Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with the linter rules we're applying changes to the role. With that we also update the metadata to reflect the current state. Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
parent
2c7889852c
commit
db5c6f2d66
@ -82,16 +82,17 @@ security_aide_exclude_dirs:
|
||||
|
||||
## Audit daemon (auditd)
|
||||
# Send audit records to a different system using audisp.
|
||||
#security_audisp_remote_server: '10.0.21.1' # V-72083
|
||||
# security_audisp_remote_server: '10.0.21.1' # V-72083
|
||||
# Encrypt audit records when they are transmitted over the network.
|
||||
#security_audisp_enable_krb5: yes # V-72085
|
||||
# security_audisp_enable_krb5: yes # V-72085
|
||||
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
|
||||
security_rhel7_audit_failure_flag: 1 # V-72081
|
||||
# Set the action to take when the disk is full or network events cannot be sent.
|
||||
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
||||
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
||||
# Size of remaining disk space (in MB) that triggers alerts.
|
||||
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
||||
security_rhel7_auditd_space_left: >- # V-72089
|
||||
{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
|
||||
# Action to take when the space_left threshold is reached.
|
||||
security_rhel7_auditd_space_left_action: email # V-72091
|
||||
# Send auditd email alerts to this user.
|
||||
@ -179,8 +180,8 @@ security_password_encrypt_method: SHA512 # V-71921
|
||||
# Ensure user/group admin utilities only store encrypted passwords.
|
||||
security_libuser_crypt_style_sha512: yes # V-71923
|
||||
# Set a minimum/maximum lifetime limit for user passwords.
|
||||
#security_password_min_lifetime_days: 1 # V-71925
|
||||
#security_password_max_lifetime_days: 60 # V-71929
|
||||
# security_password_min_lifetime_days: 1 # V-71925
|
||||
# security_password_max_lifetime_days: 60 # V-71929
|
||||
# Set a delay (in seconds) between failed login attempts.
|
||||
security_shadow_utils_fail_delay: 4 # V-71951
|
||||
# Set a umask for all authenticated users.
|
||||
@ -188,7 +189,7 @@ security_shadow_utils_fail_delay: 4 # V-71951
|
||||
# Create home directories for new users by default.
|
||||
security_shadow_utils_create_home: yes # V-72013
|
||||
# How many old user password to remember to prevent password re-use.
|
||||
#security_password_remember_password: 5 # V-71933
|
||||
# security_password_remember_password: 5 # V-71933
|
||||
# Disable user accounts if the password expires.
|
||||
security_disable_account_if_password_expires: no # V-71941
|
||||
# Lock user accounts with excessive login failures. See documentation.
|
||||
@ -198,7 +199,7 @@ security_pam_faillock_attempts: 3
|
||||
security_pam_faillock_deny_root: yes # RHEL-07-010373
|
||||
security_pam_faillock_unlock_time: 604800 # V-71943
|
||||
# Limit the number of concurrent connections per account.
|
||||
#security_rhel7_concurrent_session_limit: 10 # V-72217
|
||||
# security_rhel7_concurrent_session_limit: 10 # V-72217
|
||||
# Remove .shosts and shosts.equiv files.
|
||||
security_rhel7_remove_shosts_files: no # V-72277
|
||||
# Exclude these directories from the shosts files find
|
||||
@ -263,7 +264,7 @@ security_enable_grub_update: yes
|
||||
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
||||
security_require_grub_authentication: no # V-71961 / V-71963
|
||||
# The default password for grub authentication is 'secrete'.
|
||||
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
||||
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
|
||||
# Set session timeout.
|
||||
security_rhel7_session_timeout: 600 # V-72223
|
||||
# Enable chrony for NTP time synchronization.
|
||||
|
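Review bot: The `# noqa: yaml[line-length]` added to `security_grub_password_hash` silences the linter but leaves a publicly known default in place: the comment above it documents the password as 'secrete', so any deployer who enables `security_require_grub_authentication` without overriding the hash ends up with a bootloader protected by a published password. Since the line is being touched anyway, I would make that risk explicit next to the value rather than only suppressing the warning: `# WARNING: this default hash is public (password 'secrete'); generate your own with grub2-mkpasswd-pbkdf2 and override it before enabling security_require_grub_authentication.` Do not fold the hash onto several lines to satisfy the length rule, as `>-` would insert a space into the value; the noqa is the right tool here, it just needs the warning beside it.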
@ -17,76 +17,48 @@
|
||||
#
|
||||
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
|
||||
# since it's a special service. Using the old service scripts is required.
|
||||
- name: restart auditd
|
||||
- name: Restart auditd
|
||||
command: service auditd restart # noqa: command-instead-of-module
|
||||
changed_when: false
|
||||
|
||||
- name: restart chrony
|
||||
- name: Restart chrony
|
||||
service:
|
||||
name: "{{ chrony_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: restart fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: restart postfix
|
||||
service:
|
||||
name: postfix
|
||||
state: restarted
|
||||
|
||||
- name: restart rsyslog
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
|
||||
- name: restart samba
|
||||
service:
|
||||
name: smbd
|
||||
state: restarted
|
||||
|
||||
- name: restart ssh
|
||||
- name: Restart ssh
|
||||
service:
|
||||
name: "{{ ssh_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: restart vsftpd
|
||||
service:
|
||||
name: vsftpd
|
||||
state: restarted
|
||||
|
||||
- name: restart clamav
|
||||
- name: Restart clamav
|
||||
service:
|
||||
name: "{{ clamav_service }}"
|
||||
state: restarted
|
||||
|
||||
# Miscellaneous ##############################################################
|
||||
- name: generate auditd rules
|
||||
- name: Generate auditd rules
|
||||
command: augenrules --load
|
||||
changed_when: false
|
||||
notify: restart auditd
|
||||
|
||||
- name: rehash aliases
|
||||
command: newaliases
|
||||
|
||||
- name: update grub config
|
||||
- name: Update grub config
|
||||
command: "{{ grub_update_cmd }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- security_enable_grub_update | bool
|
||||
- grub_update_binary.stat.exists | bool
|
||||
- grub_update_binary.stat.executable | bool
|
||||
notify:
|
||||
- set bootloader file permissions after updating grub config
|
||||
- Set bootloader file permissions after updating grub config
|
||||
|
||||
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
||||
# change, which breaks V-38583.
|
||||
- name: set bootloader file permissions after updating grub config
|
||||
- name: Set bootloader file permissions after updating grub config
|
||||
file:
|
||||
path: "{{ grub_config_file_boot }}"
|
||||
mode: "0644"
|
||||
|
||||
- name: dconf update
|
||||
- name: Dconf update
|
||||
command: dconf update
|
||||
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
daemon-reload: yes
|
||||
changed_when: false
|
||||
|
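Review bot: Capitalising the handler names (`Restart auditd`, `Restart chrony`, `Restart ssh`, `Restart clamav`, `Generate auditd rules`, `Update grub config`, `Set bootloader file permissions after updating grub config`, `Dconf update`) is a breaking change for any `notify:` not updated in this commit, because Ansible matches handler names case-sensitively and a notify to a missing handler fails the play the moment the task reports a change. The task files visible in this diff are updated, but the contrib tasks and any other STIG directory are outside my view. A cheap safety net for one release is to keep each old name as a listener, e.g. `listen: restart auditd` directly under `- name: Restart auditd`, and the same for the other seven. The hunk counts (76 old lines versus 48 new) suggest the `restart fail2ban`, `restart postfix`, `restart rsyslog`, `restart samba`, `restart vsftpd`, `rehash aliases` and `reload systemd` handlers were dropped entirely; that needs the same grep to confirm nothing still notifies them.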
@ -4,19 +4,22 @@ galaxy_info:
|
||||
description: Security hardening role for OpenStack-Ansible
|
||||
company: OpenStack
|
||||
license: Apache
|
||||
min_ansible_version: 2.10
|
||||
role_name: hardening
|
||||
namespace: openstack
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- buster
|
||||
- bullseye
|
||||
- name: EL
|
||||
versions:
|
||||
- 8
|
||||
- "8"
|
||||
- "9"
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
categories:
|
||||
- jammy
|
||||
galaxy_tags:
|
||||
- cloud
|
||||
- security
|
||||
- system
|
||||
|
@ -44,8 +44,8 @@
|
||||
|
||||
- name: Set facts
|
||||
set_fact:
|
||||
check_mode: "{{ noop_result is skipped }}"
|
||||
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
|
||||
check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
|
||||
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
|
||||
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
||||
tags:
|
||||
- always
|
||||
@ -57,8 +57,10 @@
|
||||
tags:
|
||||
- always
|
||||
|
||||
- import_tasks: "{{ stig_version }}stig/main.yml"
|
||||
- name: Importing STIG tasks
|
||||
import_tasks: "{{ stig_version }}stig/main.yml"
|
||||
|
||||
- include_tasks: contrib/main.yml
|
||||
- name: Including contrib tasks
|
||||
include_tasks: contrib/main.yml
|
||||
when:
|
||||
- security_contrib_enabled | bool
|
||||
|
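Review bot: The new `# noqa: var-naming[no-reserved]` on `check_mode: "{{ noop_result is skipped }}"` suppresses a warning that points at a real hazard: `check_mode` is an Ansible task keyword, and a fact with the same name shadows it in templates and makes every later `check_mode:` line ambiguous to a reader (and to future linters). The suppression keeps the reserved name; I would rename the fact instead, e.g. `security_check_mode: "{{ noop_result is skipped }}"`, and update its readers, keeping the noqa only as a short-lived transition while both names are set. The readers of this fact are not in this diff, so the rename needs a grep across the role before it lands.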
@ -71,6 +71,7 @@
|
||||
option: crypt_style
|
||||
value: sha512
|
||||
backup: yes
|
||||
mode: "0644"
|
||||
when:
|
||||
- security_libuser_crypt_style_sha512 | bool
|
||||
- ansible_facts['os_family'] | lower == 'redhat'
|
||||
@ -84,6 +85,7 @@
|
||||
# system. See bug 1659232 for more details.
|
||||
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
|
||||
command: "chage -m 1 {{ item.name }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- item.shadow is mapping
|
||||
- item.shadow.min_days != 1
|
||||
@ -100,6 +102,7 @@
|
||||
# system. See bug 1659232 for more details.
|
||||
- name: Set maximum password lifetime limit to 60 days for interactive accounts
|
||||
command: "chage -M 60 {{ item.name }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- item.shadow is mapping
|
||||
- item.shadow.max_days > 60
|
||||
@ -245,5 +248,3 @@
|
||||
- accounts
|
||||
- medium
|
||||
- V-73159
|
||||
|
||||
|
||||
|
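Review bot: `changed_when: false` on the two `chage` tasks (`chage -m 1 {{ item.name }}` and `chage -M 60 {{ item.name }}`) misreports what happened on the host: both tasks are guarded by `when: item.shadow.min_days != 1` and `item.shadow.max_days > 60`, so whenever they run they do rewrite /etc/shadow, and the play will now print `ok` for a change that was made. The `no-changed-when` rule only asks that `changed_when` be declared; the accurate value here is `changed_when: true`, which keeps the tasks idempotent through the `when` guard while still reporting the modification. Operators of a hardening role read the changed/ok summary to audit what was touched, so hiding real changes is worse than the lint warning it removes.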
@ -28,6 +28,7 @@
|
||||
template:
|
||||
src: ZZ_aide_exclusions.j2
|
||||
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
|
||||
mode: "0644"
|
||||
when: aide_conf.results[0].stat.exists | bool
|
||||
tags:
|
||||
- medium
|
||||
|
@ -103,6 +103,7 @@
|
||||
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
|
||||
state: present
|
||||
create: yes
|
||||
mode: "0644"
|
||||
when:
|
||||
- security_package_clean_on_remove | bool
|
||||
- ansible_facts['os_family'] | lower == 'debian'
|
||||
@ -115,6 +116,7 @@
|
||||
copy:
|
||||
src: 20auto-upgrades
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
mode: "0644"
|
||||
when:
|
||||
- ansible_facts['os_family'] | lower == 'debian'
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
|
@ -38,7 +38,7 @@
|
||||
- security_audisp_remote_server is defined
|
||||
- audisp_remote_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
- Restart auditd
|
||||
tags:
|
||||
- medium
|
||||
- auditd
|
||||
@ -53,7 +53,7 @@
|
||||
- security_audisp_enable_krb5 is defined
|
||||
- audisp_remote_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
- Restart auditd
|
||||
tags:
|
||||
- medium
|
||||
- auditd
|
||||
@ -73,7 +73,7 @@
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
- Generate auditd rules
|
||||
tags:
|
||||
- always
|
||||
|
||||
@ -84,7 +84,7 @@
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
- Generate auditd rules
|
||||
tags:
|
||||
- always
|
||||
|
||||
@ -92,10 +92,11 @@
|
||||
template:
|
||||
src: osas-auditd-rhel7.j2
|
||||
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
|
||||
mode: "0644"
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
- Generate auditd rules
|
||||
tags:
|
||||
- auditd
|
||||
- V-72167
|
||||
@ -163,7 +164,7 @@
|
||||
- auditd_conf.stat.exists
|
||||
- audisp_remote_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
- Restart auditd
|
||||
tags:
|
||||
- high
|
||||
- auditd
|
||||
|
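Review bot: The `mode: "0644"` added to the `osas-auditd-rhel7.rules` template makes the audit rule set world-readable, which lets any local user read exactly which syscalls, paths and identities are being watched. From memory the audit package installs `/etc/audit/rules.d/*.rules` and `auditd.conf` without world-read permission (0640 or tighter; please confirm on a target host), so 0644 is a relaxation relative to the package default rather than a neutral linter fix. I would use `mode: "0640"` together with `owner: root` and `group: root` on this task; `augenrules --load` runs as root and does not need the file readable by others.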
@ -54,7 +54,7 @@
|
||||
line: '\1\2'
|
||||
backup: yes
|
||||
backrefs: yes
|
||||
loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}"
|
||||
loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- security_disallow_blank_password_login | bool
|
||||
@ -185,7 +185,7 @@
|
||||
password_pbkdf2 root {{ security_grub_password_hash }}
|
||||
state: present
|
||||
notify:
|
||||
- update grub config
|
||||
- Update grub config
|
||||
- name: Set CLASS for grub file
|
||||
lineinfile:
|
||||
path: "{{ grub_linux_file }}"
|
||||
@ -194,7 +194,7 @@
|
||||
state: present
|
||||
backrefs: yes
|
||||
notify:
|
||||
- update grub config
|
||||
- Update grub config
|
||||
when:
|
||||
- grub_custom_file_check.stat.exists | bool
|
||||
- security_require_grub_authentication | bool
|
||||
@ -208,6 +208,7 @@
|
||||
blockinfile:
|
||||
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
|
||||
create: yes
|
||||
mode: "0644"
|
||||
block: |
|
||||
# Deployed by the ansible-hardening role
|
||||
# V-72217 - Limit concurrent sessions for all accounts/types
|
||||
|
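Review bot: The reformatted loop `{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}` still nests a Jinja template inside a Jinja expression; it only works because Ansible re-templates the resulting strings, and the inner `{{ }}` is what the spacing rule was tripping over in the first place. Plain variable references do the same job without nesting: `loop: "{{ ['auth', 'password'] | product([pam_auth_file, pam_password_file]) | list }}"`. Since this task rewrites the PAM auth/password stacks with `backrefs: yes` under `security_disallow_blank_password_login`, a rendering surprise here would silently leave the stacks unmodified, so the simpler form is worth the extra line in this change.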
@ -13,7 +13,8 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include_tasks: rpm.yml
|
||||
- name: Including rpm tasks
|
||||
include_tasks: rpm.yml
|
||||
|
||||
- name: Check if /etc/dnf/automatic.conf exists
|
||||
stat:
|
||||
|
@ -56,6 +56,7 @@
|
||||
copy:
|
||||
src: dconf-user-profile
|
||||
dest: /etc/dconf/profile/user
|
||||
mode: "0644"
|
||||
when:
|
||||
- dconf_check.stat.exists
|
||||
tags:
|
||||
@ -69,6 +70,7 @@
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
with_items:
|
||||
- /etc/dconf/db/local.d/
|
||||
- /etc/dconf/db/local.d/locks
|
||||
@ -87,10 +89,11 @@
|
||||
template:
|
||||
src: dconf-screensaver-lock.j2
|
||||
dest: /etc/dconf/db/local.d/00-screensaver
|
||||
mode: "0644"
|
||||
when:
|
||||
- dconf_check.stat.exists
|
||||
notify:
|
||||
- dconf update
|
||||
- Dconf update
|
||||
tags:
|
||||
- graphical
|
||||
- medium
|
||||
@ -102,10 +105,11 @@
|
||||
template:
|
||||
src: dconf-session-user-config-lockout.j2
|
||||
dest: /etc/dconf/db/local.d/locks/session
|
||||
mode: "0644"
|
||||
when:
|
||||
- dconf_check.stat.exists
|
||||
notify:
|
||||
- dconf update
|
||||
- Dconf update
|
||||
tags:
|
||||
- graphical
|
||||
- medium
|
||||
@ -117,10 +121,11 @@
|
||||
copy:
|
||||
src: dconf-profile-gdm
|
||||
dest: /etc/dconf/profile/gdm
|
||||
mode: "0644"
|
||||
when:
|
||||
- dconf_check.stat.exists
|
||||
notify:
|
||||
- dconf update
|
||||
- Dconf update
|
||||
tags:
|
||||
- graphical
|
||||
- medium
|
||||
@ -130,13 +135,14 @@
|
||||
template:
|
||||
src: dconf-gdm-banner-message.j2
|
||||
dest: "{{ item }}"
|
||||
mode: "0644"
|
||||
with_items:
|
||||
- /etc/dconf/db/gdm.d/01-banner-message
|
||||
- /etc/dconf/db/local.d/01-banner-message
|
||||
when:
|
||||
- dconf_check.stat.exists
|
||||
notify:
|
||||
- dconf update
|
||||
- Dconf update
|
||||
tags:
|
||||
- graphical
|
||||
- medium
|
||||
|
@ -18,6 +18,7 @@
|
||||
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
|
||||
line: install usb-storage /bin/true
|
||||
create: yes
|
||||
mode: "0644"
|
||||
when:
|
||||
- security_rhel7_disable_usb_storage | bool
|
||||
tags:
|
||||
@ -49,7 +50,7 @@
|
||||
- C-00001
|
||||
|
||||
- name: Check kdump service
|
||||
command: systemctl status kdump # noqa 303
|
||||
command: systemctl status kdump # noqa: command-instead-of-module
|
||||
register: kdump_service_check
|
||||
failed_when: kdump_service_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
@ -101,6 +102,7 @@
|
||||
copy:
|
||||
src: ansible-hardening-disable-dccp.conf
|
||||
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
|
||||
mode: "0644"
|
||||
when:
|
||||
- security_rhel7_disable_dccp | bool
|
||||
tags:
|
||||
|
@ -32,7 +32,7 @@
|
||||
# started apparmor each time. This breaks idempotency and we check
|
||||
# systemd's status directly as an alternative.
|
||||
- name: Check if apparmor is running
|
||||
command: "systemctl status apparmor" # noqa 303
|
||||
command: "systemctl status apparmor" # noqa: command-instead-of-module
|
||||
register: systemctl_apparmor_status
|
||||
check_mode: no
|
||||
changed_when: false
|
||||
@ -96,6 +96,7 @@
|
||||
file:
|
||||
path: /.autorelabel
|
||||
state: touch
|
||||
mode: "0644"
|
||||
when:
|
||||
- ansible_facts['os_family'] == "RedHat"
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
|
@ -34,7 +34,8 @@
|
||||
|
||||
# Some of the tasks in the role may take a long time to run. Let's start them
|
||||
# as early as possible so they have time to finish.
|
||||
- import_tasks: async_tasks.yml
|
||||
- name: Importing async_tasks tasks
|
||||
import_tasks: async_tasks.yml
|
||||
|
||||
- name: Get user data for all users on the system
|
||||
get_users:
|
||||
@ -67,29 +68,41 @@
|
||||
|
||||
# Package installations and removals must come first so that configuration
|
||||
# changes can be made later.
|
||||
- import_tasks: packages.yml
|
||||
- name: Importing packages tasks
|
||||
import_tasks: packages.yml
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Package managers are managed first since the changes in these tasks will
|
||||
# affect the remainder of the tasks in the role.
|
||||
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
|
||||
- name: Including OS-specific tasks
|
||||
include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
|
||||
|
||||
# The bulk of the security changes are applied in these tasks. The tasks in
|
||||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
||||
# Controls by Tag" section of the role documentation.
|
||||
- import_tasks: accounts.yml
|
||||
- import_tasks: aide.yml
|
||||
- name: Importing accounts tasks
|
||||
import_tasks: accounts.yml
|
||||
- name: Importing aide tasks
|
||||
import_tasks: aide.yml
|
||||
when: security_rhel7_enable_aide | bool
|
||||
- import_tasks: auditd.yml
|
||||
- import_tasks: auth.yml
|
||||
- import_tasks: file_perms.yml
|
||||
- import_tasks: graphical.yml
|
||||
- import_tasks: kernel.yml
|
||||
- import_tasks: lsm.yml
|
||||
- import_tasks: misc.yml
|
||||
- import_tasks: sshd.yml
|
||||
- name: Importing auditd tasks
|
||||
import_tasks: auditd.yml
|
||||
- name: Importing auth tasks
|
||||
import_tasks: auth.yml
|
||||
- name: Importing file_perms tasks
|
||||
import_tasks: file_perms.yml
|
||||
- name: Importing graphical tasks
|
||||
import_tasks: graphical.yml
|
||||
- name: Importing kernel tasks
|
||||
import_tasks: kernel.yml
|
||||
- name: Importing lsm tasks
|
||||
import_tasks: lsm.yml
|
||||
- name: Importing misc tasks
|
||||
import_tasks: misc.yml
|
||||
- name: Importing sshd tasks
|
||||
import_tasks: sshd.yml
|
||||
|
||||
- name: Remove the temporary directory
|
||||
file:
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Check autofs service
|
||||
command: systemctl status autofs # noqa 303
|
||||
command: systemctl status autofs # noqa: command-instead-of-module
|
||||
register: autofs_check
|
||||
failed_when: autofs_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
@ -150,7 +150,7 @@
|
||||
- security_enable_virus_scanner | bool
|
||||
- ansible_facts['os_family'] | lower == 'redhat'
|
||||
notify:
|
||||
- restart clamav
|
||||
- Restart clamav
|
||||
tags:
|
||||
- misc
|
||||
- V-72213
|
||||
@ -166,7 +166,7 @@
|
||||
- security_enable_virus_scanner | bool
|
||||
- ansible_facts['os_family'] | lower == 'redhat'
|
||||
notify:
|
||||
- restart clamav
|
||||
- Restart clamav
|
||||
tags:
|
||||
- misc
|
||||
- V-72213
|
||||
@ -174,7 +174,7 @@
|
||||
- name: Ensure ClamAV socket directory exists
|
||||
file:
|
||||
path: "{{ clamav_service_details['socket_path'] | dirname }}"
|
||||
user: "{{ clamav_service_details['user'] }}"
|
||||
owner: "{{ clamav_service_details['user'] }}"
|
||||
group: "{{ clamav_service_details['group'] }}"
|
||||
mode: "{{ clamav_service_details['mode'] }}"
|
||||
when:
|
||||
@ -182,7 +182,7 @@
|
||||
- security_enable_virus_scanner | bool
|
||||
- ansible_facts['os_family'] | lower == 'redhat'
|
||||
notify:
|
||||
- restart clamav
|
||||
- Restart clamav
|
||||
tags:
|
||||
- misc
|
||||
- V-72213
|
||||
@ -197,7 +197,7 @@
|
||||
- security_enable_virus_scanner | bool
|
||||
- ansible_facts['os_family'] | lower == 'redhat'
|
||||
notify:
|
||||
- restart clamav
|
||||
- Restart clamav
|
||||
tags:
|
||||
- misc
|
||||
- V-72213
|
||||
@ -293,11 +293,12 @@
|
||||
template:
|
||||
src: chrony.conf.j2
|
||||
dest: "{{ chrony_conf_file }}"
|
||||
mode: "0644"
|
||||
when:
|
||||
- chrony_conf_check.stat.exists | bool
|
||||
- security_rhel7_enable_chrony | bool
|
||||
notify:
|
||||
- restart chrony
|
||||
- Restart chrony
|
||||
tags:
|
||||
- medium
|
||||
- misc
|
||||
@ -305,7 +306,7 @@
|
||||
|
||||
# Returns 0 if installed, 3 if not installed
|
||||
- name: Check firewalld status
|
||||
command: systemctl status firewalld # noqa 303
|
||||
command: systemctl status firewalld # noqa: command-instead-of-module
|
||||
register: firewalld_status_check
|
||||
failed_when: firewalld_status_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
@ -327,7 +328,9 @@
|
||||
- V-72273
|
||||
|
||||
- name: Limit new TCP connections to 25/minute and allow bursting to 100
|
||||
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
|
||||
command: >-
|
||||
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
|
||||
security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
|
||||
register: add_rate_limit_firewalld_rule
|
||||
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
|
||||
when:
|
||||
|
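Review bot: The folded `command: >-` for the firewall-cmd rate-limit rule breaks the line in the middle of a Jinja expression (`--limit {{` / `security_enable_firewalld_rate_limit_per_minute }}/minute`), which renders correctly but is hard to grep and easy to break on the next edit. I would split between arguments instead: `firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp` on the first line and `-m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT` on the second. The task name still hard-codes "25/minute" and "100" while the values come from variables; `name: Rate-limit new TCP connections via firewalld` would stay accurate when they are overridden.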
@ -19,6 +19,7 @@
|
||||
dest: "{{ security_sshd_banner_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
tags:
|
||||
- high
|
||||
- sshd
|
||||
@ -33,7 +34,7 @@
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
|
||||
notify:
|
||||
- restart ssh
|
||||
- Restart ssh
|
||||
tags:
|
||||
- high
|
||||
- sshd
|
||||
@ -71,7 +72,7 @@
|
||||
{{ option['name'] ~ ' ' ~ option['value'] }}
|
||||
{% endfor %}
|
||||
notify:
|
||||
- restart ssh
|
||||
- Restart ssh
|
||||
tags:
|
||||
- high
|
||||
- sshd
|
||||
|
@ -13,7 +13,8 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include_tasks: rpm.yml
|
||||
- name: Including rpm tasks
|
||||
include_tasks: rpm.yml
|
||||
|
||||
- name: Check if /etc/yum/yum-cron.conf exists
|
||||
stat:
|
||||
|
@ -100,6 +100,7 @@
|
||||
copy:
|
||||
src: zypper-autoupdates
|
||||
dest: /etc/cron.daily/zypper-autoupdates
|
||||
mode: "0750"
|
||||
when:
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
tags:
|
||||
|
@ -327,7 +327,7 @@ sysctl_settings_rhel7:
|
||||
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
|
||||
- name: net.ipv4.conf.default.accept_source_route
|
||||
value: 0
|
||||
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
|
||||
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
|
||||
- name: net.ipv4.icmp_echo_ignore_broadcasts
|
||||
value: 1
|
||||
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
|
||||
@ -407,7 +407,7 @@ sshd_settings_rhel7:
|
||||
enabled: yes
|
||||
stig_id: V-72251
|
||||
- name: MACs
|
||||
value: "{{security_sshd_allowed_macs }}"
|
||||
value: "{{ security_sshd_allowed_macs }}"
|
||||
enabled: yes
|
||||
stig_id: V-72253
|
||||
- name: UsePrivilegeSeparation
|
||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
||||
user: clamscan
|
||||
group: virusgroup
|
||||
socket_path: /run/clamd.scan/clamd.sock
|
||||
mode: 0710
|
||||
mode: "0710"
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
||||
user: clamscan
|
||||
group: virusgroup
|
||||
socket_path: /run/clamd.scan/clamd.sock
|
||||
mode: 0710
|
||||
mode: "0710"
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||
|
@ -45,7 +45,7 @@ clamav_service_details:
|
||||
user: clamscan
|
||||
group: virusgroup
|
||||
socket_path: /run/clamd.scan/clamd.sock
|
||||
mode: 0710
|
||||
mode: "0710"
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||
|
@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg
|
||||
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
||||
# create the EFI distro directory. Since this information is not available on
|
||||
# Ansible, we have to improvise a bit...
|
||||
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
||||
grub_conf_file_efi: >-
|
||||
{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg
|
||||
aide_cron_job_path: /etc/cron.daily/aide
|
||||
aide_database_file: /var/lib/aide/aide.db
|
||||
aide_database_out_file: /var/lib/aide/aide.db.new
|
||||
|