Fix linters and metadata

With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, which are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
Dmitriy Rabotyagov 2023-07-17 14:25:21 +02:00
parent 2c7889852c
commit db5c6f2d66
23 changed files with 131 additions and 117 deletions


@ -82,16 +82,17 @@ security_aide_exclude_dirs:
## Audit daemon (auditd) ## Audit daemon (auditd)
# Send audit records to a different system using audisp. # Send audit records to a different system using audisp.
#security_audisp_remote_server: '10.0.21.1' # V-72083 # security_audisp_remote_server: '10.0.21.1' # V-72083
# Encrypt audit records when they are transmitted over the network. # Encrypt audit records when they are transmitted over the network.
#security_audisp_enable_krb5: yes # V-72085 # security_audisp_enable_krb5: yes # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING! # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # V-72081 security_rhel7_audit_failure_flag: 1 # V-72081
# Set the action to take when the disk is full or network events cannot be sent. # Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog # V-72087 security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087 security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts. # Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089 security_rhel7_auditd_space_left: >- # V-72089
{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
# Action to take when the space_left threshold is reached. # Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091 security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user. # Send auditd email alerts to this user.
@ -179,8 +180,8 @@ security_password_encrypt_method: SHA512 # V-71921
# Ensure user/group admin utilities only store encrypted passwords. # Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: yes # V-71923 security_libuser_crypt_style_sha512: yes # V-71923
# Set a minimum/maximum lifetime limit for user passwords. # Set a minimum/maximum lifetime limit for user passwords.
#security_password_min_lifetime_days: 1 # V-71925 # security_password_min_lifetime_days: 1 # V-71925
#security_password_max_lifetime_days: 60 # V-71929 # security_password_max_lifetime_days: 60 # V-71929
# Set a delay (in seconds) between failed login attempts. # Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4 # V-71951 security_shadow_utils_fail_delay: 4 # V-71951
# Set a umask for all authenticated users. # Set a umask for all authenticated users.
@ -188,7 +189,7 @@ security_shadow_utils_fail_delay: 4 # V-71951
# Create home directories for new users by default. # Create home directories for new users by default.
security_shadow_utils_create_home: yes # V-72013 security_shadow_utils_create_home: yes # V-72013
# How many old user password to remember to prevent password re-use. # How many old user password to remember to prevent password re-use.
#security_password_remember_password: 5 # V-71933 # security_password_remember_password: 5 # V-71933
# Disable user accounts if the password expires. # Disable user accounts if the password expires.
security_disable_account_if_password_expires: no # V-71941 security_disable_account_if_password_expires: no # V-71941
# Lock user accounts with excessive login failures. See documentation. # Lock user accounts with excessive login failures. See documentation.
@ -198,7 +199,7 @@ security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: yes # RHEL-07-010373 security_pam_faillock_deny_root: yes # RHEL-07-010373
security_pam_faillock_unlock_time: 604800 # V-71943 security_pam_faillock_unlock_time: 604800 # V-71943
# Limit the number of concurrent connections per account. # Limit the number of concurrent connections per account.
#security_rhel7_concurrent_session_limit: 10 # V-72217 # security_rhel7_concurrent_session_limit: 10 # V-72217
# Remove .shosts and shosts.equiv files. # Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: no # V-72277 security_rhel7_remove_shosts_files: no # V-72277
# Exclude these directories from the shosts files find # Exclude these directories from the shosts files find
@ -263,7 +264,7 @@ security_enable_grub_update: yes
# Require authentication in GRUB to boot into single-user or maintenance modes. # Require authentication in GRUB to boot into single-user or maintenance modes.
security_require_grub_authentication: no # V-71961 / V-71963 security_require_grub_authentication: no # V-71961 / V-71963
# The default password for grub authentication is 'secrete'. # The default password for grub authentication is 'secrete'.
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
# Set session timeout. # Set session timeout.
security_rhel7_session_timeout: 600 # V-72223 security_rhel7_session_timeout: 600 # V-72223
# Enable chrony for NTP time synchronization. # Enable chrony for NTP time synchronization.
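Review bot: The `# noqa: yaml[line-length]` on `security_grub_password_hash` is the right way to silence the linter here, because the `>-` folded style used for `security_rhel7_auditd_space_left` above would insert a space into the hash if the value were wrapped. Since the line is being touched anyway, the comment above it is worth tightening so deployers understand that the default is not a secret: `# The default hash corresponds to the publicly documented password 'secrete'; override it in any real deployment.` The commented-out defaults in this file (`# security_audisp_remote_server: ...`) now read as documentation rather than code, which matches what the lint rule wanted.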


@ -17,76 +17,48 @@
# #
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
# since it's a special service. Using the old service scripts is required. # since it's a special service. Using the old service scripts is required.
- name: restart auditd - name: Restart auditd
command: service auditd restart # noqa: command-instead-of-module command: service auditd restart # noqa: command-instead-of-module
changed_when: false
- name: restart chrony - name: Restart chrony
service: service:
name: "{{ chrony_service }}" name: "{{ chrony_service }}"
state: restarted state: restarted
- name: restart fail2ban - name: Restart ssh
service:
name: fail2ban
state: restarted
- name: restart postfix
service:
name: postfix
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted
- name: restart samba
service:
name: smbd
state: restarted
- name: restart ssh
service: service:
name: "{{ ssh_service }}" name: "{{ ssh_service }}"
state: restarted state: restarted
- name: restart vsftpd - name: Restart clamav
service:
name: vsftpd
state: restarted
- name: restart clamav
service: service:
name: "{{ clamav_service }}" name: "{{ clamav_service }}"
state: restarted state: restarted
# Miscellaneous ############################################################## # Miscellaneous ##############################################################
- name: generate auditd rules - name: Generate auditd rules
command: augenrules --load command: augenrules --load
changed_when: false
notify: restart auditd notify: restart auditd
- name: rehash aliases - name: Update grub config
command: newaliases
- name: update grub config
command: "{{ grub_update_cmd }}" command: "{{ grub_update_cmd }}"
changed_when: false
when: when:
- security_enable_grub_update | bool - security_enable_grub_update | bool
- grub_update_binary.stat.exists | bool - grub_update_binary.stat.exists | bool
- grub_update_binary.stat.executable | bool - grub_update_binary.stat.executable | bool
notify: notify:
- set bootloader file permissions after updating grub config - Set bootloader file permissions after updating grub config
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to # NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
# change, which breaks V-38583. # change, which breaks V-38583.
- name: set bootloader file permissions after updating grub config - name: Set bootloader file permissions after updating grub config
file: file:
path: "{{ grub_config_file_boot }}" path: "{{ grub_config_file_boot }}"
mode: "0644" mode: "0644"
- name: dconf update - name: Dconf update
command: dconf update command: dconf update
changed_when: false
- name: reload systemd
systemd:
daemon-reload: yes
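Review bot: `notify: restart auditd` inside the `Generate auditd rules` handler still uses the old lowercase name, while the handler it targets was renamed to `Restart auditd` in the same hunk; handler lookup by name is an exact string match, so this notification will fail to resolve when `augenrules --load` fires. The task files in this commit (auditd.yml) were updated to `- Restart auditd`, so this single line appears to have been missed: `notify: Restart auditd`. Separately, `changed_when: false` on handlers whose whole purpose is to restart a service, reload rules or regenerate grub config declares a real state change as "ok"; it satisfies the `no-changed-when` rule, but `changed_when: true` would be the accurate form for these handlers.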


@ -4,19 +4,22 @@ galaxy_info:
description: Security hardening role for OpenStack-Ansible description: Security hardening role for OpenStack-Ansible
company: OpenStack company: OpenStack
license: Apache license: Apache
min_ansible_version: 2.10 role_name: hardening
namespace: openstack
min_ansible_version: "2.10"
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- buster - bullseye
- name: EL - name: EL
versions: versions:
- 8 - "8"
- "9"
- name: Ubuntu - name: Ubuntu
versions: versions:
- bionic
- focal - focal
categories: - jammy
galaxy_tags:
- cloud - cloud
- security - security
- system - system


@ -44,8 +44,8 @@
- name: Set facts - name: Set facts
set_fact: set_fact:
check_mode: "{{ noop_result is skipped }}" check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}" linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
tags: tags:
- always - always
@ -57,8 +57,10 @@
tags: tags:
- always - always
- import_tasks: "{{ stig_version }}stig/main.yml" - name: Importing STIG tasks
import_tasks: "{{ stig_version }}stig/main.yml"
- include_tasks: contrib/main.yml - name: Including contrib tasks
include_tasks: contrib/main.yml
when: when:
- security_contrib_enabled | bool - security_contrib_enabled | bool
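Review bot: The `# noqa: var-naming[no-reserved]` on `check_mode` suppresses the lint instead of fixing the collision: a fact named `check_mode` shadows the Ansible task keyword of the same name, which this role itself uses (for example `check_mode: no` in lsm.yml). Renaming the fact to something prefixed like `security_check_mode` and updating its consumers would remove the ambiguity for good; that requires a grep across the role's task files, which is outside this hunk, so the suppression is acceptable as an interim step if a follow-up is tracked.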


@ -71,6 +71,7 @@
option: crypt_style option: crypt_style
value: sha512 value: sha512
backup: yes backup: yes
mode: "0644"
when: when:
- security_libuser_crypt_style_sha512 | bool - security_libuser_crypt_style_sha512 | bool
- ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
@ -84,6 +85,7 @@
# system. See bug 1659232 for more details. # system. See bug 1659232 for more details.
- name: Set minimum password lifetime limit to 24 hours for interactive accounts - name: Set minimum password lifetime limit to 24 hours for interactive accounts
command: "chage -m 1 {{ item.name }}" command: "chage -m 1 {{ item.name }}"
changed_when: false
when: when:
- item.shadow is mapping - item.shadow is mapping
- item.shadow.min_days != 1 - item.shadow.min_days != 1
@ -100,6 +102,7 @@
# system. See bug 1659232 for more details. # system. See bug 1659232 for more details.
- name: Set maximum password lifetime limit to 60 days for interactive accounts - name: Set maximum password lifetime limit to 60 days for interactive accounts
command: "chage -M 60 {{ item.name }}" command: "chage -M 60 {{ item.name }}"
changed_when: false
when: when:
- item.shadow is mapping - item.shadow is mapping
- item.shadow.max_days > 60 - item.shadow.max_days > 60
@ -245,5 +248,3 @@
- accounts - accounts
- medium - medium
- V-73159 - V-73159
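Review bot: `changed_when: false` on the two `chage` commands (minimum and maximum password lifetime) asserts that the tasks never change anything, but each one runs only when its `when` clause finds the account's current value differs, and then actually rewrites the shadow entry. That satisfies the `no-changed-when` lint but reports a real modification as "ok", hiding it from run summaries and from anything that keys off changed results. Because the guards already make the tasks idempotent, `changed_when: true` is the accurate form for both. The enclosing tasks start before the hunks, and the same pattern appears on the `chage -M 60` task in the following hunk.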


@ -28,6 +28,7 @@
template: template:
src: ZZ_aide_exclusions.j2 src: ZZ_aide_exclusions.j2
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
mode: "0644"
when: aide_conf.results[0].stat.exists | bool when: aide_conf.results[0].stat.exists | bool
tags: tags:
- medium - medium


@ -103,6 +103,7 @@
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";" line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
state: present state: present
create: yes create: yes
mode: "0644"
when: when:
- security_package_clean_on_remove | bool - security_package_clean_on_remove | bool
- ansible_facts['os_family'] | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
@ -115,6 +116,7 @@
copy: copy:
src: 20auto-upgrades src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: "0644"
when: when:
- ansible_facts['os_family'] | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool


@ -38,7 +38,7 @@
- security_audisp_remote_server is defined - security_audisp_remote_server is defined
- audisp_remote_conf.stat.exists - audisp_remote_conf.stat.exists
notify: notify:
- restart auditd - Restart auditd
tags: tags:
- medium - medium
- auditd - auditd
@ -53,7 +53,7 @@
- security_audisp_enable_krb5 is defined - security_audisp_enable_krb5 is defined
- audisp_remote_conf.stat.exists - audisp_remote_conf.stat.exists
notify: notify:
- restart auditd - Restart auditd
tags: tags:
- medium - medium
- auditd - auditd
@ -73,7 +73,7 @@
when: when:
- auditd_conf.stat.exists - auditd_conf.stat.exists
notify: notify:
- generate auditd rules - Generate auditd rules
tags: tags:
- always - always
@ -84,7 +84,7 @@
when: when:
- auditd_conf.stat.exists - auditd_conf.stat.exists
notify: notify:
- generate auditd rules - Generate auditd rules
tags: tags:
- always - always
@ -92,10 +92,11 @@
template: template:
src: osas-auditd-rhel7.j2 src: osas-auditd-rhel7.j2
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
mode: "0644"
when: when:
- auditd_conf.stat.exists - auditd_conf.stat.exists
notify: notify:
- generate auditd rules - Generate auditd rules
tags: tags:
- auditd - auditd
- V-72167 - V-72167
@ -163,7 +164,7 @@
- auditd_conf.stat.exists - auditd_conf.stat.exists
- audisp_remote_conf.stat.exists - audisp_remote_conf.stat.exists
notify: notify:
- restart auditd - Restart auditd
tags: tags:
- high - high
- auditd - auditd
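Review bot: `mode: "0644"` on the `osas-auditd-rhel7.rules` template makes the deployed audit rule set world-readable. Distribution-shipped files under `/etc/audit/rules.d/` are typically root-only (0600 or 0640), and keeping unprivileged users from reading exactly which syscalls and paths are audited is part of what those permissions protect. `mode: "0640"` would match that posture without affecting `augenrules --load`, which runs as root; worth confirming against the packaging of the target distributions before changing it.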


@ -54,7 +54,7 @@
line: '\1\2' line: '\1\2'
backup: yes backup: yes
backrefs: yes backrefs: yes
loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}" loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
when: when:
- ansible_facts['os_family'] == 'RedHat' - ansible_facts['os_family'] == 'RedHat'
- security_disallow_blank_password_login | bool - security_disallow_blank_password_login | bool
@ -185,7 +185,7 @@
password_pbkdf2 root {{ security_grub_password_hash }} password_pbkdf2 root {{ security_grub_password_hash }}
state: present state: present
notify: notify:
- update grub config - Update grub config
- name: Set CLASS for grub file - name: Set CLASS for grub file
lineinfile: lineinfile:
path: "{{ grub_linux_file }}" path: "{{ grub_linux_file }}"
@ -194,7 +194,7 @@
state: present state: present
backrefs: yes backrefs: yes
notify: notify:
- update grub config - Update grub config
when: when:
- grub_custom_file_check.stat.exists | bool - grub_custom_file_check.stat.exists | bool
- security_require_grub_authentication | bool - security_require_grub_authentication | bool
@ -208,6 +208,7 @@
blockinfile: blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes create: yes
mode: "0644"
block: | block: |
# Deployed by the ansible-hardening role # Deployed by the ansible-hardening role
# V-72217 - Limit concurrent sessions for all accounts/types # V-72217 - Limit concurrent sessions for all accounts/types
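Review bot: The `loop` expression in the first hunk was only re-spaced and still nests moustaches inside a Jinja expression (`'{{ pam_auth_file }}'` within `{{ ... }}`), which depends on Ansible re-templating the resulting strings rather than on Jinja itself. The variables can be referenced directly: `loop: "{{ ['auth', 'password'] | product([pam_auth_file, pam_password_file]) | list }}"`. Newer ansible-lint jinja rules may flag the nested form as well, so fixing it now fits the goal of this commit.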


@ -13,7 +13,8 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- include_tasks: rpm.yml - name: Including rpm tasks
include_tasks: rpm.yml
- name: Check if /etc/dnf/automatic.conf exists - name: Check if /etc/dnf/automatic.conf exists
stat: stat:


@ -56,6 +56,7 @@
copy: copy:
src: dconf-user-profile src: dconf-user-profile
dest: /etc/dconf/profile/user dest: /etc/dconf/profile/user
mode: "0644"
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
tags: tags:
@ -69,6 +70,7 @@
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: "0755"
with_items: with_items:
- /etc/dconf/db/local.d/ - /etc/dconf/db/local.d/
- /etc/dconf/db/local.d/locks - /etc/dconf/db/local.d/locks
@ -87,10 +89,11 @@
template: template:
src: dconf-screensaver-lock.j2 src: dconf-screensaver-lock.j2
dest: /etc/dconf/db/local.d/00-screensaver dest: /etc/dconf/db/local.d/00-screensaver
mode: "0644"
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
notify: notify:
- dconf update - Dconf update
tags: tags:
- graphical - graphical
- medium - medium
@ -102,10 +105,11 @@
template: template:
src: dconf-session-user-config-lockout.j2 src: dconf-session-user-config-lockout.j2
dest: /etc/dconf/db/local.d/locks/session dest: /etc/dconf/db/local.d/locks/session
mode: "0644"
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
notify: notify:
- dconf update - Dconf update
tags: tags:
- graphical - graphical
- medium - medium
@ -117,10 +121,11 @@
copy: copy:
src: dconf-profile-gdm src: dconf-profile-gdm
dest: /etc/dconf/profile/gdm dest: /etc/dconf/profile/gdm
mode: "0644"
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
notify: notify:
- dconf update - Dconf update
tags: tags:
- graphical - graphical
- medium - medium
@ -130,13 +135,14 @@
template: template:
src: dconf-gdm-banner-message.j2 src: dconf-gdm-banner-message.j2
dest: "{{ item }}" dest: "{{ item }}"
mode: "0644"
with_items: with_items:
- /etc/dconf/db/gdm.d/01-banner-message - /etc/dconf/db/gdm.d/01-banner-message
- /etc/dconf/db/local.d/01-banner-message - /etc/dconf/db/local.d/01-banner-message
when: when:
- dconf_check.stat.exists - dconf_check.stat.exists
notify: notify:
- dconf update - Dconf update
tags: tags:
- graphical - graphical
- medium - medium


@ -18,6 +18,7 @@
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
line: install usb-storage /bin/true line: install usb-storage /bin/true
create: yes create: yes
mode: "0644"
when: when:
- security_rhel7_disable_usb_storage | bool - security_rhel7_disable_usb_storage | bool
tags: tags:
@ -49,7 +50,7 @@
- C-00001 - C-00001
- name: Check kdump service - name: Check kdump service
command: systemctl status kdump # noqa 303 command: systemctl status kdump # noqa: command-instead-of-module
register: kdump_service_check register: kdump_service_check
failed_when: kdump_service_check.rc not in [0,3,4] failed_when: kdump_service_check.rc not in [0,3,4]
changed_when: False changed_when: False
@ -101,6 +102,7 @@
copy: copy:
src: ansible-hardening-disable-dccp.conf src: ansible-hardening-disable-dccp.conf
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
mode: "0644"
when: when:
- security_rhel7_disable_dccp | bool - security_rhel7_disable_dccp | bool
tags: tags:


@ -32,7 +32,7 @@
# started apparmor each time. This breaks idempotency and we check # started apparmor each time. This breaks idempotency and we check
# systemd's status directly as an alternative. # systemd's status directly as an alternative.
- name: Check if apparmor is running - name: Check if apparmor is running
command: "systemctl status apparmor" # noqa 303 command: "systemctl status apparmor" # noqa: command-instead-of-module
register: systemctl_apparmor_status register: systemctl_apparmor_status
check_mode: no check_mode: no
changed_when: false changed_when: false
@ -96,6 +96,7 @@
file: file:
path: /.autorelabel path: /.autorelabel
state: touch state: touch
mode: "0644"
when: when:
- ansible_facts['os_family'] == "RedHat" - ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool


@ -34,7 +34,8 @@
# Some of the tasks in the role may take a long time to run. Let's start them # Some of the tasks in the role may take a long time to run. Let's start them
# as early as possible so they have time to finish. # as early as possible so they have time to finish.
- import_tasks: async_tasks.yml - name: Importing async_tasks tasks
import_tasks: async_tasks.yml
- name: Get user data for all users on the system - name: Get user data for all users on the system
get_users: get_users:
@ -67,29 +68,41 @@
# Package installations and removals must come first so that configuration # Package installations and removals must come first so that configuration
# changes can be made later. # changes can be made later.
- import_tasks: packages.yml - name: Importing packages tasks
import_tasks: packages.yml
tags: tags:
- always - always
# Package managers are managed first since the changes in these tasks will # Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role. # affect the remainder of the tasks in the role.
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" - name: Including OS-specific tasks
include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
# The bulk of the security changes are applied in these tasks. The tasks in # The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml` # each file are tagged with the same name (for example, tasks in `auth.yml`
# are tagged with `auth`). Also, the tag name matches up with the "STIG # are tagged with `auth`). Also, the tag name matches up with the "STIG
# Controls by Tag" section of the role documentation. # Controls by Tag" section of the role documentation.
- import_tasks: accounts.yml - name: Importing accounts tasks
- import_tasks: aide.yml import_tasks: accounts.yml
- name: Importing aide tasks
import_tasks: aide.yml
when: security_rhel7_enable_aide | bool when: security_rhel7_enable_aide | bool
- import_tasks: auditd.yml - name: Importing auditd tasks
- import_tasks: auth.yml import_tasks: auditd.yml
- import_tasks: file_perms.yml - name: Importing auth tasks
- import_tasks: graphical.yml import_tasks: auth.yml
- import_tasks: kernel.yml - name: Importing file_perms tasks
- import_tasks: lsm.yml import_tasks: file_perms.yml
- import_tasks: misc.yml - name: Importing graphical tasks
- import_tasks: sshd.yml import_tasks: graphical.yml
- name: Importing kernel tasks
import_tasks: kernel.yml
- name: Importing lsm tasks
import_tasks: lsm.yml
- name: Importing misc tasks
import_tasks: misc.yml
- name: Importing sshd tasks
import_tasks: sshd.yml
- name: Remove the temporary directory - name: Remove the temporary directory
file: file:


@ -14,7 +14,7 @@
# limitations under the License. # limitations under the License.
- name: Check autofs service - name: Check autofs service
command: systemctl status autofs # noqa 303 command: systemctl status autofs # noqa: command-instead-of-module
register: autofs_check register: autofs_check
failed_when: autofs_check.rc not in [0,3,4] failed_when: autofs_check.rc not in [0,3,4]
changed_when: False changed_when: False
@ -150,7 +150,7 @@
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - Restart clamav
tags: tags:
- misc - misc
- V-72213 - V-72213
@ -166,7 +166,7 @@
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - Restart clamav
tags: tags:
- misc - misc
- V-72213 - V-72213
@ -174,7 +174,7 @@
- name: Ensure ClamAV socket directory exists - name: Ensure ClamAV socket directory exists
file: file:
path: "{{ clamav_service_details['socket_path'] | dirname }}" path: "{{ clamav_service_details['socket_path'] | dirname }}"
user: "{{ clamav_service_details['user'] }}" owner: "{{ clamav_service_details['user'] }}"
group: "{{ clamav_service_details['group'] }}" group: "{{ clamav_service_details['group'] }}"
mode: "{{ clamav_service_details['mode'] }}" mode: "{{ clamav_service_details['mode'] }}"
when: when:
@ -182,7 +182,7 @@
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - Restart clamav
tags: tags:
- misc - misc
- V-72213 - V-72213
@ -197,7 +197,7 @@
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - Restart clamav
tags: tags:
- misc - misc
- V-72213 - V-72213
@ -293,11 +293,12 @@
template: template:
src: chrony.conf.j2 src: chrony.conf.j2
dest: "{{ chrony_conf_file }}" dest: "{{ chrony_conf_file }}"
mode: "0644"
when: when:
- chrony_conf_check.stat.exists | bool - chrony_conf_check.stat.exists | bool
- security_rhel7_enable_chrony | bool - security_rhel7_enable_chrony | bool
notify: notify:
- restart chrony - Restart chrony
tags: tags:
- medium - medium
- misc - misc
@ -305,7 +306,7 @@
# Returns 0 if installed, 3 if not installed # Returns 0 if installed, 3 if not installed
- name: Check firewalld status - name: Check firewalld status
command: systemctl status firewalld # noqa 303 command: systemctl status firewalld # noqa: command-instead-of-module
register: firewalld_status_check register: firewalld_status_check
failed_when: firewalld_status_check.rc not in [0,3,4] failed_when: firewalld_status_check.rc not in [0,3,4]
changed_when: False changed_when: False
@ -327,7 +328,9 @@
- V-72273 - V-72273
- name: Limit new TCP connections to 25/minute and allow bursting to 100 - name: Limit new TCP connections to 25/minute and allow bursting to 100
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT" command: >-
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
register: add_rate_limit_firewalld_rule register: add_rate_limit_firewalld_rule
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout" changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
when: when:
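Review bot: The `user:` → `owner:` change on the "Ensure ClamAV socket directory exists" task is a functional fix (the `file` module has no `user` parameter), not a lint cleanup, yet the commit message describes only linter compliance; a sentence in the description naming this fix would help anyone reading the history or writing release notes. In the `firewall-cmd` hunk, the new `>-` folded scalar breaks the line inside a moustache (`{{` at the end of one line, the variable name on the next); folding joins them with a single space so Jinja still parses it, but splitting at argument boundaries so each `{{ ... }}` stays on one line would be easier to read and to diff.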


@ -19,6 +19,7 @@
dest: "{{ security_sshd_banner_file }}" dest: "{{ security_sshd_banner_file }}"
owner: root owner: root
group: root group: root
mode: "0644"
tags: tags:
- high - high
- sshd - sshd
@ -33,7 +34,7 @@
validate: '/usr/sbin/sshd -T -f %s' validate: '/usr/sbin/sshd -T -f %s'
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}" with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
notify: notify:
- restart ssh - Restart ssh
tags: tags:
- high - high
- sshd - sshd
@ -71,7 +72,7 @@
{{ option['name'] ~ ' ' ~ option['value'] }} {{ option['name'] ~ ' ' ~ option['value'] }}
{% endfor %} {% endfor %}
notify: notify:
- restart ssh - Restart ssh
tags: tags:
- high - high
- sshd - sshd


@ -13,7 +13,8 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- include_tasks: rpm.yml - name: Including rpm tasks
include_tasks: rpm.yml
- name: Check if /etc/yum/yum-cron.conf exists - name: Check if /etc/yum/yum-cron.conf exists
stat: stat:


@ -100,6 +100,7 @@
copy: copy:
src: zypper-autoupdates src: zypper-autoupdates
dest: /etc/cron.daily/zypper-autoupdates dest: /etc/cron.daily/zypper-autoupdates
mode: "0750"
when: when:
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:


@ -327,7 +327,7 @@ sysctl_settings_rhel7:
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}" enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route - name: net.ipv4.conf.default.accept_source_route
value: 0 value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}" enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.icmp_echo_ignore_broadcasts - name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1 value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}" enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
@ -407,7 +407,7 @@ sshd_settings_rhel7:
enabled: yes enabled: yes
stig_id: V-72251 stig_id: V-72251
- name: MACs - name: MACs
value: "{{security_sshd_allowed_macs }}" value: "{{ security_sshd_allowed_macs }}"
enabled: yes enabled: yes
stig_id: V-72253 stig_id: V-72253
- name: UsePrivilegeSeparation - name: UsePrivilegeSeparation


@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan user: clamscan
group: virusgroup group: virusgroup
socket_path: /run/clamd.scan/clamd.sock socket_path: /run/clamd.scan/clamd.sock
mode: 0710 mode: "0710"
# Commands # Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"


@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan user: clamscan
group: virusgroup group: virusgroup
socket_path: /run/clamd.scan/clamd.sock socket_path: /run/clamd.scan/clamd.sock
mode: 0710 mode: "0710"
# Commands # Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"


@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan user: clamscan
group: virusgroup group: virusgroup
socket_path: /run/clamd.scan/clamd.sock socket_path: /run/clamd.scan/clamd.sock
mode: 0710 mode: "0710"
# Commands # Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"


@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to # NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
# create the EFI distro directory. Since this information is not available on # create the EFI distro directory. Since this information is not available on
# Ansible, we have to improvise a bit... # Ansible, we have to improvise a bit...
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg" grub_conf_file_efi: >-
{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg
aide_cron_job_path: /etc/cron.daily/aide aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new aide_database_out_file: /var/lib/aide/aide.db.new