--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-38443 - The /etc/gshadow file must be owned by root file: dest: /etc/gshadow owner: root tags: - file_perms - cat2 - V-38443 - name: V-38448 - The /etc/gshadow file must be group-owned by root file: dest: /etc/gshadow group: root tags: - file_perms - cat2 - V-38448 - name: V-38449 - The /etc/gshadow file must have mode 0000 file: dest: /etc/gshadow mode: 0000 tags: - file_perms - cat2 - V-38449 - name: V-38458 - The /etc/group file must be owned by root file: dest: /etc/group owner: root tags: - file_perms - cat2 - V-38458 - name: V-38459 - The /etc/group file must be group-owned by root file: dest: /etc/group group: root tags: - file_perms - cat2 - V-38459 - name: V-38461 - The /etc/group file must have mode 0644 or less file: dest: /etc/group mode: 0644 tags: - file_perms - cat2 - V-38461 # NOTE(mhayden): The log directory permissions change each time auditd is # restarted. This causes the idempotent checks to fail and that's why there is # a 'changed_when: False' on this task. - name: V-38493 - Audit log directories must have mode 0755 or less file: dest: /var/log/audit/ state: directory mode: 0750 changed_when: False tags: - file_perms - cat2 - V-38493 - name: V-38502 - The /etc/shadow file must be owned by root file: dest: /etc/shadow owner: root tags: - file_perms - cat2 - V-38502 - name: V-38503 - The /etc/shadow file must be group-owned by root file: dest: /etc/shadow group: root tags: - file_perms - cat2 - V-38503 - name: V-38504 - The /etc/shadow file must have mode 0000 file: dest: /etc/shadow mode: 0000 tags: - file_perms - cat2 - V-38504 # This change will go into effect on the next log rotation. - name: V-38623 - All rsyslog-generated files must have mode 0600 or less lineinfile: dest: /etc/rsyslog.conf regexp: "^(#)?\\$FileCreateMode" line: "$FileCreateMode 0600" notify: - restart rsyslog tags: - file_perms - cat2 - V-38623 # BEGIN: UMASK ADJUSTMENTS #################################################### # Please read the documentation and the comments in defaults/main.yml prior # to making any umask-related changes. # Ubuntu 14.04 and CentOS 7 both have a default umask set to 022 already. - name: V-38642 - System default umask for daemons must be 027 or 022 lineinfile: dest: "{{ daemon_init_params_file }}" regexp: "^umask " line: "umask {{ security_umask_daemons_init }}" when: security_umask_daemons_init is defined tags: - file_perms - cat3 - V-38642 # Ubuntu 14.04's default umask in /etc/login.defs is 022 - name: V-38645 - System default umask in /etc/login.defs must be 077 lineinfile: dest: /etc/login.defs regexp: "^UMASK" line: "UMASK {{ security_umask_login_defs }}" when: security_umask_login_defs is defined tags: - file_perms - cat3 - V-38645 # Ubuntu 14.04 and openstack-ansible don't install csh by default. We will # check if csh is installed and then apply the umask setting if needed. - name: Check if csh is installed (for V-38649) shell: dpkg --status csh | grep ^Status | grep "ok installed" register: v38649_result changed_when: False failed_when: False when: security_umask_csh is defined tags: - file_perms - cat3 - V-38649 - name: V-38649 - System default umask for csh must be 077 lineinfile: dest: /etc/csh.cshrc regexp: "^(#)?umask" line: "umask {{ security_umask_csh }}" create: yes when: security_umask_csh is defined and v38649_result.rc == 0 tags: - file_perms - cat3 - V-38649 - name: V-38651 - System default umask for bash must be 077 lineinfile: dest: /etc/bash.bashrc regexp: "^(#)?umask" line: "umask {{ security_umask_bash }}" when: security_umask_bash is defined tags: - file_perms - cat3 - V-38651 # END: UMASK ADJUSTMENTS ######################################################