openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel6stig/rpm.yml
Major Hayden ea8a0f04b1 Remove groupby filter to avoid bug 
This patch adjusts the package installation/removal tasks to get around
a bug. Jinja2 now returns namedtuples with the groupby filter and
Ansible is unable to convert that to a usable variable data type with
AST.

Jinja2 bug: pallets/jinja#654
Ansible bug: ansible/ansible#20098
Related-Bug: 1655397
Change-Id: I3ce764bfb643bda58c4b6ad282e71c312f41465e
2017-01-11 08:51:15 -06:00

126 lines
3.6 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
check_mode: no
when:
- ansible_distribution == 'CentOS'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS)
fail:
msg: "Missing CentOS 7 GPG keys"
when:
- ansible_distribution == 'CentOS'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476)
command: "rpm -qi {{ item }}"
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
check_mode: no
with_items:
- gpg-pubkey-fd431d51-4ae0493b
- gpg-pubkey-2fa658e0-45700c69
when:
- ansible_distribution == 'RedHat'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Red Hat Enterprise Linux)
fail:
msg: "Missing Red Hat Enterprise Linux 7 GPG keys"
when:
- ansible_distribution == 'RedHat'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Search for yum repositories with GPG checks disabled
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
register: v38462_result
changed_when: False
failed_when: False
check_mode: no
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
yum:
name: "{{ stig_packages | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
state: "{{ item }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | map(attribute='state') | unique | list }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38481 # install: yum-cron
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38669 # install: postfix
- V-51337 # install: SELinux
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
View Git Blame Copy Permalink