|
||||||
when:
|
when:
|
||||||
@ -182,7 +182,7 @@
|
|||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_facts['os_family'] | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- Restart clamav
|
||||||
tags:
|
tags:
|
||||||
- misc
|
- misc
|
||||||
- V-72213
|
- V-72213
|
||||||
@ -197,7 +197,7 @@
|
|||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_facts['os_family'] | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- Restart clamav
|
||||||
tags:
|
tags:
|
||||||
- misc
|
- misc
|
||||||
- V-72213
|
- V-72213
|
||||||
@ -293,11 +293,12 @@
|
|||||||
template:
|
template:
|
||||||
src: chrony.conf.j2
|
src: chrony.conf.j2
|
||||||
dest: "{{ chrony_conf_file }}"
|
dest: "{{ chrony_conf_file }}"
|
||||||
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- chrony_conf_check.stat.exists | bool
|
- chrony_conf_check.stat.exists | bool
|
||||||
- security_rhel7_enable_chrony | bool
|
- security_rhel7_enable_chrony | bool
|
||||||
notify:
|
notify:
|
||||||
- restart chrony
|
- Restart chrony
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- misc
|
- misc
|
||||||
@ -305,7 +306,7 @@
|
|||||||
|
|
||||||
# Returns 0 if installed, 3 if not installed
|
# Returns 0 if installed, 3 if not installed
|
||||||
- name: Check firewalld status
|
- name: Check firewalld status
|
||||||
command: systemctl status firewalld # noqa 303
|
command: systemctl status firewalld # noqa: command-instead-of-module
|
||||||
register: firewalld_status_check
|
register: firewalld_status_check
|
||||||
failed_when: firewalld_status_check.rc not in [0,3,4]
|
failed_when: firewalld_status_check.rc not in [0,3,4]
|
||||||
changed_when: False
|
changed_when: False
|
||||||
@ -327,7 +328,9 @@
|
|||||||
- V-72273
|
- V-72273
|
||||||
|
|
||||||
- name: Limit new TCP connections to 25/minute and allow bursting to 100
|
- name: Limit new TCP connections to 25/minute and allow bursting to 100
|
||||||
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
|
command: >-
|
||||||
|
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
|
||||||
|
security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
|
||||||
register: add_rate_limit_firewalld_rule
|
register: add_rate_limit_firewalld_rule
|
||||||
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
|
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
|
||||||
when:
|
when:
|
||||||
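Review bot: `firewall-cmd --direct --add-rule …` without `--permanent` only changes the running ruleset, so the rate limit is lost on the next `firewall-cmd --reload` or reboot unless a companion task outside this hunk also writes it permanently. The `changed_when` test on `ALREADY_ENABLED` likewise reflects runtime state only. If the limit is meant to persist, run the same command a second time with `--permanent` (direct rules are not covered by the firewalld module), and say so in a comment above the task so the next reader does not assume the rule survives a reboot.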
|
@ -19,6 +19,7 @@
|
|||||||
dest: "{{ security_sshd_banner_file }}"
|
dest: "{{ security_sshd_banner_file }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
mode: "0644"
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
- sshd
|
- sshd
|
||||||
@ -33,7 +34,7 @@
|
|||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
|
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
|
||||||
notify:
|
notify:
|
||||||
- restart ssh
|
- Restart ssh
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
- sshd
|
- sshd
|
||||||
@ -71,7 +72,7 @@
|
|||||||
{{ option['name'] ~ ' ' ~ option['value'] }}
|
{{ option['name'] ~ ' ' ~ option['value'] }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
notify:
|
notify:
|
||||||
- restart ssh
|
- Restart ssh
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
- sshd
|
- sshd
|
||||||
|
@ -13,7 +13,8 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- include_tasks: rpm.yml
|
- name: Including rpm tasks
|
||||||
|
include_tasks: rpm.yml
|
||||||
|
|
||||||
- name: Check if /etc/yum/yum-cron.conf exists
|
- name: Check if /etc/yum/yum-cron.conf exists
|
||||||
stat:
|
stat:
|
||||||
|
@ -100,6 +100,7 @@
|
|||||||
copy:
|
copy:
|
||||||
src: zypper-autoupdates
|
src: zypper-autoupdates
|
||||||
dest: /etc/cron.daily/zypper-autoupdates
|
dest: /etc/cron.daily/zypper-autoupdates
|
||||||
|
mode: "0750"
|
||||||
when:
|
when:
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
|||||||
user: clamscan
|
user: clamscan
|
||||||
group: virusgroup
|
group: virusgroup
|
||||||
socket_path: /run/clamd.scan/clamd.sock
|
socket_path: /run/clamd.scan/clamd.sock
|
||||||
mode: 0710
|
mode: "0710"
|
||||||
|
|
||||||
# Commands
|
# Commands
|
||||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
|||||||
user: clamscan
|
user: clamscan
|
||||||
group: virusgroup
|
group: virusgroup
|
||||||
socket_path: /run/clamd.scan/clamd.sock
|
socket_path: /run/clamd.scan/clamd.sock
|
||||||
mode: 0710
|
mode: "0710"
|
||||||
|
|
||||||
# Commands
|
# Commands
|
||||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
|||||||
user: clamscan
|
user: clamscan
|
||||||
group: virusgroup
|
group: virusgroup
|
||||||
socket_path: /run/clamd.scan/clamd.sock
|
socket_path: /run/clamd.scan/clamd.sock
|
||||||
mode: 0710
|
mode: "0710"
|
||||||
|
|
||||||
# Commands
|
# Commands
|
||||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||||
|
@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg
|
|||||||
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
||||||
# create the EFI distro directory. Since this information is not available on
|
# create the EFI distro directory. Since this information is not available on
|
||||||
# Ansible, we have to improvise a bit...
|
# Ansible, we have to improvise a bit...
|
||||||
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
grub_conf_file_efi: >-
|
||||||
|
{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg
|
||||||
aide_cron_job_path: /etc/cron.daily/aide
|
aide_cron_job_path: /etc/cron.daily/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db
|
aide_database_file: /var/lib/aide/aide.db
|
||||||
aide_database_out_file: /var/lib/aide/aide.db.new
|
aide_database_out_file: /var/lib/aide/aide.db.new
|
||||||
|