diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index d4781c08..84163749 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -90,3 +90,30 @@
 tags:
 - high
 - V-71979
+
+- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
+ lineinfile:
+ dest: /etc/apt/apt.conf.d/security-autoremove
+ regexp: "^(#)?APT::Get::AutomaticRemove"
+ line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
+ state: present
+ create: yes
+ when:
+ - security_package_clean_on_remove | bool
+ - ansible_os_family | lower == 'debian'
+ tags:
+ - low
+ - packages
+ - V-71987
+
+- name: Enable automatic package updates (apt)
+ copy:
+ src: 20auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ when:
+ - ansible_os_family | lower == 'debian'
+ - security_rhel7_automatic_package_updates | bool
+ tags:
+ - packages
+ - cat2
+ - V-71999
diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml
deleted file mode 120000
index 8608996d..00000000
--- a/tasks/rhel7stig/dnf.yml
+++ /dev/null
@@ -1 +0,0 @@
-yum.yml
\ No newline at end of file
diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml
new file mode 100644
index 00000000..25bf3b51
--- /dev/null
+++ b/tasks/rhel7stig/dnf.yml
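Review bot: Both new tasks create files under /etc/apt/apt.conf.d (`lineinfile ... create: yes` for `security-autoremove`, `copy` for `20auto-upgrades`) without pinning `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask; for a hardening role that writes apt policy I would add `owner: root`, `group: root`, `mode: "0644"` to both tasks. The apt task for V-71999 is tagged `cat2` while the dnf task for the same control in this commit is tagged `medium`, so `--tags medium` selects one and not the other; one severity vocabulary per control would keep tag selection consistent. Separately, the V-71987 task writes `APT::Get::AutomaticRemove "0";`, which reads as disabling automatic removal rather than enabling it as the task name suggests — worth confirming the intended value, or adding a comment above the task such as `# "0" is intentional here: <reason>` so the next reader does not "fix" it.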
@@ -0,0 +1,58 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: rpm.yml
+
+- name: Check if /etc/dnf/automatic.conf exists
+ stat:
+ path: /etc/dnf/automatic.conf
+ check_mode: no
+ register: dnf_automatic_config_check
+ when:
+ - ansible_os_family | lower == 'redhat'
+ - ansible_pkg_mgr == 'dnf'
+ tags:
+ - always
+
+- name: Enable automatic package updates (dnf)
+ lineinfile:
+ dest: /etc/dnf/automatic.conf
+ regexp: "^apply_updates"
+ line: "apply_updates = yes"
+ state: present
+ when:
+ - ansible_os_family | lower == 'redhat'
+ - ansible_pkg_mgr == 'dnf'
+ - dnf_automatic_config_check.stat.exists | bool
+ - security_rhel7_automatic_package_updates | bool
+ tags:
+ - packages
+ - medium
+ - V-71999
+
+- name: Enable dnf-automatic timer for automatic package updates
+ systemd:
+ name: dnf-automatic.timer
+ enabled: yes
+ state: started
+ when:
+ - ansible_os_family | lower == 'redhat'
+ - ansible_pkg_mgr == 'dnf'
+ - dnf_automatic_config_check.stat.exists | bool
+ - security_rhel7_automatic_package_updates | bool
+ tags:
+ - packages
+ - medium
+ - V-71999
diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml
index 6e193926..36bc752f 100644
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
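Review bot: All three dnf tasks keep `ansible_pkg_mgr == 'dnf'` and `ansible_os_family | lower == 'redhat'` in their `when` lists, while the yum.yml and zypper.yml hunks in this same commit drop the package-manager guard on the assumption that each file is only included for its own manager; either the guard is redundant here too or yum.yml needs it back, but the three files should agree. The `lineinfile` on `/etc/dnf/automatic.conf` matches `^apply_updates` anywhere in the file and appends at end of file when there is no match, so the stat guard (file exists) does not guarantee the line lands in the right section; a comment above the task such as `# relies on automatic.conf shipping apply_updates in [commands]; lineinfile appends at EOF if the key is ever removed` would make that assumption visible. `- include: rpm.yml` is the plain `include` form; if the role targets Ansible versions that have it, `import_tasks` is the static equivalent and avoids the deprecation path — hedged, since the supported version range is not visible here.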
@@ -33,139 +33,3 @@
 - V-72233
 - V-72301
 - V-72307
-
-- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
- lineinfile:
- dest: "{{ pkg_mgr_config }}"
- regexp: "^(#)?clean_requirements_on_remove"
- line: "clean_requirements_on_remove=1"
- state: present
- when:
- - security_package_clean_on_remove | bool
- - ansible_os_family | lower == 'redhat'
- tags:
- - low
- - packages
- - V-71987
-
-- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
- lineinfile:
- dest: "{{ pkg_mgr_config }}"
- regexp: '^(#)?\s*solver\.cleandepsOnRemove'
- line: 'solver.cleandepsOnRemove = true'
- state: present
- when:
- - security_package_clean_on_remove | bool
- - ansible_pkg_mgr == 'zypper'
- tags:
- - low
- - packages
- - V-71987
-
-- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
- lineinfile:
- dest: /etc/apt/apt.conf.d/security-autoremove
- regexp: "^(#)?APT::Get::AutomaticRemove"
- line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
- state: present
- create: yes
- when:
- - security_package_clean_on_remove | bool
- - ansible_os_family | lower == 'debian'
- tags:
- - low
- - packages
- - V-71987
-
-- name: Check if /etc/yum/yum-cron.conf exists
- stat:
- path: /etc/yum/yum-cron.conf
- check_mode: no
- register: yum_cron_config_check
- when:
- - ansible_os_family | lower == 'redhat'
- - ansible_pkg_mgr == 'yum'
- tags:
- - always
-
-- name: Enable automatic package updates (yum)
- lineinfile:
- dest: /etc/yum/yum-cron.conf
- regexp: "^apply_updates"
- line: "apply_updates = yes"
- state: present
- when:
- - ansible_os_family | lower == 'redhat'
- - ansible_pkg_mgr == 'yum'
- - yum_cron_config_check.stat.exists | bool
- - security_rhel7_automatic_package_updates | bool
- tags:
- - packages
- - medium
- - V-71999
-
-- name: Check if /etc/dnf/automatic.conf exists
- stat:
- path: /etc/dnf/automatic.conf
- check_mode: no
- register: dnf_automatic_config_check
- when:
- - ansible_os_family | lower == 'redhat'
- - ansible_pkg_mgr == 'dnf'
- tags:
- - always
-
-- name: Enable automatic package updates (dnf)
- lineinfile:
- dest: /etc/dnf/automatic.conf
- regexp: "^apply_updates"
- line: "apply_updates = yes"
- state: present
- when:
- - ansible_os_family | lower == 'redhat'
- - ansible_pkg_mgr == 'dnf'
- - dnf_automatic_config_check.stat.exists | bool
- - security_rhel7_automatic_package_updates | bool
- tags:
- - packages
- - medium
- - V-71999
-
-- name: Enable dnf-automatic timer for automatic package updates
- systemd:
- name: dnf-automatic.timer
- enabled: yes
- state: started
- when:
- - ansible_os_family | lower == 'redhat'
- - ansible_pkg_mgr == 'dnf'
- - dnf_automatic_config_check.stat.exists | bool
- - security_rhel7_automatic_package_updates | bool
- tags:
- - packages
- - medium
- - V-71999
-
-- name: Enable automatic package updates (apt)
- copy:
- src: 20auto-upgrades
- dest: /etc/apt/apt.conf.d/20auto-upgrades
- when:
- - ansible_os_family | lower == 'debian'
- - security_rhel7_automatic_package_updates | bool
- tags:
- - packages
- - cat2
- - V-71999
-
-- name: Enable automatic package updates (SUSE)
- copy:
- src: zypper-autoupdates
- dest: /etc/cron.daily/zypper-autoupdates
- when:
- - ansible_pkg_mgr == 'zypper'
- - security_rhel7_automatic_package_updates | bool
- tags:
- - packages
- - cat2
- - V-71999
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
new file mode 100644
index 00000000..61b56014
--- /dev/null
+++ b/tasks/rhel7stig/rpm.yml
@@ -0,0 +1,85 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure RPM verification task has finished
+ async_status:
+ jid: "{{ rpmverify_task.ansible_job_id }}"
+ failed_when: False
+ changed_when: False
+ register: job_result
+ until: job_result.finished
+ retries: 30
+ when:
+ - not rpmverify_task | skipped
+
+- name: V-71855 - Get files with invalid checksums (rpm)
+ shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+ register: invalid_checksum_files
+ changed_when: False
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower == 'redhat'
+ tags:
+ - rpm
+ - high
+ - V-71855
+
+- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
+ debug:
+ msg: |
+ The following files have checksums that differ from the checksum provided
+ with their package. Each of these should be verified manually to ensure
+ they have not been modified by an unauthorized user.
+
+ {% for filename in invalid_checksum_files.stdout_lines %}
+ {{ filename }}
+ {% endfor %}
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower == 'redhat'
+ - invalid_checksum_files is defined
+ - invalid_checksum_files.stdout is defined
+ tags:
+ - rpm
+ - high
+ - V-71855
+
+- name: V-71977 - Require digital signatures for all packages
+ lineinfile:
+ dest: "{{ pkg_mgr_config }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ with_items: "{{ rpm_gpgchecks | default([]) }}"
+ tags:
+ - rpm
+ - high
+ - V-71977
+ - V-71979
+ - V-71981
+
+- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
+ lineinfile:
+ dest: "{{ pkg_mgr_config }}"
+ regexp: "^(#)?clean_requirements_on_remove"
+ line: "clean_requirements_on_remove=1"
+ state: present
+ when:
+ - security_package_clean_on_remove | bool
+ - ansible_os_family | lower == 'redhat'
+ tags:
+ - low
+ - packages
+ - V-71987
diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml
index ce1c845c..33bdb722 100644
--- a/tasks/rhel7stig/yum.yml
+++ b/tasks/rhel7stig/yum.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright 2016, Rackspace US, Inc.
+# Copyright 2017, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
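Review bot: In `Ensure RPM verification task has finished`, `failed_when: False` together with `until: job_result.finished` and `retries: 30` means that if the async verification job has not finished (or has failed) when the retries run out, the play carries on and the next task greps a `rpmverify.txt` that may be partial or absent, so the V-71855 report silently under-reports modified files; I would drop `failed_when: False` on that task, or add `- job_result.finished | bool` to the `when` of the grep task so the check is skipped loudly rather than reported as clean. The `with_items: "{{ rpm_gpgchecks | default([]) }}"` on the V-71977 task turns a high-severity signature check into a silent no-op when the variable is undefined; for this control a missing list should at least be asserted or logged rather than defaulted away. Minor: `awk '{ print $NF }'` keeps only the last whitespace-separated field, so any path containing a space is reported truncated — if that matters, strip the fixed-width status prefix of the verify output instead of taking the last field, after confirming the prefix width on the targeted rpm versions.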
@@ -13,59 +13,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Ensure RPM verification task has finished
- async_status:
- jid: "{{ rpmverify_task.ansible_job_id }}"
- failed_when: False
- changed_when: False
- register: job_result
- until: job_result.finished
- retries: 30
- when:
- - not rpmverify_task | skipped
+- include: rpm.yml
 
-- name: V-71855 - Get files with invalid checksums (rpm)
- shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
- register: invalid_checksum_files
- changed_when: False
+- name: Check if /etc/yum/yum-cron.conf exists
+ stat:
+ path: /etc/yum/yum-cron.conf
+ check_mode: no
+ register: yum_cron_config_check
 when:
- - not check_mode | bool
 - ansible_os_family | lower == 'redhat'
 tags:
- - rpm
- - high
- - V-71855
+ - always
 
-- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
- debug:
- msg: |
- The following files have checksums that differ from the checksum provided
- with their package. Each of these should be verified manually to ensure
- they have not been modified by an unauthorized user.
-
- {% for filename in invalid_checksum_files.stdout_lines %}
- {{ filename }}
- {% endfor %}
- when:
- - not check_mode | bool
- - ansible_os_family | lower == 'redhat'
- - invalid_checksum_files is defined
- - invalid_checksum_files.stdout is defined
- tags:
- - rpm
- - high
- - V-71855
-
-- name: V-71977 - Require digital signatures for all packages
+- name: Enable automatic package updates (yum)
 lineinfile:
- dest: "{{ pkg_mgr_config }}"
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
+ dest: /etc/yum/yum-cron.conf
+ regexp: "^apply_updates"
+ line: "apply_updates = yes"
 state: present
- with_items: "{{ rpm_gpgchecks | default([]) }}"
+ when:
+ - ansible_os_family | lower == 'redhat'
+ - yum_cron_config_check.stat.exists | bool
+ - security_rhel7_automatic_package_updates | bool
 tags:
- - rpm
- - high
- - V-71977
- - V-71979
- - V-71981
+ - packages
+ - medium
+ - V-71999
diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml
index 43b8f482..c71e1ce4 100644
--- a/tasks/rhel7stig/zypper.yml
+++ b/tasks/rhel7stig/zypper.yml
@@ -31,7 +31,6 @@
 changed_when: False
 when:
 - not check_mode | bool
- - ansible_pkg_mgr == 'zypper'
 tags:
 - rpm
 - high
@@ -49,7 +48,6 @@
 {% endfor %}
 when:
 - not check_mode | bool
- - ansible_pkg_mgr == 'zypper'
 - invalid_checksum_files is defined
 - invalid_checksum_files.stdout is defined
 tags:
@@ -77,3 +75,27 @@
 - V-71977
 - V-71979
 - V-71981
+
+- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
+ lineinfile:
+ dest: "{{ pkg_mgr_config }}"
+ regexp: '^(#)?\s*solver\.cleandepsOnRemove'
+ line: 'solver.cleandepsOnRemove = true'
+ state: present
+ when:
+ - security_package_clean_on_remove | bool
+ tags:
+ - low
+ - packages
+ - V-71987
+
+- name: Enable automatic package updates (SUSE)
+ copy:
+ src: zypper-autoupdates
+ dest: /etc/cron.daily/zypper-autoupdates
+ when:
+ - security_rhel7_automatic_package_updates | bool
+ tags:
+ - packages
+ - cat2
+ - V-71999
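Review bot: The new `Enable automatic package updates (yum)` task sets `apply_updates = yes` in `/etc/yum/yum-cron.conf` but, unlike the dnf.yml hunk in this commit which also enables and starts `dnf-automatic.timer`, nothing in this file ensures the `yum-cron` service is enabled and running, so on a host where the package is installed but the service is stopped the V-71999 setting has no effect while the task reports success. Unless that is handled elsewhere in the role, I would add a matching service task under the same `yum_cron_config_check.stat.exists` and `security_rhel7_automatic_package_updates` guards, as sketched below. The stat task also dropped its `ansible_pkg_mgr == 'yum'` guard while dnf.yml keeps the equivalent; that is fine if yum.yml is only ever included for yum, but a comment above `- include: rpm.yml` such as `# this file is only included when ansible_pkg_mgr == 'yum'` would record the assumption.
```yaml
# … unchanged: yum-cron.conf stat task and apply_updates lineinfile …

- name: Enable yum-cron service for automatic package updates
  service:
    name: yum-cron
    enabled: yes
    state: started
  when:
    - ansible_os_family | lower == 'redhat'
    - yum_cron_config_check.stat.exists | bool
    - security_rhel7_automatic_package_updates | bool
  tags:
    - packages
    - medium
    - V-71999
```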
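Review bot: `Enable automatic package updates (SUSE)` copies a script into `/etc/cron.daily/` without a `mode`, so the installed file's permissions depend on the copy module's default and the remote umask; if the result is not executable, cron's run-parts skips it silently and V-71999 is left unenforced while the task reports ok, so pin `mode: "0755"`, `owner: root` and `group: root` on the copy task. The task is also tagged `cat2` whereas the dnf and yum tasks for the same V-71999 control in this commit use `medium`, so a `--tags medium` run would enforce the control on RedHat but not SUSE; one severity vocabulary per control would keep that consistent.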