
The `systemctl status` commands now return a code of `4` instead of `3` when the systemd unit isn't found. This patch adds checks for those. A packaging bug[0] causes `yum-cron` installations to fail. The unattended upgrade tasks are now skipped for CentOS 7 until a better workaround can be found. The auditd daemon now resets file permissions on its log directory each time it restarts and that breaks the idempotence tests. That task now has "changed_when: False". These patches should unblock the security role gate. [0] https://bugzilla.redhat.com/show_bug.cgi?id=1293713 Change-Id: I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: V-38443 - The /etc/gshadow file must be owned by root
|
|
file:
|
|
dest: /etc/gshadow
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38443
|
|
|
|
- name: V-38448 - The /etc/gshadow file must be group-owned by root
|
|
file:
|
|
dest: /etc/gshadow
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38448
|
|
|
|
- name: V-38449 - The /etc/gshadow file must have mode 0000
|
|
file:
|
|
dest: /etc/gshadow
|
|
mode: 0000
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38449
|
|
|
|
- name: V-38458 - The /etc/group file must be owned by root
|
|
file:
|
|
dest: /etc/group
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38458
|
|
|
|
- name: V-38459 - The /etc/group file must be group-owned by root
|
|
file:
|
|
dest: /etc/group
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38459
|
|
|
|
- name: V-38461 - The /etc/group file must have mode 0644 or less
|
|
file:
|
|
dest: /etc/group
|
|
mode: 0644
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38461
|
|
|
|
# NOTE(mhayden): The log directory permissions change each time auditd is
|
|
# restarted. This causes the idempotent checks to fail and that's why there is
|
|
# a 'changed_when: False' on this task.
|
|
- name: V-38493 - Audit log directories must have mode 0755 or less
|
|
file:
|
|
dest: /var/log/audit/
|
|
state: directory
|
|
mode: 0750
|
|
changed_when: False
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38493
|
|
|
|
- name: V-38502 - The /etc/shadow file must be owned by root
|
|
file:
|
|
dest: /etc/shadow
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38502
|
|
|
|
- name: V-38503 - The /etc/shadow file must be group-owned by root
|
|
file:
|
|
dest: /etc/shadow
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38503
|
|
|
|
- name: V-38504 - The /etc/shadow file must have mode 0000
|
|
file:
|
|
dest: /etc/shadow
|
|
mode: 0000
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38504
|
|
|
|
# This change will go into effect on the next log rotation.
|
|
- name: V-38623 - All rsyslog-generated files must have mode 0600 or less
|
|
lineinfile:
|
|
dest: /etc/rsyslog.conf
|
|
regexp: "^(#)?\\$FileCreateMode"
|
|
line: "$FileCreateMode 0600"
|
|
notify:
|
|
- restart rsyslog
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38623
|
|
|
|
# BEGIN: UMASK ADJUSTMENTS ####################################################
|
|
# Please read the documentation and the comments in defaults/main.yml prior
|
|
# to making any umask-related changes.
|
|
|
|
# Ubuntu 14.04's default umask in /etc/init.d/rc is 022 already.
|
|
- name: V-38642 - System default umask for daemons must be 027 or 022
|
|
lineinfile:
|
|
dest: /etc/init.d/rc
|
|
regexp: "^umask "
|
|
line: "umask {{ security_umask_daemons_init }}"
|
|
when: security_umask_daemons_init is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38642
|
|
|
|
# Ubuntu 14.04's default umask in /etc/login.defs is 022
|
|
- name: V-38645 - System default umask in /etc/login.defs must be 077
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^UMASK"
|
|
line: "UMASK {{ security_umask_login_defs }}"
|
|
when: security_umask_login_defs is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38645
|
|
|
|
# Ubuntu 14.04 and openstack-ansible don't install csh by default. We will
|
|
# check if csh is installed and then apply the umask setting if needed.
|
|
- name: Check if csh is installed (for V-38649)
|
|
shell: dpkg --status csh | grep ^Status | grep "ok installed"
|
|
register: v38649_result
|
|
changed_when: False
|
|
failed_when: False
|
|
when: security_umask_csh is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38649
|
|
|
|
- name: V-38649 - System default umask for csh must be 077
|
|
lineinfile:
|
|
dest: /etc/csh.cshrc
|
|
regexp: "^(#)?umask"
|
|
line: "umask {{ security_umask_csh }}"
|
|
create: yes
|
|
when: security_umask_csh is defined and v38649_result.rc == 0
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38649
|
|
|
|
- name: V-38651 - System default umask for bash must be 077
|
|
lineinfile:
|
|
dest: /etc/bash.bashrc
|
|
regexp: "^(#)?umask"
|
|
line: "umask {{ security_umask_bash }}"
|
|
when: security_umask_bash is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38651
|
|
|
|
# END: UMASK ADJUSTMENTS ######################################################
|
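Review bot: The V-38642 and V-38651 lineinfile tasks target `dest: /etc/init.d/rc` and `dest: /etc/bash.bashrc` with no `create:` option, so lineinfile fails outright on any host where those files are absent, and the commit message brings CentOS 7 into the gate where those Debian/Ubuntu paths presumably do not exist. Creating the files there would be wrong for a systemd host, so a distribution guard looks like the safer fix, e.g. `when: security_umask_daemons_init is defined and ansible_os_family == 'Debian'` on V-38642 and the matching guard on V-38651; the csh check already survives on CentOS only because of `failed_when: False`. Separately, the file modes are written as unquoted octal integers (`mode: 0000`, `mode: 0644`, `mode: 0750`); PyYAML reads the leading-zero form as octal so they currently work, but a dropped leading zero would silently become a decimal mode, so quoting them as `mode: "0644"` makes the intent explicit and matches Ansible's own recommendation.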