From c774a1fb24210eb4943515cd701b79bc490935e1 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Thu, 13 Feb 2025 07:46:41 +0100 Subject: [PATCH] Auto-fix yaml rules In order to reduce divergance with ansible-lint rules, we apply auto-fixing of violations. In current patch we replace all kind of truthy variables with `true` or `false` values to align with recommendations along with alignment of used quotes. Change-Id: I10eaed0d5f7b2a02379d9708da04ef26c31fba5e --- .ansible-lint | 2 +- .gitignore | 1 + defaults/main.yml | 327 ++++++++++++++++---------------- examples/playbook.yml | 2 +- tasks/main.yml | 2 +- tasks/rhel7stig/accounts.yml | 24 +-- tasks/rhel7stig/aide.yml | 10 +- tasks/rhel7stig/apt.yml | 14 +- tasks/rhel7stig/async_tasks.yml | 13 +- tasks/rhel7stig/auditd.yml | 10 +- tasks/rhel7stig/auth.yml | 48 ++--- tasks/rhel7stig/dnf.yml | 8 +- tasks/rhel7stig/file_perms.yml | 10 +- tasks/rhel7stig/graphical.yml | 2 +- tasks/rhel7stig/kernel.yml | 16 +- tasks/rhel7stig/lsm.yml | 10 +- tasks/rhel7stig/main.yml | 8 +- tasks/rhel7stig/misc.yml | 72 +++---- tasks/rhel7stig/rpm.yml | 6 +- tasks/rhel7stig/sshd.yml | 14 +- tasks/rhel7stig/yum.yml | 2 +- tasks/rhel7stig/zypper.yml | 12 +- vars/debian.yml | 2 +- vars/main.yml | 108 +++++------ vars/redhat-7.yml | 4 +- vars/redhat-8.yml | 4 +- vars/redhat-9.yml | 4 +- vars/suse.yml | 4 +- zuul.d/project.yaml | 1 + 29 files changed, 371 insertions(+), 369 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index b0c6b0ae..98e59fb4 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,4 +1,4 @@ --- skip_list: - - '106' + - "106" diff --git a/.gitignore b/.gitignore index 3a772066..c46a9ec6 100644 --- a/.gitignore +++ b/.gitignore @@ -45,6 +45,7 @@ logs/* # OS generated files # ###################### ._* +.ansible .tox *.egg-info .eggs diff --git a/defaults/main.yml b/defaults/main.yml index 8c2ed9ee..82e26743 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -39,7 +39,7 @@ security_package_state: present # Set the following variable to `no` to prevent the EPEL repository from being # installed by the role. This may prevent certain packages from installing, # such as ClamAV. -security_epel_install_repository: yes +security_epel_install_repository: true # # Some deployers install a customized EPEL package that redirects servers to # their internal EPEL mirrors. Provide the name of the EPEL repository package @@ -62,13 +62,13 @@ security_epel_release_package: epel-release ## Accounts (accounts) # Set minimum password lifetime to 1 day for interactive accounts. -security_set_minimum_password_lifetime: no # V-71927 -security_set_maximum_password_lifetime: no # V-71931 +security_set_minimum_password_lifetime: false # V-71927 +security_set_maximum_password_lifetime: false # V-71931 ## AIDE (aide) # Initialize the AIDE database immediately (may take time). -security_rhel7_initialize_aide: no # V-71973 -security_rhel7_enable_aide: yes +security_rhel7_initialize_aide: false # V-71973 +security_rhel7_enable_aide: true # The default Ubuntu configuration for AIDE will cause it to wander into some # terrible places on the system, such as /var/lib/lxc and images in /opt. 
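Review bot: The explanatory comment two lines above the changed `security_epel_install_repository` line still tells the reader to set the variable to `no`, so the documentation and the value now disagree on the spelling; update it to match, e.g. `# Set the following variable to false to prevent the EPEL repository from being`. The same stale wording survives in later hunks of this file: the pwquality note ('yes' to apply, 'no' to disable each rule) in the @@ -86 hunk, "to 'no' to skip their removal" in the @@ -302 hunk, and "set this variable to 'yes'" in the @@ -405 hunk. The values themselves still load correctly; this is a wording mismatch only.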
@@ -86,189 +86,190 @@ security_aide_exclude_dirs: # Encrypt audit records when they are transmitted over the network. # security_audisp_enable_krb5: yes # V-72085 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING! -security_rhel7_audit_failure_flag: 1 # V-72081 +security_rhel7_audit_failure_flag: 1 # V-72081 # Set the action to take when the disk is full or network events cannot be sent. -security_rhel7_auditd_disk_full_action: syslog # V-72087 -security_rhel7_auditd_network_failure_action: syslog # V-72087 +security_rhel7_auditd_disk_full_action: syslog # V-72087 +security_rhel7_auditd_network_failure_action: syslog # V-72087 # Size of remaining disk space (in MB) that triggers alerts. security_rhel7_auditd_space_left: >- # V-72089 {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }} # Action to take when the space_left threshold is reached. -security_rhel7_auditd_space_left_action: email # V-72091 +security_rhel7_auditd_space_left_action: email # V-72091 # Send auditd email alerts to this user. -security_rhel7_auditd_action_mail_acct: root # V-72093 +security_rhel7_auditd_action_mail_acct: root # V-72093 # Add audit rules for commands/syscalls. 
-security_rhel7_audit_chsh: yes # V-72167
-security_rhel7_audit_chage: yes # V-72155
-security_rhel7_audit_chcon: yes # V-72139
-security_rhel7_audit_chmod: no # V-72105
-security_rhel7_audit_chown: no # V-72097
-security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
-security_rhel7_audit_crontab: yes # V-72183
-security_rhel7_audit_delete_module: yes # V-72189
-security_rhel7_audit_fchmod: no # V-72107
-security_rhel7_audit_fchmodat: no # V-72109
-security_rhel7_audit_fchown: no # V-72099
-security_rhel7_audit_fchownat: no # V-72103
-security_rhel7_audit_fremovexattr: no # V-72119
-security_rhel7_audit_fsetxattr: no # V-72113
-security_rhel7_audit_ftruncate: yes # V-72133
-security_rhel7_audit_init_module: yes # V-72187
-security_rhel7_audit_gpasswd: yes # V-72153
-security_rhel7_audit_lchown: no # V-72101
-security_rhel7_audit_lremovexattr: no # V-72121
-security_rhel7_audit_lsetxattr: no # V-72115
-security_rhel7_audit_mount: yes # V-72171
-security_rhel7_audit_newgrp: yes # V-72165
-security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
-security_rhel7_audit_openat: yes # V-72127
-security_rhel7_audit_open_by_handle_at: yes # V-72129
-security_rhel7_audit_pam_timestamp_check: yes # V-72185
-security_rhel7_audit_passwd: yes # V-72149
-security_rhel7_audit_postdrop: yes # V-72175
-security_rhel7_audit_postqueue: yes # V-72177
-security_rhel7_audit_removexattr: no # V-72117
-security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
-security_rhel7_audit_renameat: yes # V-72201
-security_rhel7_audit_restorecon: yes # V-72141
-security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
-security_rhel7_audit_semanage: yes # V-72135
-security_rhel7_audit_setsebool: yes # V-72137
-security_rhel7_audit_setxattr: no # V-72111
-security_rhel7_audit_ssh_keysign: yes # V-72179
-security_rhel7_audit_su: yes # V-72159
-security_rhel7_audit_sudo: yes # V-72161
-security_rhel7_audit_sudoedit: yes # V-72169
-security_rhel7_audit_truncate: yes # V-72131
-security_rhel7_audit_umount: yes # V-72173
-security_rhel7_audit_unix_chkpwd: yes # V-72151
-security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
-security_rhel7_audit_unlinkat: yes # V-72207
-security_rhel7_audit_userhelper: yes # V-72157
+security_rhel7_audit_chsh: true # V-72167
+security_rhel7_audit_chage: true # V-72155
+security_rhel7_audit_chcon: true # V-72139
+security_rhel7_audit_chmod: false # V-72105
+security_rhel7_audit_chown: false # V-72097
+security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
+security_rhel7_audit_crontab: true # V-72183
+security_rhel7_audit_delete_module: true # V-72189
+security_rhel7_audit_fchmod: false # V-72107
+security_rhel7_audit_fchmodat: false # V-72109
+security_rhel7_audit_fchown: false # V-72099
+security_rhel7_audit_fchownat: false # V-72103
+security_rhel7_audit_fremovexattr: false # V-72119
+security_rhel7_audit_fsetxattr: false # V-72113
+security_rhel7_audit_ftruncate: true # V-72133
+security_rhel7_audit_init_module: true # V-72187
+security_rhel7_audit_gpasswd: true # V-72153
+security_rhel7_audit_lchown: false # V-72101
+security_rhel7_audit_lremovexattr: false # V-72121
+security_rhel7_audit_lsetxattr: false # V-72115
+security_rhel7_audit_mount: true # V-72171
+security_rhel7_audit_newgrp: true # V-72165
+security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
+security_rhel7_audit_openat: true # V-72127
+security_rhel7_audit_open_by_handle_at: true # V-72129
+security_rhel7_audit_pam_timestamp_check: true # V-72185
+security_rhel7_audit_passwd: true # V-72149
+security_rhel7_audit_postdrop: true # V-72175
+security_rhel7_audit_postqueue: true # V-72177 +security_rhel7_audit_removexattr: false # V-72117 +security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199 +security_rhel7_audit_renameat: true # V-72201 +security_rhel7_audit_restorecon: true # V-72141 +security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203 +security_rhel7_audit_semanage: true # V-72135 +security_rhel7_audit_setsebool: true # V-72137 +security_rhel7_audit_setxattr: false # V-72111 +security_rhel7_audit_ssh_keysign: true # V-72179 +security_rhel7_audit_su: true # V-72159 +security_rhel7_audit_sudo: true # V-72161 +security_rhel7_audit_sudoedit: true # V-72169 +security_rhel7_audit_truncate: true # V-72131 +security_rhel7_audit_umount: true # V-72173 +security_rhel7_audit_unix_chkpwd: true # V-72151 +security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205 +security_rhel7_audit_unlinkat: true # V-72207 +security_rhel7_audit_userhelper: true # V-72157 # Add audit rules for other events. -security_rhel7_audit_account_access: yes # V-72143 -security_rhel7_audit_sudo_config_changes: yes # V-72163 -security_rhel7_audit_insmod: yes # V-72191 -security_rhel7_audit_rmmod: yes # V-72193 -security_rhel7_audit_modprobe: yes # V-72195 -security_rhel7_audit_account_actions: yes # V-72197 +security_rhel7_audit_account_access: true # V-72143 +security_rhel7_audit_sudo_config_changes: true # V-72163 +security_rhel7_audit_insmod: true # V-72191 +security_rhel7_audit_rmmod: true # V-72193 +security_rhel7_audit_modprobe: true # V-72195 +security_rhel7_audit_account_actions: true # V-72197 ## Authentication (auth) # Check if sudoers has the NOPASSWD rule enabled -security_sudoers_nopasswd_check_enable: yes +security_sudoers_nopasswd_check_enable: true # Disallow logins from accounts with blank/null passwords via PAM. 
-security_disallow_blank_password_login: yes # V-71937 +security_disallow_blank_password_login: true # V-71937 # Apply password quality rules. # NOTE: The security_pwquality_apply_rules variable is a "master switch". # Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of # the password quality rules. Each rule can be disabled with a value of 'no'. -security_pwquality_apply_rules: no -security_pwquality_require_uppercase: yes # V-71903 -security_pwquality_require_lowercase: yes # V-71905 -security_pwquality_require_numeric: yes # V-71907 -security_pwquality_require_special: yes # V-71909 -security_pwquality_require_characters_changed: yes # V-71911 -security_pwquality_require_character_classes_changed: yes # V-71913 -security_pwquality_limit_repeated_characters: yes # V-71915 -security_pwquality_limit_repeated_character_classes: yes # V-71917 -security_pwquality_require_minimum_password_length: no # V-71935 +security_pwquality_apply_rules: false +security_pwquality_require_uppercase: true # V-71903 +security_pwquality_require_lowercase: true # V-71905 +security_pwquality_require_numeric: true # V-71907 +security_pwquality_require_special: true # V-71909 +security_pwquality_require_characters_changed: true # V-71911 +security_pwquality_require_character_classes_changed: true # V-71913 +security_pwquality_limit_repeated_characters: true # V-71915 +security_pwquality_limit_repeated_character_classes: true # V-71917 +security_pwquality_require_minimum_password_length: false # V-71935 # Use pwquality when passwords are changed or established. -security_enable_pwquality_password_set: no # V-73159 +security_enable_pwquality_password_set: false # V-73159 # Ensure passwords are stored using SHA512. -security_password_encrypt_method: SHA512 # V-71921 +security_password_encrypt_method: SHA512 # V-71921 # Ensure user/group admin utilities only store encrypted passwords. 
-security_libuser_crypt_style_sha512: yes # V-71923 +security_libuser_crypt_style_sha512: true # V-71923 # Set a minimum/maximum lifetime limit for user passwords. # security_password_min_lifetime_days: 1 # V-71925 # security_password_max_lifetime_days: 60 # V-71929 # Set a delay (in seconds) between failed login attempts. -security_shadow_utils_fail_delay: 4 # V-71951 +security_shadow_utils_fail_delay: 4 # V-71951 # Set a umask for all authenticated users. # security_shadow_utils_umask: '077' # V-71995 # Create home directories for new users by default. -security_shadow_utils_create_home: yes # V-72013 +security_shadow_utils_create_home: true # V-72013 # How many old user password to remember to prevent password re-use. # security_password_remember_password: 5 # V-71933 # Disable user accounts if the password expires. -security_disable_account_if_password_expires: no # V-71941 +security_disable_account_if_password_expires: false # V-71941 # Lock user accounts with excessive login failures. See documentation. -security_pam_faillock_enable: no # V-71945 / V-71943 / RHEL-07-010373 +security_pam_faillock_enable: false # V-71945 / V-71943 / RHEL-07-010373 security_pam_faillock_interval: 900 security_pam_faillock_attempts: 3 -security_pam_faillock_deny_root: yes # RHEL-07-010373 -security_pam_faillock_unlock_time: 604800 # V-71943 +security_pam_faillock_deny_root: true # RHEL-07-010373 +security_pam_faillock_unlock_time: 604800 # V-71943 # Limit the number of concurrent connections per account. # security_rhel7_concurrent_session_limit: 10 # V-72217 # Remove .shosts and shosts.equiv files. -security_rhel7_remove_shosts_files: no # V-72277 +security_rhel7_remove_shosts_files: false # V-72277 # Exclude these directories from the shosts files find security_rhel7_remove_shosts_exclude_dirs: - - '/sys' - - '/proc' - - '/dev' + - "/sys" + - "/proc" + - "/dev" ## File permissions (file_perms) # Reset file permissions and ownership for files installed via RPM packages. 
-security_reset_perm_ownership: no # V-71849 +security_reset_perm_ownership: false # V-71849 # Search for files/directories owned by invalid users or groups. -security_search_for_invalid_owner: no # V-72007 -security_search_for_invalid_group_owner: no # V-72009 +security_search_for_invalid_owner: false # V-72007 +security_search_for_invalid_group_owner: false # V-72009 # Set user/group owners on each home directory and set mode to 0750. -security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021 +security_set_home_directory_permissions_and_owners: false # V-72017 / V-72019 / V-72021 # Find all world-writable directories and display them. -security_find_world_writable_dirs: no # V-72047 +security_find_world_writable_dirs: false # V-72047 ## Graphical interfaces (graphical) # Disable automatic gdm logins -security_disable_gdm_automatic_login: yes # V-71953 +security_disable_gdm_automatic_login: true # V-71953 # Disable timed gdm logins for guests -security_disable_gdm_timed_login: yes # V-71955 +security_disable_gdm_timed_login: true # V-71955 # Enable session locking for graphical logins. -security_lock_session: no # V-71891 +security_lock_session: false # V-71891 # Set a timer (in seconds) when an inactive session is locked. -security_lock_session_inactive_delay: 900 # V-71893 +security_lock_session_inactive_delay: 900 # V-71893 # Prevent users from modifying session lock settings. -security_lock_session_override_user: yes # RHEL-07-010071 +security_lock_session_override_user: true # RHEL-07-010071 # Lock a session (start screensaver) when a session is inactive. -security_lock_session_when_inactive: yes # V-71893 +security_lock_session_when_inactive: true # V-71893 # Time after screensaver starts when user login is required. -security_lock_session_screensaver_lock_delay: 5 # V-71901 +security_lock_session_screensaver_lock_delay: 5 # V-71901 # Enable a login banner and set the text for the banner. 
-security_enable_graphical_login_message: yes # V-71859 +security_enable_graphical_login_message: true # V-71859 security_enable_graphical_login_message_text: > - You are accessing a secured system and your actions will be logged along - with identifying information. Disconnect immediately if you are not an - authorized user of this system. + You are accessing a secured system and your actions will be logged along + with identifying information. Disconnect immediately if you are not an + authorized user of this system. ## Linux Security Module (lsm) # Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu. -security_rhel7_enable_linux_security_module: yes # V-71989 / V-71991 +security_rhel7_enable_linux_security_module: true # V-71989 / V-71991 ## Miscellaneous (misc) # Disable the autofs service. -security_rhel7_disable_autofs: yes # V-71985 +security_rhel7_disable_autofs: true # V-71985 # Enable virus scanning with clamav -security_enable_virus_scanner: no # V-72213 +security_enable_virus_scanner: false # V-72213 # Run the virus scanner update during the deployment (if scanner is deployed) -security_run_virus_scanner_update: yes +security_run_virus_scanner_update: true # Disable ctrl-alt-delete key sequence on the console. -security_rhel7_disable_ctrl_alt_delete: yes # V-71993 +security_rhel7_disable_ctrl_alt_delete: true # V-71993 # Install and enable firewalld for iptables management. -security_enable_firewalld: no # V-72273 +security_enable_firewalld: false # V-72273 # Rate limit TCP connections to 25/min and burstable to 100. -security_enable_firewalld_rate_limit: no # V-72271 +security_enable_firewalld_rate_limit: false # V-72271 security_enable_firewalld_rate_limit_per_minute: 25 security_enable_firewalld_rate_limit_burst: 100 # Update the grub configuration. -security_enable_grub_update: yes +security_enable_grub_update: true # Require authentication in GRUB to boot into single-user or maintenance modes. 
-security_require_grub_authentication: no # V-71961 / V-71963 +security_require_grub_authentication: false # V-71961 / V-71963 # The default password for grub authentication is 'secrete'. -security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length] +security_grub_password_hash: + grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length] # Set session timeout. -security_rhel7_session_timeout: 600 # V-72223 +security_rhel7_session_timeout: 600 # V-72223 # Enable chrony for NTP time synchronization. -security_rhel7_enable_chrony: yes # V-72269 +security_rhel7_enable_chrony: true # V-72269 # Use the following NTP servers. security_ntp_servers: - 0.pool.ntp.org @@ -286,9 +287,9 @@ security_allowed_ntp_subnets: - 192.168/16 - 172.16/12 # Listen for NTP requests only on local interfaces. -security_ntp_bind_local_interfaces_only: yes +security_ntp_bind_local_interfaces_only: true # Restrict mail relaying. -security_rhel7_restrict_mail_relaying: yes # V-72297 +security_rhel7_restrict_mail_relaying: true # V-72297 # Deploy a login banner. # V-72225 / V-71863 security_login_banner_text: | ------------------------------------------------------------------------------ 
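Review bot: The five audit toggles built from `ternary('no', 'yes')` (creat, open, rename, rmdir, unlink) still produce the string values that the rest of this hunk removes, so the file now mixes `true`/`false` booleans with templated 'yes'/'no' strings for the same family of variables. `ternary(false, true)` keeps the aarch64 special case while yielding the same kind of value as the neighbouring keys, e.g. `security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary(false, true) }}" # V-72123`. This is safe only if the consuming audit-rule tasks cast with `| bool`, which accepts both forms; those tasks are outside this diff, so confirm before changing.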
@@ -302,90 +303,90 @@ security_login_banner_text: | ## Packages (packages) # Remove packages from the system as required by the STIG. Set any of these # to 'no' to skip their removal. -security_rhel7_remove_rsh_server: yes # V-71967 -security_rhel7_remove_telnet_server: yes # V-72077 -security_rhel7_remove_tftp_server: yes # V-72301 -security_rhel7_remove_xorg: yes # V-72307 -security_rhel7_remove_ypserv: yes # V-71969 +security_rhel7_remove_rsh_server: true # V-71967 +security_rhel7_remove_telnet_server: true # V-72077 +security_rhel7_remove_tftp_server: true # V-72301 +security_rhel7_remove_xorg: true # V-72307 +security_rhel7_remove_ypserv: true # V-71969 # Automatically remove dependencies when removing packages. -security_package_clean_on_remove: no # V-71987 +security_package_clean_on_remove: false # V-71987 # Automatically update packages. -security_rhel7_automatic_package_updates: no # V-71999 +security_rhel7_automatic_package_updates: false # V-71999 # Install packages for multi-factor authentication. -security_install_multifactor_auth_packages: yes # V-72417 -security_check_package_checksums: no # V-71855 +security_install_multifactor_auth_packages: true # V-72417 +security_check_package_checksums: false # V-71855 ## RPM (rpm) # Enable GPG checks for packages and repository data. -security_enable_gpgcheck_packages: yes # V-71977 -security_enable_gpgcheck_packages_local: yes # V-71979 -security_enable_gpgcheck_repo: no # V-71981 +security_enable_gpgcheck_packages: true # V-71977 +security_enable_gpgcheck_packages_local: true # V-71979 +security_enable_gpgcheck_repo: false # V-71981 ## ssh server (sshd) # Ensure sshd is running and enabled at boot time. -security_enable_sshd: yes # V-72235 +security_enable_sshd: true # V-72235 # Disallow logins from users with empty/null passwords. 
-security_sshd_disallow_empty_password: yes # V-71939 / RHEL-07-010440 +security_sshd_disallow_empty_password: true # V-71939 / RHEL-07-010440 # Disallow users from overriding the ssh environment variables. -security_sshd_disallow_environment_override: yes # V-71957 +security_sshd_disallow_environment_override: true # V-71957 # Disallow host based authentication. -security_sshd_disallow_host_based_auth: yes # V-71959 +security_sshd_disallow_host_based_auth: true # V-71959 # Set a list of allowed ssh ciphers. -security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221 +security_sshd_cipher_list: "aes128-ctr,aes192-ctr,aes256-ctr" # V-72221 # Specify a text file to be displayed as the banner/MOTD for all sessions. -security_sshd_banner_file: /etc/motd # V-71861 / V-72225 +security_sshd_banner_file: /etc/motd # V-71861 / V-72225 # Disable dynamic MOTD banner that is provided by /run/motd.dynamic -security_sshd_dynamic_banner_disable: True +security_sshd_dynamic_banner_disable: true # Set the interval for max session length and the number of intervals to allow. -security_sshd_client_alive_interval: 600 # V-72237 -security_sshd_client_alive_count_max: 0 # V-72241 +security_sshd_client_alive_interval: 600 # V-72237 +security_sshd_client_alive_count_max: 0 # V-72241 # Print the last login for a user when they log in over ssh. -security_sshd_print_last_log: yes # V-72245 +security_sshd_print_last_log: true # V-72245 # Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only') -security_sshd_permit_root_login: no # V-72247 +security_sshd_permit_root_login: false # V-72247 # Disallow authentication using known hosts authentication. -security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239 +security_sshd_disallow_known_hosts_auth: true # V-72249 / V-72239 # Disallow rhosts authentication. 
-security_sshd_disallow_rhosts_auth: yes # V-72243 +security_sshd_disallow_rhosts_auth: true # V-72243 # Enable X11 forwarding. -security_sshd_enable_x11_forwarding: yes # V-72303 +security_sshd_enable_x11_forwarding: true # V-72303 # Set the allowed ssh protocols. -security_sshd_protocol: 2 # V-72251 +security_sshd_protocol: 2 # V-72251 # Set the list of allowed Message Authentication Codes (MACs) for ssh. -security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # V-72253 +security_sshd_allowed_macs: "hmac-sha2-256,hmac-sha2-512" # V-72253 # Disallow Generic Security Service Application Program Interface (GSSAPI) auth. -security_sshd_disallow_gssapi: yes # V-72259 +security_sshd_disallow_gssapi: true # V-72259 # Disallow compression or delay after login. -security_sshd_compression: 'delayed' # V-72267 +security_sshd_compression: "delayed" # V-72267 # Require privilege separation at every opportunity. -security_sshd_enable_privilege_separation: no # V-72265 +security_sshd_enable_privilege_separation: false # V-72265 # Require strict mode checking of home directory configuration files. -security_sshd_enable_strict_modes: yes # V-72263 +security_sshd_enable_strict_modes: true # V-72263 # Disallow Kerberos authentication. -security_sshd_disable_kerberos_auth: yes # V-72261 +security_sshd_disable_kerberos_auth: true # V-72261 # Disallow GSSAPI authentication. -security_sshd_disable_gssapi_auth: yes # V-204598 +security_sshd_disable_gssapi_auth: true # V-204598 ## Kernel settings (kernel) # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces # immediately and by default on new interfaces. -security_disallow_source_routed_packet_forward_ipv4: yes # V-72283 / V-72285 -security_disallow_source_routed_packet_forward_ipv6: yes # V-72319 +security_disallow_source_routed_packet_forward_ipv4: true # V-72283 / V-72285 +security_disallow_source_routed_packet_forward_ipv6: true # V-72319 # Disallow responses to IPv4 ICMP echoes sent to broadcast address. 
-security_disallow_echoes_broadcast_address: yes # V-72287 +security_disallow_echoes_broadcast_address: true # V-72287 # Disallow IPV4 ICMP redirects on all interfaces immediately and by default on # new interfaces. -security_disallow_icmp_redirects: yes # V-73175 / V-72289 / V-72291 / V-72293 +security_disallow_icmp_redirects: true # V-73175 / V-72289 / V-72291 / V-72293 # Disallow IP forwarding. -security_disallow_ip_forwarding: no # V-72309 +security_disallow_ip_forwarding: false # V-72309 # Disable USB storage support. -security_rhel7_disable_usb_storage: yes # V-71983 +security_rhel7_disable_usb_storage: true # V-71983 # Disable kdump. -security_disable_kdump: yes # V-72057 +security_disable_kdump: true # V-72057 # Disable Datagram Congestion Control Protocol (DCCP). -security_rhel7_disable_dccp: yes # V-77821 +security_rhel7_disable_dccp: true # V-77821 # Enable Address Space Layout Randomization (ASLR). -security_enable_aslr: yes # V-77825 +security_enable_aslr: true # V-77825 ############################################################################### # ____ _ _ _ @@ -405,12 +406,12 @@ security_enable_aslr: yes # V-77825 ############################################################################### # To enable the contrib tasks, set this variable to 'yes'. -security_contrib_enabled: no +security_contrib_enabled: false # Disable IPv6. # DANGER: This option causes IPv6 networking to be disabled for the ENTIRE # DANGER: SYSTEM. This will cause downtime for any services that depend on # DANGER: IPv6 network connectivity. -security_contrib_disable_ipv6: no # C-00001 +security_contrib_disable_ipv6: false # C-00001 security_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}" diff --git a/examples/playbook.yml b/examples/playbook.yml index 0a8c6d0d..41ce6fe2 100644 --- a/examples/playbook.yml +++ b/examples/playbook.yml 
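Review bot: `security_sshd_permit_root_login` is not a boolean option: the comment on the line above lists sshd's keyword values ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only'), and the new default `false` is the only value in that set that is not an sshd keyword, so the sshd_config template (outside this diff) must map the boolean back to `no` rather than render it as `False`. Under the YAML 1.1 loader Ansible uses, the old `no` already parsed to a boolean, so behaviour presumably does not change here, but a quoted keyword would keep the variable within its documented domain and still satisfy the truthy rule: `security_sshd_permit_root_login: "no" # V-72247`. Worth checking the template once either way.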
@@ -1,7 +1,7 @@ --- - name: Gather security hardening facts hosts: "{{ security_host_group|default('hosts') }}" - gather_facts: True + gather_facts: true tags: - always diff --git a/tasks/main.yml b/tasks/main.yml index db8b5083..49087464 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -32,7 +32,7 @@ - name: Check for check/audit mode command: /bin/true register: noop_result - changed_when: False + changed_when: false tags: - always diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml index c08430e3..b145d65a 100644 --- a/tasks/rhel7stig/accounts.yml +++ b/tasks/rhel7stig/accounts.yml @@ -16,7 +16,7 @@ - name: Check if /etc/security/pwquality.conf exists stat: path: /etc/security/pwquality.conf - check_mode: no + check_mode: false register: pwquality_config_check tags: - always @@ -24,7 +24,7 @@ - name: Set password quality requirements blockinfile: dest: /etc/security/pwquality.conf - backup: yes + backup: true insertbefore: EOF marker: "# {mark} Added by ansible-hardening role" state: present @@ -47,8 +47,8 @@ - name: Check for SHA512 password storage in PAM command: "grep pam_unix.so {{ pam_password_file }}" register: password_sha512_check - changed_when: False - check_mode: no + changed_when: false + check_mode: false tags: - always @@ -70,7 +70,7 @@ section: defaults option: crypt_style value: sha512 - backup: yes + backup: true mode: "0644" when: - security_libuser_crypt_style_sha512 | bool @@ -117,9 +117,9 @@ - name: Ensure that users cannot reuse one of their last 5 passwords lineinfile: dest: "{{ pam_password_file }}" - regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$' - line: '\1 remember={{ security_password_remember_password }}' - backrefs: yes + regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$" + line: "\\1 remember={{ security_password_remember_password }}" + backrefs: true state: present when: - security_password_remember_password is defined 
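Review bot: The `regexp` and `line` values of the "Ensure that users cannot reuse one of their last 5 passwords" task now carry doubled backslashes (`\\s`, `\\[`, `\\d`, `\\1`) because double-quoted YAML processes escapes, which makes the pattern harder to read and to verify against the PAM line it targets; the decoded pattern is unchanged, so this is readability only. Where the lint configuration permits it, keeping regex-bearing values single-quoted (`regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'`) avoids the extra escaping layer; yamllint's `quoted-strings` rule offers `quote-type: any` for this. The same applies to the backref rewrites in the accounts.yml @@ -131 hunk, aide.yml @@ -71, auditd.yml @@ -157 and auth.yml @@ -18.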
@@ -131,8 +131,8 @@ - name: Ensure accounts are disabled if the password expires lineinfile: dest: /etc/default/useradd - regexp: '^[#\s]*INACTIVE' - line: 'INACTIVE=0' + regexp: "^[#\\s]*INACTIVE" + line: "INACTIVE=0" when: - security_disable_account_if_password_expires | bool tags: @@ -175,8 +175,8 @@ - name: Get all accounts with UID 0 shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd" - changed_when: False - check_mode: no + changed_when: false + check_mode: false register: root_user_check tags: - accounts diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml index 8801f97d..4cf03833 100644 --- a/tasks/rhel7stig/aide.yml +++ b/tasks/rhel7stig/aide.yml @@ -17,7 +17,7 @@ stat: path: "{{ item }}" register: aide_conf - check_mode: no + check_mode: false with_items: - /etc/aide/aide.conf.d - /etc/aide.conf @@ -71,10 +71,10 @@ - name: Configure AIDE to verify additional properties (SUSE) lineinfile: dest: "/etc/aide.conf" - regexp: '(^Binlib.*= )' - line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs' + regexp: "(^Binlib.*= )" + line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs" state: present - backrefs: yes + backrefs: true when: - aide_conf.results[1].stat.exists | bool - ansible_facts['pkg_mgr'] == 'zypper' @@ -89,7 +89,7 @@ stat: path: "{{ aide_database_file }}" register: aide_database - check_mode: no + check_mode: false tags: - always diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml index 35c3c372..16d36898 100644 --- a/tasks/rhel7stig/apt.yml +++ b/tasks/rhel7stig/apt.yml @@ -21,8 +21,8 @@ - name: Gather debsums report shell: "debsums > {{ temp_dir }}/debsums.txt" - changed_when: False - failed_when: False + changed_when: false + failed_when: false when: - security_check_package_checksums | bool - not check_mode | bool 
@@ -30,7 +30,7 @@ - name: V-71855 - Get files with invalid checksums (apt) shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe register: invalid_checksum_files - changed_when: False + changed_when: false when: - security_check_package_checksums | bool - not check_mode | bool @@ -70,9 +70,9 @@ - name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/ register: gpgcheck_result - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false - name: V-71977 - Package management tool must verify authenticity of packages debug: @@ -102,7 +102,7 @@ regexp: "^(#)?APT::Get::AutomaticRemove" line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";" state: present - create: yes + create: true mode: "0644" when: - security_package_clean_on_remove | bool diff --git a/tasks/rhel7stig/async_tasks.yml b/tasks/rhel7stig/async_tasks.yml index 8930bc16..e161d249 100644 --- a/tasks/rhel7stig/async_tasks.yml +++ b/tasks/rhel7stig/async_tasks.yml @@ -17,8 +17,8 @@ # lookup one time and then grep over the output in subsequent tasks. - name: Verify all installed RPM packages shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" # noqa: command-instead-of-module - failed_when: False - changed_when: False + failed_when: false + changed_when: false register: rpmverify_task async: 3600 poll: 0 @@ -31,7 +31,6 @@ - V-71855 - skip_ansible_lint - - name: Locate top level directories to check for .shosts find: paths: / @@ -49,10 +48,10 @@ - name: Check for .shosts or shosts.equiv files find: paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}" - recurse: yes - hidden: yes - patterns: '.shosts,shosts.equiv' - changed_when: False + recurse: true + hidden: true + patterns: ".shosts,shosts.equiv" + changed_when: false register: shosts_find async: 300 poll: 0 
diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml index fbe94995..b46dadb5 100644 --- a/tasks/rhel7stig/auditd.yml +++ b/tasks/rhel7stig/auditd.yml @@ -17,7 +17,7 @@ stat: path: /etc/audit/auditd.conf register: auditd_conf - check_mode: no + check_mode: false tags: - always @@ -25,7 +25,7 @@ stat: path: /etc/audisp/audisp-remote.conf register: audisp_remote_conf - check_mode: no + check_mode: false tags: - always @@ -62,7 +62,7 @@ - name: Get valid system architectures for audit rules set_fact: auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" - check_mode: no + check_mode: false tags: - always @@ -157,7 +157,7 @@ - name: Adjust auditd/audispd configurations lineinfile: dest: "{{ item.config }}" - regexp: '^#?{{ item.parameter }}\s*=' + regexp: "^#?{{ item.parameter }}\\s*=" line: "{{ item.parameter }} = {{ item.value }}" with_items: "{{ auditd_config }}" when: @@ -177,7 +177,7 @@ service: name: auditd state: started - enabled: yes + enabled: true when: - auditd_conf.stat.exists tags: diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index ded697e2..b08967ac 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -18,10 +18,10 @@ - name: Set pam_faildelay configuration on Ubuntu lineinfile: dest: /etc/pam.d/login - regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$' - line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}' + regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$" + line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}" state: present - backrefs: yes + backrefs: true when: - security_shadow_utils_fail_delay is defined - ansible_facts['os_family'] | lower == 'debian' 
@@ -35,9 +35,9 @@ dest: "{{ pam_auth_file }}" state: present regexp: "^(.*)nullok_secure(.*)$" - line: '\1\2' - backup: yes - backrefs: yes + line: "\\1\\2" + backup: true + backrefs: true when: - ansible_facts['os_family'] == 'Debian' - security_disallow_blank_password_login | bool @@ -51,9 +51,9 @@ dest: "{{ item[1] }}" state: present regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$" - line: '\1\2' - backup: yes - backrefs: yes + line: "\\1\\2" + backup: true + backrefs: true loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}" when: - ansible_facts['os_family'] == 'RedHat' @@ -68,9 +68,9 @@ dest: "{{ item }}" state: present regexp: "^(.*required.*)nullok(.*)$" - line: '\1\2' - backup: yes - backrefs: yes + line: "\\1\\2" + backup: true + backrefs: true with_items: - "{{ pam_auth_file }}" - "{{ pam_password_file }}" @@ -108,7 +108,7 @@ - name: Check for 'nopasswd' in sudoers files shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe register: sudoers_nopasswd_check - changed_when: False + changed_when: false when: - security_sudoers_nopasswd_check_enable | bool tags: @@ -134,7 +134,7 @@ - name: Check for '!authenticate' in sudoers files shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found' register: sudoers_authenticate_check - changed_when: False + changed_when: false tags: - auth - medium @@ -159,7 +159,7 @@ stat: path: /etc/sssd/sssd.conf register: sssd_conf_check - check_mode: no + check_mode: false tags: - always @@ -169,7 +169,7 @@ stat: path: "{{ grub_custom_file }}" register: grub_custom_file_check - check_mode: no + check_mode: false tags: - always 
@@ -189,10 +189,10 @@ - name: Set CLASS for grub file lineinfile: path: "{{ grub_linux_file }}" - regexp: '^CLASS=.*' + regexp: "^CLASS=.*" line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"' state: present - backrefs: yes + backrefs: true notify: - Update grub config when: @@ -207,7 +207,7 @@ - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. blockinfile: dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf - create: yes + create: true mode: "0644" block: | # Deployed by the ansible-hardening role @@ -223,9 +223,9 @@ - name: Check for pam_lastlog in PAM configuration command: "grep pam_lastlog {{ pam_postlogin_file }}" register: pam_lastlog_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - always @@ -244,8 +244,8 @@ - name: Ensure .shosts find has finished async_status: jid: "{{ shosts_find.ansible_job_id }}" - failed_when: False - changed_when: False + failed_when: false + changed_when: false register: job_result until: job_result.finished retries: 60 diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml index abe1ef7a..072b1026 100644 --- a/tasks/rhel7stig/dnf.yml +++ b/tasks/rhel7stig/dnf.yml @@ -19,7 +19,7 @@ - name: Check if /etc/dnf/automatic.conf exists stat: path: /etc/dnf/automatic.conf - check_mode: no + check_mode: false register: dnf_automatic_config_check when: - ansible_facts['os_family'] | lower == 'redhat' @@ -49,8 +49,8 @@ - name: Check to see which dnf automatic timers are available shell: "rpm -ql dnf-automatic | grep timer || true" # noqa: command-instead-of-module register: dnf_automatic_timers - check_mode: no - changed_when: False + check_mode: false + changed_when: false when: - ansible_facts['os_family'] | lower == 'redhat' - ansible_facts['pkg_mgr'] == 'dnf' 
@@ -79,7 +79,7 @@ - name: Enable dnf automatic timer for automatic package updates systemd: name: "{{ dnf_automatic_timer }}" - enabled: yes + enabled: true state: started when: - ansible_facts['os_family'] | lower == 'redhat' diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml index 8c7b6081..826a3417 100644 --- a/tasks/rhel7stig/file_perms.yml +++ b/tasks/rhel7stig/file_perms.yml @@ -16,7 +16,7 @@ - name: V-71849 - Get packages with incorrect file permissions or ownership shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe register: rpmverify_package_list - changed_when: False + changed_when: false when: - not check_mode | bool - ansible_facts['pkg_mgr'] == 'dnf' @@ -30,7 +30,7 @@ shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" # noqa: command-instead-of-shell command-instead-of-module risky-shell-pipe changed_when: false with_nested: - - ['--setperms', '--setugids'] + - ["--setperms", "--setugids"] - "{{ rpmverify_package_list.stdout_lines | default([]) }}" when: - not check_mode | bool @@ -113,9 +113,9 @@ - name: Find all world-writable directories shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe register: world_writable_dirs - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false when: - security_find_world_writable_dirs | bool tags: diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml index 48b6f6cf..1c8a2392 100644 --- a/tasks/rhel7stig/graphical.yml +++ b/tasks/rhel7stig/graphical.yml @@ -17,7 +17,7 @@ stat: path: /etc/gdm/custom.conf register: gdm_conf_check - check_mode: no + check_mode: false - name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface lineinfile: 
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml index 5378bec1..f463d28b 100644 --- a/tasks/rhel7stig/kernel.yml +++ b/tasks/rhel7stig/kernel.yml @@ -17,7 +17,7 @@ lineinfile: dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf line: install usb-storage /bin/true - create: yes + create: true mode: "0644" when: - security_rhel7_disable_usb_storage | bool @@ -32,7 +32,7 @@ value: "{{ item.value }}" state: "{{ item.enabled | ternary('present', 'absent') }}" sysctl_file: "{{ security_sysctl_file }}" - reload: yes + reload: true when: - item.enabled | bool with_items: "{{ sysctl_settings_rhel7 }}" @@ -54,8 +54,8 @@ command: systemctl status kdump # noqa: command-instead-of-module register: kdump_service_check failed_when: kdump_service_check.rc not in [0,3,4] - changed_when: False - check_mode: no + changed_when: false + check_mode: false tags: - kernel - medium @@ -65,7 +65,7 @@ service: name: kdump state: stopped - enabled: no + enabled: false when: - kdump_service_check.rc not in [3,4] - security_disable_kdump @@ -77,9 +77,9 @@ - name: Check if FIPS is enabled command: cat /proc/sys/crypto/fips_enabled register: fips_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false when: - ansible_facts['pkg_mgr'] == 'dnf' tags: diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml index b52892fa..c48011ba 100644 --- a/tasks/rhel7stig/lsm.yml +++ b/tasks/rhel7stig/lsm.yml @@ -16,7 +16,7 @@ - name: Check apparmor_status output command: apparmor_status register: apparmor_status_output - check_mode: no + check_mode: false changed_when: false failed_when: false when: @@ -34,7 +34,7 @@ - name: Check if apparmor is running command: "systemctl status apparmor" # noqa: command-instead-of-module register: systemctl_apparmor_status - check_mode: no + check_mode: false changed_when: false failed_when: false when: 
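Review bot: In the kernel.yml `@@ -65` hunk the kdump task gains `enabled: false`, but its `when:` list still tests `- security_disable_kdump` bare, while the neighbouring conditions in the same file go through the filter (`security_rhel7_disable_usb_storage | bool` in the `@@ -17` hunk, `item.enabled | bool` in `@@ -32`) and the whole commit is about normalising truthiness. Since this is the condition that stops and disables a service, `- security_disable_kdump | bool` would make it consistent with the rest of the role and robust to the variable being supplied as a string from the command line or an inventory file. The line is untouched context here, so this is a follow-up rather than something this change introduces.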
@@ -47,7 +47,7 @@ - name: Ensure AppArmor is enabled at boot time service: name: apparmor - enabled: yes + enabled: true when: - ansible_facts['pkg_mgr'] in ['apt', 'zypper'] - security_rhel7_enable_linux_security_module | bool @@ -111,8 +111,8 @@ - name: Check for unlabeled device files command: "find /dev -context '*unlabeled_t*'" register: unlabeled_devices - changed_when: False - check_mode: no + changed_when: false + check_mode: false when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['selinux']['status'] == 'enabled' diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index e919e48f..d9e29113 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -26,7 +26,7 @@ - name: Set a fact for the temporary directory set_fact: temp_dir: "{{ mktemp_result.path }}" - changed_when: False + changed_when: false when: - not check_mode | bool tags: @@ -41,7 +41,7 @@ get_users: min_uid: 0 register: hardening_user_list - check_mode: no + check_mode: false tags: - always @@ -49,7 +49,7 @@ get_users: min_uid: "{{ security_interactive_user_minimum_uid }}" register: interactive_user_list - check_mode: no + check_mode: false tags: - always @@ -108,7 +108,7 @@ file: path: "{{ temp_dir }}" state: absent - changed_when: False + changed_when: false when: - not check_mode | bool tags: diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml index 82deccd3..e7b53d89 100644 --- a/tasks/rhel7stig/misc.yml +++ b/tasks/rhel7stig/misc.yml @@ -17,8 +17,8 @@ command: systemctl status autofs # noqa: command-instead-of-module register: autofs_check failed_when: autofs_check.rc not in [0,3,4] - changed_when: False - check_mode: no + changed_when: false + check_mode: false tags: - always @@ -26,7 +26,7 @@ service: name: autofs state: stopped - enabled: no + enabled: false when: - autofs_check.rc not in [3,4] - security_rhel7_disable_autofs | bool 
@@ -41,7 +41,7 @@ - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled systemd: name: ctrl-alt-del.target - enabled: no + enabled: false when: - security_rhel7_disable_ctrl_alt_delete | bool tags: @@ -52,8 +52,8 @@ - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled systemd: name: ctrl-alt-del.target - masked: yes - daemon_reload: yes + masked: true + daemon_reload: true when: - security_rhel7_disable_ctrl_alt_delete | bool tags: @@ -112,9 +112,9 @@ - name: Check if syslog output is being sent to another server command: 'grep "^[^#].*@" /etc/rsyslog.conf' register: rsyslog_transmit_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - always @@ -133,7 +133,7 @@ stat: path: /usr/bin/clamdscan register: clamav_install_check - changed_when: False + changed_when: false tags: - always @@ -160,7 +160,7 @@ dest: /etc/clamd.d/scan.conf regexp: "^(#)?LocalSocket (.*)$" line: "LocalSocket {{ clamav_service_details['socket_path'] }}" - backrefs: yes + backrefs: true when: - clamav_install_check.stat.exists - security_enable_virus_scanner | bool @@ -205,15 +205,15 @@ - name: Check if ClamAV update process is already running shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q" register: freshclam_proc - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - always - name: Update ClamAV database command: freshclam - changed_when: False + changed_when: false when: - freshclam_proc.rc != 0 - clamav_install_check.stat.exists @@ -229,7 +229,7 @@ service: name: "{{ clamav_service }}" state: started - enabled: yes + enabled: true when: - clamav_install_check.stat.exists - security_enable_virus_scanner | bool @@ -273,7 +273,7 @@ service: name: "{{ chrony_service }}" state: started - enabled: yes + enabled: true when: - not check_mode - security_rhel7_enable_chrony | bool 
@@ -309,8 +309,8 @@ command: systemctl status firewalld # noqa: command-instead-of-module register: firewalld_status_check failed_when: firewalld_status_check.rc not in [0,3,4] - changed_when: False - check_mode: no + changed_when: false + check_mode: false tags: - always @@ -318,7 +318,7 @@ service: name: firewalld state: started - enabled: yes + enabled: true when: - firewalld_status_check.rc not in [3,4] - security_enable_firewalld | bool @@ -346,9 +346,9 @@ - name: Count nameserver entries in /etc/resolv.conf command: grep ^nameserver /etc/resolv.conf register: nameserver_check - check_mode: no - changed_when: False - failed_when: False + check_mode: false + changed_when: false + failed_when: false tags: - always - skip_ansible_lint @@ -369,9 +369,9 @@ - name: Check for interfaces in promiscuous mode shell: "set -o pipefail; ip link | grep -i promisc" register: promiscuous_interface_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - always @@ -397,8 +397,8 @@ - name: V-72297 - Prevent unrestricted mail relaying lineinfile: dest: /etc/postfix/main.cf - regexp: '^smtpd_client_restrictions' - line: 'smtpd_client_restrictions = permit_mynetworks, reject' + regexp: "^smtpd_client_restrictions" + line: "smtpd_client_restrictions = permit_mynetworks, reject" when: - postfix_conf_check.stat.exists - security_rhel7_restrict_mail_relaying | bool @@ -411,16 +411,16 @@ stat: path: /etc/xinetd.d/tftp register: tftp_config_check - check_mode: no + check_mode: false tags: - always - name: Check TFTP configuration mode - command: 'grep server_args /etc/xinetd.d/tftp' + command: "grep server_args /etc/xinetd.d/tftp" register: tftp_secure_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false when: - tftp_config_check.stat.exists tags: 
@@ -440,9 +440,9 @@ - name: Check to see if snmpd config contains public/private command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf' register: snmp_public_private_check - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - always diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml index d5b3322b..0d8059b0 100644 --- a/tasks/rhel7stig/rpm.yml +++ b/tasks/rhel7stig/rpm.yml @@ -16,8 +16,8 @@ - name: Ensure RPM verification task has finished async_status: jid: "{{ rpmverify_task.ansible_job_id }}" - failed_when: False - changed_when: False + failed_when: false + changed_when: false register: job_result until: job_result.finished retries: 360 @@ -32,7 +32,7 @@ - name: V-71855 - Get files with invalid checksums (rpm) shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe register: invalid_checksum_files - changed_when: False + changed_when: false when: - security_check_package_checksums | bool - not check_mode | bool diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml index 49d3282b..dcadace8 100644 --- a/tasks/rhel7stig/sshd.yml +++ b/tasks/rhel7stig/sshd.yml @@ -30,8 +30,8 @@ lineinfile: path: /etc/ssh/sshd_config state: absent - regexp: '^{{ item.name }}\s+(?!{{ item.value }})' - validate: '/usr/sbin/sshd -T -f %s' + regexp: "^{{ item.name }}\\s+(?!{{ item.value }})" + validate: "/usr/sbin/sshd -T -f %s" with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}" notify: - Restart ssh @@ -64,7 +64,7 @@ state: present marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" insertbefore: "BOF" - validate: '/usr/sbin/sshd -T -f %s' + validate: "/usr/sbin/sshd -T -f %s" block: |- {% set options = sshd_settings_rhel7 | selectattr('enabled') %} {% for option in options %} 
@@ -99,7 +99,7 @@ - name: Ensure sshd is enabled at boot time service: name: "{{ ssh_service }}" - enabled: yes + enabled: true when: - security_enable_sshd | bool tags: @@ -113,7 +113,7 @@ # The shell command will always report 'changed' so we need to # ignore that since this role is supposed to be idempotent. changed_when: false - check_mode: no + check_mode: false tags: - always @@ -134,7 +134,7 @@ # The shell command will always report 'changed' so we need to # ignore that since this role is supposed to be idempotent changed_when: false - check_mode: no + check_mode: false tags: - always @@ -152,6 +152,6 @@ - name: Manage motd in pam.d replace: path: /etc/pam.d/sshd - regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$' + regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$" replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}' when: security_sshd_dynamic_banner_disable | bool diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml index 025406ab..0fc39c92 100644 --- a/tasks/rhel7stig/yum.yml +++ b/tasks/rhel7stig/yum.yml @@ -19,7 +19,7 @@ - name: Check if /etc/yum/yum-cron.conf exists stat: path: /etc/yum/yum-cron.conf - check_mode: no + check_mode: false register: yum_cron_config_check when: - ansible_facts['os_family'] | lower == 'redhat' diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml index 88428fe8..487645ea 100644 --- a/tasks/rhel7stig/zypper.yml +++ b/tasks/rhel7stig/zypper.yml @@ -17,8 +17,8 @@ - name: Ensure RPM verification task has finished async_status: jid: "{{ rpmverify_task.ansible_job_id }}" - failed_when: False - changed_when: False + failed_when: false + changed_when: false register: job_result until: job_result.finished retries: 360 
@@ -33,7 +33,7 @@ - name: V-71855 - Get files with invalid checksums (rpm) shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe register: invalid_checksum_files - changed_when: False + changed_when: false when: - security_check_package_checksums | bool - not check_mode | bool @@ -70,7 +70,7 @@ - name: V-71977 - Require digital signatures for all packages and repositories lineinfile: dest: "{{ item }}" - regexp: '^(#)?\s*gpgcheck' + regexp: "^(#)?\\s*gpgcheck" line: "gpgcheck=1" state: present with_items: @@ -86,8 +86,8 @@ - name: V-71987 - Clean requirements/dependencies when removing packages (SUSE) lineinfile: dest: "{{ pkg_mgr_config }}" - regexp: '^(#)?\s*solver\.cleandepsOnRemove' - line: 'solver.cleandepsOnRemove = true' + regexp: "^(#)?\\s*solver\\.cleandepsOnRemove" + line: "solver.cleandepsOnRemove = true" state: present when: - security_package_clean_on_remove | bool diff --git a/vars/debian.yml b/vars/debian.yml index 4d4fbe5e..43ab1dca 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -60,7 +60,7 @@ stig_packages_rhel7: - openssh-server - screen state: "{{ security_package_state }}" - enabled: True + enabled: true - packages: - aide - aide-common diff --git a/vars/main.yml b/vars/main.yml index 38eddc1a..8e394fb6 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -61,158 +61,158 @@ auditd_config: audited_commands: - command: chsh stig_id: V-72167 - arch_specific: no + arch_specific: false - command: chage stig_id: V-72155 - arch_specific: no + arch_specific: false - command: chcon stig_id: V-72139 - arch_specific: no + arch_specific: false - command: chmod stig_id: V-72105 - arch_specific: yes + arch_specific: true - command: chown stig_id: V-72097 - arch_specific: yes + arch_specific: true - command: creat stig_id: V-72123 - arch_specific: yes + arch_specific: true - command: crontab stig_id: V-72183 - arch_specific: no + arch_specific: false - command: delete_module stig_id: V-72189 - arch_specific: yes + arch_specific: true - command: fchmod stig_id: V-72107 - arch_specific: yes + arch_specific: true - command: fchmodat stig_id: V-72109 - arch_specific: yes + arch_specific: true - command: fchown stig_id: V-72099 - arch_specific: yes + arch_specific: true - command: fchownat stig_id: V-72103 - arch_specific: yes + arch_specific: true - command: fremovexattr stig_id: V-72119 - arch_specific: yes + arch_specific: true - command: fsetxattr stig_id: V-72113 - arch_specific: yes + arch_specific: true - command: ftruncate stig_id: V-72133 - arch_specific: yes + arch_specific: true - command: init_module stig_id: V-72187 - arch_specific: yes + arch_specific: true - command: gpasswd stig_id: V-72153 - arch_specific: no + arch_specific: false - command: lchown stig_id: V-72101 - arch_specific: yes + arch_specific: true - command: lremovexattr stig_id: V-72121 - arch_specific: yes + arch_specific: true - command: lsetxattr stig_id: V-72115 - arch_specific: yes + arch_specific: true - command: mount path: /bin stig_id: V-72171 - arch_specific: no + arch_specific: false - command: newgrp stig_id: V-72165 - arch_specific: no + arch_specific: false - command: open stig_id: V-72125 - arch_specific: yes + arch_specific: true - command: openat stig_id: V-72127 - arch_specific: yes + arch_specific: true - command: open_by_handle_at 
stig_id: V-72129 - arch_specific: yes + arch_specific: true - command: pam_timestamp_check path: /sbin stig_id: V-72185 - arch_specific: no + arch_specific: false - command: passwd stig_id: V-72149 - arch_specific: no + arch_specific: false - command: postdrop path: /usr/sbin stig_id: V-72175 - arch_specific: no + arch_specific: false - command: postqueue path: /usr/sbin stig_id: V-72177 - arch_specific: no + arch_specific: false - command: removexattr stig_id: V-72117 - arch_specific: yes + arch_specific: true - command: rename stig_id: V-72199 - arch_specific: yes + arch_specific: true - command: renameat stig_id: V-72201 - arch_specific: yes + arch_specific: true - command: restorecon path: /usr/sbin stig_id: V-72141 - arch_specific: no + arch_specific: false - command: rmdir stig_id: V-72203 - arch_specific: yes + arch_specific: true - command: semanage path: /usr/sbin stig_id: V-72135 - arch_specific: no + arch_specific: false - command: setsebool path: /usr/sbin stig_id: V-72137 - arch_specific: no + arch_specific: false - command: setxattr stig_id: V-72111 - arch_specific: yes + arch_specific: true - command: ssh-keysign path: "{{ ssh_keysign_path }}" stig_id: V-72179 - arch_specific: no + arch_specific: false - command: su path: /bin stig_id: V-72159 - arch_specific: no + arch_specific: false - command: sudo stig_id: V-72161 - arch_specific: no + arch_specific: false - command: sudoedit path: /bin stig_id: V-72169 - arch_specific: no + arch_specific: false - command: truncate stig_id: V-72131 - arch_specific: yes + arch_specific: true - command: umount path: /bin stig_id: V-72173 - arch_specific: no + arch_specific: false - command: unix_chkpwd path: /sbin stig_id: V-72151 - arch_specific: no + arch_specific: false - command: unlink stig_id: V-72205 - arch_specific: yes + arch_specific: true - command: unlinkat stig_id: V-72207 - arch_specific: yes + arch_specific: true - command: userhelper path: /usr/sbin stig_id: V-72157 - arch_specific: no + 
arch_specific: false ## Password quality settings # This variable is used in main/rhel7stig/auth.yml to set password quality @@ -368,15 +368,15 @@ sshd_settings_rhel7: stig_id: V-71959 - name: Ciphers value: "{{ security_sshd_cipher_list }}" - enabled: True + enabled: true stig_id: V-72221 - name: ClientAliveInterval value: "{{ security_sshd_client_alive_interval }}" - enabled: True + enabled: true stig_id: V-72237 - name: ClientAliveCountMax value: "{{ security_sshd_client_alive_count_max }}" - enabled: True + enabled: true stig_id: V-72241 - name: PrintLastLog value: "yes" @@ -388,7 +388,7 @@ sshd_settings_rhel7: {% if security_sshd_permit_root_login | string in ['False', 'True'] %} {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %} {{ security_sshd_permit_root_login }}{% endif %} - enabled: True + enabled: true stig_id: V-72247 - name: IgnoreUserKnownHosts value: "yes" @@ -404,11 +404,11 @@ sshd_settings_rhel7: stig_id: V-72303 - name: Protocol value: "{{ security_sshd_protocol }}" - enabled: yes + enabled: true stig_id: V-72251 - name: MACs value: "{{ security_sshd_allowed_macs }}" - enabled: yes + enabled: true stig_id: V-72253 - name: UsePrivilegeSeparation value: sandbox @@ -416,7 +416,7 @@ sshd_settings_rhel7: stig_id: V-72265 - name: Compression value: "{{ security_sshd_compression }}" - enabled: yes + enabled: true stig_id: V-72267 - name: KerberosAuthentication value: "no" diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml index eb183c59..feb1ac38 100644 --- a/vars/redhat-7.yml +++ b/vars/redhat-7.yml @@ -38,7 +38,7 @@ pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf cron_service: crond ssh_service: sshd chrony_service: chronyd -clamav_service: 'clamd@scan' +clamav_service: "clamd@scan" # Clamav paparms clamav_service_details: 
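Review bot: The `value: "yes"` / `value: "no"` entries in the `sshd_settings_rhel7` hunks of vars/main.yml (PrintLastLog, IgnoreUserKnownHosts, KerberosAuthentication, and the `ternary('yes', 'no')` branch for PermitRootLogin) are sshd_config keyword literals, not Ansible booleans, and nothing in the file says so; the same auto-fix that rewrote `enabled: True` to `enabled: true` here would, if the quotes on those values were ever dropped, render them as `True`/`False` into sshd_config, which sshd is not expected to accept. A short comment above the list, such as `# value: must stay a quoted sshd_config literal ("yes"/"no"), never a YAML boolean; only enabled: is an Ansible bool`, would protect the next lint pass. The `validate: "/usr/sbin/sshd -T -f %s"` in tasks/rhel7stig/sshd.yml would presumably catch such a breakage at deploy time, but only by failing the role on the target host.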
@@ -65,7 +65,7 @@ stig_packages_rhel7: - openssh-server - screen state: "{{ security_package_state }}" - enabled: True + enabled: true - packages: - aide state: "{{ security_package_state }}" diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml index 8c53c17d..c41a6154 100644 --- a/vars/redhat-8.yml +++ b/vars/redhat-8.yml @@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf cron_service: crond ssh_service: sshd chrony_service: chronyd -clamav_service: 'clamd@scan' +clamav_service: "clamd@scan" # Clamav paparms clamav_service_details: @@ -64,7 +64,7 @@ stig_packages_rhel7: - openssh-clients - openssh-server state: "{{ security_package_state }}" - enabled: True + enabled: true - packages: - aide state: "{{ security_package_state }}" diff --git a/vars/redhat-9.yml b/vars/redhat-9.yml index 8c53c17d..c41a6154 100644 --- a/vars/redhat-9.yml +++ b/vars/redhat-9.yml @@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf cron_service: crond ssh_service: sshd chrony_service: chronyd -clamav_service: 'clamd@scan' +clamav_service: "clamd@scan" # Clamav paparms clamav_service_details: @@ -64,7 +64,7 @@ stig_packages_rhel7: - openssh-clients - openssh-server state: "{{ security_package_state }}" - enabled: True + enabled: true - packages: - aide state: "{{ security_package_state }}" diff --git a/vars/suse.yml b/vars/suse.yml index cb1b24b5..2f6ebb79 100644 --- a/vars/suse.yml +++ b/vars/suse.yml @@ -41,7 +41,7 @@ pkg_mgr_config: /etc/zypp/zypp.conf cron_service: crond ssh_service: sshd chrony_service: chronyd -clamav_service: 'clamd' +clamav_service: "clamd" # Commands grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" @@ -59,7 +59,7 @@ stig_packages_rhel7: - openssh - screen state: "{{ security_package_state }}" - enabled: True + enabled: true - packages: - aide state: "{{ security_package_state }}" diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index d5164665..552c3da5 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -1,3 +1,4 @@ +--- # Copyright 2017, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License");