0c0767b3f1
This patch begins the teardown of the RHEL 6 STIG content from the ansible-hardening repository. It will still be maintained in Pike and earlier branches. This patch also updates the ansible-hardening documentation for the Queens release and notes that Pike is the latest stable version. Closes-Bug: 1715745 Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
64 lines
2.4 KiB
YAML
64 lines
2.4 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
pre_tasks:
|
|
- name: Ensure apt cache is updated before testing
|
|
apt:
|
|
update_cache: yes
|
|
cache_valid_time: "{{ cache_timeout }}"
|
|
when: ansible_pkg_mgr == 'apt'
|
|
changed_when: False
|
|
- name: Ensure OpenStack CI image has a logrotate cron job
|
|
file:
|
|
path: /etc/cron.daily/logrotate
|
|
state: touch
|
|
when: ansible_os_family == 'RedHat'
|
|
changed_when: False
|
|
- name: Install dconf package to test graphical session locks
|
|
package:
|
|
name: dconf
|
|
state: installed
|
|
when: ansible_os_family == 'RedHat'
|
|
changed_when: False
|
|
roles:
|
|
- role: "ansible-hardening"
|
|
vars:
|
|
security_disable_account_if_password_expires: yes
|
|
security_enable_firewalld: yes
|
|
security_pwquality_apply_rules: yes
|
|
security_enable_pwquality_password_set: yes
|
|
security_lock_session: yes
|
|
security_pwquality_require_minimum_password_length: yes
|
|
security_package_clean_on_remove: yes
|
|
security_pam_faillock_enable: yes
|
|
security_password_remember_password: 5
|
|
security_reset_perm_ownership: yes
|
|
security_require_grub_authentication: yes
|
|
security_rhel7_automatic_package_updates: yes
|
|
security_rhel7_initialize_aide: yes
|
|
security_rhel7_remove_shosts_files: yes
|
|
security_search_for_invalid_owner: yes
|
|
security_search_for_invalid_group_owner: yes
|
|
security_set_minimum_password_lifetime: yes
|
|
security_unattended_upgrades_enabled: yes
|
|
security_unattended_upgrades_notifications: yes
|
|
# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
|
|
# to be some work done to figure out how to install EPEL for use with
|
|
# this role without causing disruptions on the system.
|
|
security_enable_virus_scanner: no
|
|
security_run_virus_scanner_update: no
|