openstack/ansible-hardening
Code Issues Proposed changes
964b1a5bd7
ansible-hardening/tasks/apt.yml
Major Hayden 1775dab3c9 Replace debug with fail 
Closes-bug: 1506185

Change-Id: I7d7c18d00eae1dac1a88e17c719d8603564bcc9a
2015-10-14 14:29:07 -05:00

60 lines
2.1 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Notes for V-38476 ###########################################################
#
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
# change or additional keys may be added in the future.
#
- name: Gather current GPG keys for apt (for V-38476)
command: apt-key list
register: v38476_result
changed_when: "v38476_result.rc != 0"
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
fail:
msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags:
- apt
- cat1
- V-38476
# Notes for V-38462 ###########################################################
#
# Ubuntu checks packages against GPG signatures by default. It can be turned
# off for all package installations by a setting in /etc/apt/apt.conf.d and we
# search for that here. Users can pass an argument on the apt command line
# to bypass the checks as well, but that's outside the scope of this check
# and remediation.
#
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
register: v38462_result
changed_when: False
tags:
- auth
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0"
tags:
- auth
- cat1
- V-38462
View Git Blame Copy Permalink