openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel7stig/misc.yml
Major Hayden 005fa52c66
Make login banner customizable 
This patch makes it easier for deployers to customize their login
banner and it also fixes some documentation bugs around how to
configure the graphical login banner.

Closes-bug: 1679749
Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c
2017-04-05 08:32:39 -05:00

409 lines
10 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check autofs service
command: systemctl status autofs
register: autofs_check
failed_when: autofs_check.rc not in [0,3,4]
changed_when: False
check_mode: no
tags:
- always
- name: V-71985 - File system automounter must be disabled unless required.
service:
name: autofs
state: stopped
enabled: no
when:
- autofs_check.rc not in [3,4]
- security_rhel7_disable_autofs | bool
tags:
- medium
- misc
- V-71985
# This returns an exit code of 0 if it's running, 3 if it's masked.
- name: Check if ctrl-alt-del.target is already masked
command: systemctl status ctrl-alt-del.target
register: cad_mask_check
check_mode: no
changed_when: False
failed_when: cad_mask_check.rc not in [0,3]
tags:
- always
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
command: systemctl mask ctrl-alt-del.target
when:
- security_rhel7_disable_ctrl_alt_delete | bool
- cad_mask_check.rc != 3
notify:
- reload systemd
tags:
- high
- misc
- V-71993
- name: Check for /home on mounted filesystem
debug:
msg: |
The STIG requires that /home is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- "{{ ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0 }}"
tags:
- low
- misc
- V-72059
- name: Check for /var on mounted filesystem
debug:
msg: |
The STIG requires that /var is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- "{{ ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0 }}"
tags:
- low
- misc
- V-72067
- name: Check for /var/log/audit on mounted filesystem
debug:
msg: |
The STIG requires that /var/log/audit is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- "{{ ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 }}"
tags:
- low
- misc
- V-72063
- name: Check for /tmp on mounted filesystem
debug:
msg: |
The STIG requires that /tmp is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- "{{ ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0 }}"
tags:
- low
- misc
- V-72065
- name: Check if syslog output is being sent to another server
command: 'grep "^[^#].*@" /etc/rsyslog.conf'
register: rsyslog_transmit_check
changed_when: False
failed_when: False
check_mode: no
tags:
- always
- name: V-72209 - The system must send rsyslog output to a log aggregation server.
debug:
msg: Output from syslog must be sent to another server.
when:
- rsyslog_transmit_check is defined
- rsyslog_transmit_check.rc != 0
tags:
- medium
- misc
- V-72209
- name: Check if ClamAV is installed
stat:
path: /usr/bin/clamdscan
register: clamav_install_check
changed_when: False
tags:
- always
- name: Remove 'Example' line from ClamAV configuration files
lineinfile:
dest: "{{ item }}"
regexp: "^Example"
state: absent
with_items:
- /etc/freshclam.conf
- /etc/clamd.d/scan.conf
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- V-72213
- name: Set ClamAV server type as socket
lineinfile:
dest: /etc/clamd.d/scan.conf
regexp: "^(#)?LocalSocket (.*)$"
line: 'LocalSocket \2'
backrefs: yes
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- V-72213
- name: Allow automatic freshclam updates
lineinfile:
dest: /etc/sysconfig/freshclam
regexp: "^FRESHCLAM_DELAY"
state: absent
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
notify:
- restart clamav
tags:
- misc
- V-72213
- name: Update ClamAV database
command: freshclam
changed_when: False
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
async: 300
poll: 5
tags:
- misc
- V-72213
- name: Ensure ClamAV is running
service:
name: "{{ clamav_service }}"
state: started
enabled: yes
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
tags:
- misc
- V-72213
- name: V-72223 - Set 10 minute timeout on communication sessions
blockinfile:
dest: /etc/profile
insertbefore: EOF
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
block: |
# Set a {{ security_rhel7_session_timeout }} second timeout for sessions
TMOUT={{ security_rhel7_session_timeout }}
readonly TMOUT
export TMOUT
tags:
- medium
- misc
- V-72223
- name: Start and enable chrony
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
when:
- not check_mode
- security_rhel7_enable_chrony | bool
tags:
- medium
- misc
- V-72269
- name: Check if chrony configuration file exists
stat:
path: "{{ chrony_conf_file }}"
register: chrony_conf_check
tags:
- always
- name: V-72269 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: "{{ chrony_conf_file }}"
when:
- chrony_conf_check.stat.exists
- security_rhel7_enable_chrony | bool
notify:
- restart chrony
tags:
- medium
- misc
- V-72269
# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
command: systemctl status firewalld
register: firewalld_status_check
failed_when: firewalld_status_check.rc not in [0,3,4]
changed_when: False
check_mode: no
tags:
- always
- name: Ensure firewalld is running and enabled
service:
name: firewalld
state: started
enabled: yes
when:
- firewalld_status_check.rc not in [3,4]
- security_enable_firewalld | bool
tags:
- medium
- misc
- V-72273
- name: Limit new TCP connections to 25/minute and allow bursting to 100
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
register: add_rate_limit_firewalld_rule
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
when:
- firewalld_status_check.rc != 3
- security_enable_firewalld_rate_limit | bool
tags:
- medium
- misc
- V-72271
# Linting checks need to be skipped because this command doesn't create any
# files.
- name: Count nameserver entries in /etc/resolv.conf
command: grep nameserver /etc/resolv.conf
register: nameserver_check
check_mode: no
changed_when: False
failed_when: False
tags:
- always
- skip_ansible_lint
- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
debug:
msg: |
Two or more nameservers must be configured in /etc/resolv.conf.
Nameservers found: {{ nameserver_check.stdout_lines | length }}
when:
- nameserver_check is defined
- nameserver_check.stdout_lines | length < 2
tags:
- low
- misc
- V-72281
- name: Check for interfaces in promiscuous mode
shell: "ip link | grep -i promisc"
register: promiscuous_interface_check
changed_when: False
failed_when: False
check_mode: no
tags:
- always
- name: V-72295 - Network interfaces must not be in promiscuous mode.
debug:
msg: >
One or more network interfaces were found to be in promiscuous mode.
Review all interfaces and disable promiscuous mode.
when:
- promiscuous_interface_check.rc == 0
tags:
- medium
- misc
- V-72295
- name: Check for postfix configuration file
stat:
path: /etc/postfix/main.cf
register: postfix_conf_check
tags:
- always
- name: V-72297 - Prevent unrestricted mail relaying
lineinfile:
dest: /etc/postfix/main.cf
regexp: '^smtpd_client_restrictions'
line: 'smtpd_client_restrictions = permit_mynetworks, reject'
when:
- postfix_conf_check.stat.exists
- security_rhel7_restrict_mail_relaying | bool
tags:
- medium
- misc
- V-72297
- name: Check for TFTP server configuration file
stat:
path: /etc/xinetd.d/tftp
register: tftp_config_check
check_mode: no
tags:
- always
- name: Check TFTP configuration mode
command: 'grep server_args /etc/xinetd.d/tftp'
register: tftp_secure_check
changed_when: False
failed_when: False
check_mode: no
when:
- tftp_config_check.stat.exists
tags:
- always
- name: V-72305 - TFTP must be configured to operate in secure mode
debug:
msg: TFTP must be configured to run in secure mode with the '-s' flag.
when:
- tftp_config_check.stat.exists
- "'-s' not in tftp_secure_check.stdout"
tags:
- medium
- misc
- V-72305
- name: Check to see if snmpd config contains public/private
shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
register: snmp_public_private_check
changed_when: False
failed_when: False
check_mode: no
tags:
- always
- name: V-72313 - Change SNMP community strings from default.
debug:
msg: >
Change the SNMP community strings from the defaults of 'public' and
'private' to meet the requirements of V-72313.
when:
- snmp_public_private_check.rc == 0
tags:
- high
- misc
- V-72313
View Git Blame Copy Permalink