
This patch adds initial support for CentOS 7 and Ubuntu 16.04 to the security role. Documentation and tests still need updates in subsequent patches. Release notes are included. Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: V-38489 - Install AIDE (with apt)
|
|
apt:
|
|
name: aide
|
|
state: present
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat2
|
|
- V-38489
|
|
|
|
- name: V-38489 - Install AIDE (with yum)
|
|
yum:
|
|
name: aide
|
|
state: present
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat2
|
|
- V-38489
|
|
|
|
- name: Verify that AIDE configuration directory exists
|
|
stat:
|
|
path: /etc/aide/aide.conf.d
|
|
register: aide_conf
|
|
always_run: true
|
|
tags:
|
|
- always
|
|
|
|
- name: V-38489 - Exclude certain directories from AIDE and initialize DB
|
|
template:
|
|
src: ZZ_aide_exclusions.j2
|
|
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
|
|
when: aide_conf.stat.exists | bool
|
|
notify:
|
|
- initialize AIDE
|
|
tags:
|
|
- cat2
|
|
- V-38489
|
|
|
|
- name: Check for AIDE cron job (for V-38670)
|
|
stat:
|
|
path: /etc/cron.daily/aide
|
|
register: v38670_result
|
|
changed_when: False
|
|
tags:
|
|
- cat2
|
|
- V-38670
|
|
|
|
- name: V-38670 - System must detect unauthorized changes to software and information
|
|
fail:
|
|
msg: "FAILED: AIDE cron job is missing"
|
|
when:
|
|
- not check_mode
|
|
- v38670_result.stat.exists == False
|
|
tags:
|
|
- cat2
|
|
- V-38670
|
|
|
|
- name: Search for .netrc files (for V-38619)
|
|
shell: find /root /home -xdev -name .netrc | wc -l
|
|
register: v38619_result
|
|
changed_when: False
|
|
always_run: True
|
|
tags:
|
|
- cat2
|
|
- V-38619
|
|
|
|
- name: V-38619 - There must be no .netrc files on the system
|
|
fail:
|
|
msg: "FAILED: .netrc files found -- they must be removed"
|
|
when: v38619_result.stdout != '0'
|
|
tags:
|
|
- cat2
|
|
- V-38619
|
|
|
|
- name: V-38620 - Synchronize system clock (installing chrony with apt)
|
|
apt:
|
|
name: chrony
|
|
state: present
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat2
|
|
- V-38620
|
|
|
|
- name: V-38620 - Synchronize system clock (installing chrony with yum)
|
|
yum:
|
|
name: chrony
|
|
state: present
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat2
|
|
- V-38620
|
|
|
|
- name: V-38620 - Synchronize system clock (enable chrony)
|
|
service:
|
|
name: chrony
|
|
state: started
|
|
enabled: yes
|
|
when: not check_mode
|
|
tags:
|
|
- cat2
|
|
- V-38620
|
|
|
|
- name: Check for chrony.conf
|
|
stat:
|
|
path: /etc/chrony/chrony.conf
|
|
register: chrony_conf
|
|
tags:
|
|
- always
|
|
- V-38620
|
|
|
|
- name: V-38620 - Synchronize system clock (configuration file)
|
|
template:
|
|
src: chrony.conf.j2
|
|
dest: /etc/chrony/chrony.conf
|
|
when: chrony_conf.stat.exists | bool
|
|
notify:
|
|
- restart chrony
|
|
tags:
|
|
- cat2
|
|
- V-38620
|
|
|
|
# The STIG only requires that logrotate is installed and configured in cron.
|
|
# The openstack-ansible project will configure logs to be rotated weekly and
|
|
# compressed with each run. We won't change the interval here, but we will
|
|
# ensure that logrotate is installed (to meet the STIG requirement).
|
|
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
|
|
apt:
|
|
name: logrotate
|
|
state: present
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat3
|
|
- V-38624
|
|
|
|
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
|
|
yum:
|
|
name: logrotate
|
|
state: present
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat3
|
|
- V-38624
|
|
|
|
- name: Check for logrotate cron job (for V-38624)
|
|
stat:
|
|
path: /etc/cron.daily/logrotate
|
|
register: v38624_result
|
|
tags:
|
|
- cat3
|
|
- V-38624
|
|
|
|
- name: V-38624 - System logs must be rotated daily (verify cron job)
|
|
fail:
|
|
msg: "FAILED: Cron job for logrotate is missing"
|
|
when:
|
|
- not check_mode
|
|
- not v38624_result.stat.exists | bool
|
|
tags:
|
|
- cat3
|
|
- V-38624
|
|
|
|
- name: Check if samba is installed (for V-38656)
|
|
stat:
|
|
path: /etc/samba/smb.conf
|
|
register: v38656_result
|
|
changed_when: false
|
|
tags:
|
|
- cat3
|
|
- V-38656
|
|
|
|
- name: V-38656 - System must use SMB client signing
|
|
lineinfile:
|
|
dest: /etc/samba/smb.conf
|
|
regexp: "^(;)?client signing"
|
|
line: "client signing = mandatory"
|
|
insertafter: "############ Misc ############"
|
|
when: v38656_result.stat.exists | bool
|
|
notify:
|
|
- restart samba
|
|
tags:
|
|
- cat3
|
|
- V-38656
|
|
|
|
- name: Check if SNMP daemon is installed using dpkg (for V-38660)
|
|
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
|
|
register: v38660_snmpd_apt
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat2
|
|
- V-38660
|
|
|
|
- name: Check if SNMP daemon is installed using rpm (for V-38660)
|
|
shell: "rpm -qi net-snmp"
|
|
register: v38660_snmpd_rpm
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat2
|
|
- V-38660
|
|
|
|
- name: Set fact for SNMP being installed
|
|
set_fact:
|
|
snmpd_installed: True
|
|
when: |
|
|
(v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
|
|
(v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
|
|
|
|
# We shouldn't get any output from this grep since it looks for configuration
|
|
# lines for the SNMP v1 and v2c protocols.
|
|
- name: Check for insecure SNMP protocols (for V-38660)
|
|
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
|
|
register: v38660_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
when:
|
|
- snmpd_installed is defined
|
|
- snmpd_installed | bool
|
|
tags:
|
|
- cat2
|
|
- V-38660
|
|
|
|
- name: V-38660 - The snmpd service must only use SNMPv3 or newer
|
|
fail:
|
|
msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only"
|
|
when:
|
|
- not check_mode
|
|
- snmpd_installed is defined
|
|
- snmpd_installed | bool
|
|
- v38660_result.rc == 0
|
|
tags:
|
|
- cat2
|
|
- V-38660
|
|
|
|
- name: V-38675 - Process core dump must be disabled
|
|
lineinfile:
|
|
dest: /etc/security/limits.d/V-38675-coredump.conf
|
|
line: "* hard core 0"
|
|
create: yes
|
|
when: security_disable_core_dumps is defined
|
|
tags:
|
|
- cat3
|
|
- V-38675
|
|
|
|
- name: V-38684 - Maximum simultaneous logins per user
|
|
lineinfile:
|
|
dest: /etc/security/limits.d/V-38684-maxlogins.conf
|
|
line: "* hard maxlogins {{ security_max_simultaneous_logins }}"
|
|
create: yes
|
|
when: security_max_simultaneous_logins is defined
|
|
tags:
|
|
- cat3
|
|
- V-38684
|
|
|
|
- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
|
|
shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
|
|
register: v38599_vsftpd_apt
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat2
|
|
- cat3
|
|
- V-38599
|
|
- V-38702
|
|
|
|
- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
|
|
shell: "rpm -qi vsftpd"
|
|
register: v38599_vsftpd_rpm
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat2
|
|
- cat3
|
|
- V-38599
|
|
- V-38702
|
|
|
|
- name: Set fact for vsftpd being installed
|
|
set_fact:
|
|
vsftpd_installed: True
|
|
when: |
|
|
(v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
|
|
(v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
|
|
|
|
- name: Copy login banner (for V-38599)
|
|
copy:
|
|
src: login_banner.txt
|
|
dest: /etc/issue.net
|
|
when:
|
|
- vsftpd_installed is defined
|
|
- vsftpd_installed | bool
|
|
notify:
|
|
- restart vsftpd
|
|
tags:
|
|
- cat2
|
|
- V-38599
|
|
|
|
- name: V-38599 - Set warning banner for FTPS/FTP logins
|
|
lineinfile:
|
|
dest: "{{ vsftpd_conf_file }}"
|
|
regexp: "^(#)?banner_file"
|
|
line: "banner_file=/etc/issue.net"
|
|
when:
|
|
- vsftpd_installed is defined
|
|
- vsftpd_installed | bool
|
|
notify:
|
|
- restart vsftpd
|
|
tags:
|
|
- cat2
|
|
- V-38599
|
|
|
|
- name: V-38702 - Enable xferlog
|
|
lineinfile:
|
|
dest: "{{ vsftpd_conf_file }}"
|
|
regexp: "^(#)?xferlog_enable"
|
|
line: "xferlog_enable=YES"
|
|
when:
|
|
- vsftpd_installed is defined
|
|
- vsftpd_installed | bool
|
|
notify:
|
|
- restart vsftpd
|
|
tags:
|
|
- cat3
|
|
- V-38702
|
|
|
|
- name: V-38702 - Disable xferlog_std_format
|
|
lineinfile:
|
|
dest: "{{ vsftpd_conf_file }}"
|
|
regexp: "^(#)?xferlog_std_format"
|
|
line: "xferlog_std_format=NO"
|
|
when:
|
|
- vsftpd_installed is defined
|
|
- vsftpd_installed | bool
|
|
notify:
|
|
- restart vsftpd
|
|
tags:
|
|
- cat3
|
|
- V-38702
|
|
|
|
- name: V-38702 - Enable log_ftp_protocol
|
|
lineinfile:
|
|
dest: "{{ vsftpd_conf_file }}"
|
|
regexp: "^(#)?log_ftp_protocol"
|
|
line: "log_ftp_protocol=YES"
|
|
when:
|
|
- vsftpd_installed is defined
|
|
- vsftpd_installed | bool
|
|
notify:
|
|
- restart vsftpd
|
|
tags:
|
|
- cat3
|
|
- V-38702
|
|
|
|
- name: Check for default runlevel (for V-38674)
|
|
shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
|
|
register: v38674_result
|
|
changed_when: False
|
|
always_run: True
|
|
when: not systemd_running | bool
|
|
tags:
|
|
- cat2
|
|
- V-38674
|
|
|
|
- name: V-38674 - X Windows must not be enabled
|
|
fail:
|
|
msg: "FAILED: Default runlevel should be 2 (no X windows)"
|
|
when:
|
|
- not systemd_running | bool
|
|
- v38674_result.rc != 0
|
|
tags:
|
|
- cat2
|
|
- V-38674
|
|
|
|
- name: Check if systemd is configured to load the graphical target
|
|
shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'"
|
|
register: v38674_result
|
|
always_run: True
|
|
failed_when: v38674_result.rc > 1
|
|
when: systemd_running | bool
|
|
tags:
|
|
- cat2
|
|
- V-38674
|
|
|
|
- name: V-38674 - X Windows must not be enabled
|
|
fail:
|
|
msg: "FAILED: Graphical target must not be enabled in systemd."
|
|
when:
|
|
- systemd_running | bool
|
|
- v38674_result.rc == 0
|
|
tags:
|
|
- cat2
|
|
- V-38674
|
|
|
|
- name: Check if AppArmor is running (for V-51337)
|
|
shell: "apparmor_status 2>&1 | head -n 1"
|
|
register: v51337_result
|
|
changed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'apt'
|
|
tags:
|
|
- cat2
|
|
- V-51337
|
|
|
|
- name: V-51337 - The system must use a Linux Security Module at boot time
|
|
fail:
|
|
msg: "FAILED: AppArmor isn't enabled"
|
|
when:
|
|
- ansible_pkg_mgr == 'apt'
|
|
- "'apparmor module is loaded' not in v51337_result.stdout"
|
|
tags:
|
|
- cat2
|
|
- V-51337
|
|
|
|
|
|
- name: Check if SELinux is enforcing (for V-51337)
|
|
command: getenforce
|
|
register: v51337_result
|
|
changed_when: False
|
|
always_run: True
|
|
when: ansible_pkg_mgr == 'yum'
|
|
tags:
|
|
- cat2
|
|
- V-51337
|
|
|
|
- name: V-51337 - The system must use a Linux Security Module at boot time
|
|
fail:
|
|
msg: "FAILED: SELinux is not in enforcing mode."
|
|
when:
|
|
- ansible_pkg_mgr == 'yum'
|
|
- "'Enforcing' not in v51337_result.stdout"
|
|
tags:
|
|
- cat2
|
|
- V-51337
|
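Review bot: The V-38620 tasks still carry Debian/Ubuntu names on both package managers: the service task enables `name: chrony` and the stat/template pair keys off `/etc/chrony/chrony.conf`, whereas on CentOS 7 the unit is `chronyd` and the configuration file is `/etc/chrony.conf`, so the service task would likely error out there and the time-source template would be silently skipped by the `chrony_conf.stat.exists` guard. Consider choosing the service name and config path from the facts, e.g. `name: "{{ (ansible_pkg_mgr == 'yum') | ternary('chronyd', 'chrony') }}"`, and applying the same switch to the stat path and template `dest`. The same Debian assumption reaches the V-38670 check: the stat on `/etc/cron.daily/aide` has no package-manager guard, so the following `fail` would trigger on every yum host unless the aide package there ships that cron job, which is worth confirming before this lands. Separately, the V-38675 condition `when: security_disable_core_dumps is defined` is also satisfied by an explicit `false`; if that variable is a boolean toggle, `when: security_disable_core_dumps | bool` expresses the intent.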