4e9a8a1d6a
This patch sets up the security role so that it applies cleanly to systems running Debian 8. Change-Id: I15f003b8f57922b354143a86ccb34df77759e723
100 lines
2.8 KiB
YAML
100 lines
2.8 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Add or remove packages based on STIG requirements
|
|
package:
|
|
name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
|
|
state: "{{ item }}"
|
|
with_items:
|
|
- "{{ stig_packages_rhel7 | selectattr('enabled') | map(attribute='state') | unique | list }}"
|
|
tags:
|
|
- cat1
|
|
- auth
|
|
- packages
|
|
- services
|
|
- V-71897
|
|
- V-71967
|
|
- V-71969
|
|
- V-72067
|
|
- V-72077
|
|
- V-72213
|
|
- V-72233
|
|
- V-72301
|
|
- V-72307
|
|
|
|
- name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
|
|
lineinfile:
|
|
dest: /etc/yum.conf
|
|
regexp: "^(#)?clean_requirements_on_remove"
|
|
line: "clean_requirements_on_remove=1"
|
|
state: present
|
|
when:
|
|
- security_package_clean_on_remove | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
tags:
|
|
- low
|
|
- packages
|
|
- V-71987
|
|
|
|
- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
|
|
lineinfile:
|
|
dest: /etc/apt/apt.conf.d/security-autoremove
|
|
regexp: "^(#)?APT::Get::AutomaticRemove"
|
|
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
|
|
state: present
|
|
create: yes
|
|
when:
|
|
- security_package_clean_on_remove | bool
|
|
- ansible_os_family | lower == 'debian'
|
|
tags:
|
|
- low
|
|
- packages
|
|
- V-71987
|
|
|
|
- name: Check if /etc/yum/yum-cron.conf exists
|
|
stat:
|
|
path: /etc/yum/yum-cron.conf
|
|
check_mode: no
|
|
register: yum_cron_config_check
|
|
tags:
|
|
- always
|
|
|
|
- name: V-71999 - System security patches and updates must be installed and up to date. (yum)
|
|
lineinfile:
|
|
dest: /etc/yum/yum-cron.conf
|
|
regexp: "^apply_updates"
|
|
line: "apply_updates = yes"
|
|
state: present
|
|
when:
|
|
- ansible_os_family | lower == 'redhat'
|
|
- yum_cron_config_check.stat.exists | bool
|
|
- security_rhel7_automatic_package_updates | bool
|
|
tags:
|
|
- packages
|
|
- medium
|
|
- V-71999
|
|
|
|
- name: V-71999 - System security patches and updates must be installed and up to date. (apt)
|
|
copy:
|
|
src: 20auto-upgrades
|
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
when:
|
|
- ansible_os_family | lower == 'debian'
|
|
- security_rhel7_automatic_package_updates | bool
|
|
tags:
|
|
- packages
|
|
- cat2
|
|
- V-71999
|