openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel6stig/misc.yml
Jimmy McCrory 209ce55e56 Add missing STIG ID tags 
The 'Set fact for SNMP being installed' and 'Set fact for vsftpd being
installed' tasks rely on variables being registered by other tasks. If
those other tasks are skipped by tag, Ansible can fail with an undefined
variable error. Add the appropriate STIG ID tags to these set_fact tasks
to include them when skipping by tags.

Change-Id: If6345d7095676cc703140ab95d60a5383a5ebef0
2017-03-04 23:49:23 -08:00

340 lines
8.1 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38670 - System must detect unauthorized changes to software and information
fail:
msg: "AIDE cron job is missing"
when:
- not check_mode
- v38670_result.stat.exists == False
tags:
- cat2
- V-38670
- name: Search for .netrc files (for V-38619)
shell: find /root /home -xdev -name .netrc | wc -l
register: v38619_result
changed_when: False
check_mode: no
tags:
- cat2
- V-38619
- name: V-38619 - There must be no .netrc files on the system
fail:
msg: ".netrc files found -- they must be removed"
when: v38619_result.stdout != '0'
tags:
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (enable chrony)
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
when:
- not check_mode
- security_enable_chrony | bool
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: "{{ chrony_conf_file }}"
when:
- not check_mode
- security_enable_chrony | bool
notify:
- restart chrony
tags:
- cat2
- V-38620
- name: Check for logrotate cron job (for V-38624)
stat:
path: /etc/cron.daily/logrotate
register: v38624_result
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (verify cron job)
fail:
msg: "Cron job for logrotate is missing"
when:
- not check_mode
- not v38624_result.stat.exists | bool
tags:
- cat3
- V-38624
- name: Check if samba is installed (for V-38656)
stat:
path: /etc/samba/smb.conf
register: v38656_result
changed_when: false
tags:
- cat3
- V-38656
- name: V-38656 - System must use SMB client signing
lineinfile:
dest: /etc/samba/smb.conf
regexp: "^(;)?client signing"
line: "client signing = mandatory"
insertafter: "############ Misc ############"
when: v38656_result.stat.exists | bool
notify:
- restart samba
tags:
- cat3
- V-38656
- name: Check if SNMP daemon is installed using dpkg (for V-38660)
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
register: v38660_snmpd_apt
changed_when: False
failed_when: False
check_mode: no
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38660
- name: Check if SNMP daemon is installed using rpm (for V-38660)
shell: "rpm -qi net-snmp"
register: v38660_snmpd_rpm
changed_when: False
failed_when: False
check_mode: no
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38660
- skip_ansible_lint
- name: Set fact for SNMP being installed
set_fact:
snmpd_installed: True
when: |
(v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
(v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
tags:
- cat2
- V-38660
# We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols.
- name: Check for insecure SNMP protocols (for V-38660)
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
register: v38660_result
changed_when: False
failed_when: False
check_mode: no
when:
- snmpd_installed is defined
- snmpd_installed | bool
tags:
- cat2
- V-38660
- name: V-38660 - The snmpd service must only use SNMPv3 or newer
fail:
msg: "Insecure SNMP configuration found -- use SNMPv3 only"
when:
- not check_mode
- snmpd_installed is defined
- snmpd_installed | bool
- v38660_result.rc == 0
tags:
- cat2
- V-38660
- name: V-38675 - Process core dump must be disabled
lineinfile:
dest: /etc/security/limits.d/V-38675-coredump.conf
line: "* hard core 0"
create: yes
when: security_disable_core_dumps is defined
tags:
- cat3
- V-38675
- name: V-38684 - Maximum simultaneous logins per user
lineinfile:
dest: /etc/security/limits.d/V-38684-maxlogins.conf
line: "* hard maxlogins {{ security_max_simultaneous_logins }}"
create: yes
when: security_max_simultaneous_logins is defined
tags:
- cat3
- V-38684
- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
register: v38599_vsftpd_apt
changed_when: False
failed_when: False
check_mode: no
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
shell: "rpm -qi vsftpd"
register: v38599_vsftpd_rpm
changed_when: False
failed_when: False
check_mode: no
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- cat3
- V-38599
- V-38702
- skip_ansible_lint
- name: Set fact for vsftpd being installed
set_fact:
vsftpd_installed: True
when: |
(v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
(v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Copy login banner (for V-38599)
copy:
src: login_banner.txt
dest: /etc/issue.net
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat2
- V-38599
- name: V-38599 - Set warning banner for FTPS/FTP logins
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?banner_file"
line: "banner_file=/etc/issue.net"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat2
- V-38599
- name: V-38702 - Enable xferlog
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_enable"
line: "xferlog_enable=YES"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Disable xferlog_std_format
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_std_format"
line: "xferlog_std_format=NO"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Enable log_ftp_protocol
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?log_ftp_protocol"
line: "log_ftp_protocol=YES"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38674 - X Windows must not be enabled (upstart)
lineinfile:
dest: /etc/init/rc-sysinit.conf
regexp: "^env DEFAULT_RUNLEVEL"
line: "env DEFAULT_RUNLEVEL=2"
when:
- security_disable_x_windows | bool
- ansible_service_mgr != 'systemd'
tags:
- cat2
- V-38674
- name: V-38674 - X Windows must not be enabled (systemd)
command: "systemctl set-default multi-user.target"
register: systemctl_default_target
changed_when: "'Created symlink' in systemctl_default_target.stdout"
when:
- security_disable_x_windows | bool
- ansible_service_mgr == 'systemd'
tags:
- cat2
- V-38674
- name: Check for unlabeled device files (for V-51379)
command: "find /dev -context '*unlabeled_t*'"
register: v51379_unlabeled_devices
changed_when: False
check_mode: no
when:
- ansible_os_family == 'RedHat'
tags:
- cat1
- V-51379
- name: V-51379 - All device files must be monitored by the Linux Security Module
fail:
msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
when:
- ansible_os_family == 'RedHat'
- v51379_unlabeled_devices.stdout is defined
- v51379_unlabeled_devices.stdout | length > 0
tags:
- cat1
- V-51379
View Git Blame Copy Permalink