openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel6stig/apt.yml
Ravi Kumar Boyapati b840612551 Fix the regex 
Fixed the regex checking for config files containing AllowUnauthenticated
in apt config directory

Change-Id: I5422e1cfd0c532cd16d060c3ac384a2ca7ffbef3
2017-02-10 16:49:58 -05:00

130 lines
4.1 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Update apt if needed
apt:
update_cache: yes
cache_valid_time: "{{ cache_timeout }}"
tags:
- auditd-apt-packages
# Notes for V-38476 ###########################################################
#
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
# change or additional keys may be added in the future.
#
- name: Gather current GPG keys for apt (for V-38476)
command: apt-key list
register: v38476_result
changed_when: "v38476_result.rc != 0"
check_mode: no
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
fail:
msg: "Missing Ubuntu Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags:
- package
- cat1
- V-38476
# Notes for V-38462 ###########################################################
#
# Ubuntu checks packages against GPG signatures by default. It can be turned
# off for all package installations by a setting in /etc/apt/apt.conf.d and we
# search for that here. Users can pass an argument on the apt command line
# to bypass the checks as well, but that's outside the scope of this check
# and remediation.
#
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
register: v38462_result
changed_when: False
failed_when: False
check_mode: no
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: Install unattended-upgrades package (for V-38481)
apt:
name: unattended-upgrades
state: "{{ security_package_state }}"
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: Enable unattended upgrades notifications (for V-38481)
lineinfile:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
line: 'Unattended-Upgrade::Mail "root";'
create: yes
when:
- security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool
tags:
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
apt:
name: "{{ stig_packages | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
state: "{{ item }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | map(attribute='state') | unique | list }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38637 # install: debsums
- V-38669 # install: postfix
- V-51337 # install: apparmor
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
View Git Blame Copy Permalink