Auto-fix yaml rules

In order to reduce divergence from ansible-lint rules, we apply
auto-fixing of violations.

In the current patch we replace all kinds of truthy values with
`true` or `false` to align with the recommendations, along with
aligning the quoting style.

Change-Id: I10eaed0d5f7b2a02379d9708da04ef26c31fba5e
This commit is contained in:
Dmitriy Rabotyagov 2025-02-13 07:46:41 +01:00
parent b46f4809c8
commit c774a1fb24
29 changed files with 371 additions and 369 deletions


@ -1,4 +1,4 @@
---
skip_list:
- '106'
- "106"

1
.gitignore vendored

@ -45,6 +45,7 @@ logs/*
# OS generated files #
######################
._*
.ansible
.tox
*.egg-info
.eggs


@ -39,7 +39,7 @@ security_package_state: present
# Set the following variable to `no` to prevent the EPEL repository from being
# installed by the role. This may prevent certain packages from installing,
# such as ClamAV.
security_epel_install_repository: yes
security_epel_install_repository: true
#
# Some deployers install a customized EPEL package that redirects servers to
# their internal EPEL mirrors. Provide the name of the EPEL repository package
@ -62,13 +62,13 @@ security_epel_release_package: epel-release
## Accounts (accounts)
# Set minimum password lifetime to 1 day for interactive accounts.
security_set_minimum_password_lifetime: no # V-71927
security_set_maximum_password_lifetime: no # V-71931
security_set_minimum_password_lifetime: false # V-71927
security_set_maximum_password_lifetime: false # V-71931
## AIDE (aide)
# Initialize the AIDE database immediately (may take time).
security_rhel7_initialize_aide: no # V-71973
security_rhel7_enable_aide: yes
security_rhel7_initialize_aide: false # V-71973
security_rhel7_enable_aide: true
# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
@ -86,189 +86,190 @@ security_aide_exclude_dirs:
# Encrypt audit records when they are transmitted over the network.
# security_audisp_enable_krb5: yes # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # V-72081
security_rhel7_audit_failure_flag: 1 # V-72081
# Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: >- # V-72089
{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091
security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user.
security_rhel7_auditd_action_mail_acct: root # V-72093
security_rhel7_auditd_action_mail_acct: root # V-72093
# Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: yes # V-72167
security_rhel7_audit_chage: yes # V-72155
security_rhel7_audit_chcon: yes # V-72139
security_rhel7_audit_chmod: no # V-72105
security_rhel7_audit_chown: no # V-72097
security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
security_rhel7_audit_crontab: yes # V-72183
security_rhel7_audit_delete_module: yes # V-72189
security_rhel7_audit_fchmod: no # V-72107
security_rhel7_audit_fchmodat: no # V-72109
security_rhel7_audit_fchown: no # V-72099
security_rhel7_audit_fchownat: no # V-72103
security_rhel7_audit_fremovexattr: no # V-72119
security_rhel7_audit_fsetxattr: no # V-72113
security_rhel7_audit_ftruncate: yes # V-72133
security_rhel7_audit_init_module: yes # V-72187
security_rhel7_audit_gpasswd: yes # V-72153
security_rhel7_audit_lchown: no # V-72101
security_rhel7_audit_lremovexattr: no # V-72121
security_rhel7_audit_lsetxattr: no # V-72115
security_rhel7_audit_mount: yes # V-72171
security_rhel7_audit_newgrp: yes # V-72165
security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
security_rhel7_audit_openat: yes # V-72127
security_rhel7_audit_open_by_handle_at: yes # V-72129
security_rhel7_audit_pam_timestamp_check: yes # V-72185
security_rhel7_audit_passwd: yes # V-72149
security_rhel7_audit_postdrop: yes # V-72175
security_rhel7_audit_postqueue: yes # V-72177
security_rhel7_audit_removexattr: no # V-72117
security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
security_rhel7_audit_renameat: yes # V-72201
security_rhel7_audit_restorecon: yes # V-72141
security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
security_rhel7_audit_semanage: yes # V-72135
security_rhel7_audit_setsebool: yes # V-72137
security_rhel7_audit_setxattr: no # V-72111
security_rhel7_audit_ssh_keysign: yes # V-72179
security_rhel7_audit_su: yes # V-72159
security_rhel7_audit_sudo: yes # V-72161
security_rhel7_audit_sudoedit: yes # V-72169
security_rhel7_audit_truncate: yes # V-72131
security_rhel7_audit_umount: yes # V-72173
security_rhel7_audit_unix_chkpwd: yes # V-72151
security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
security_rhel7_audit_unlinkat: yes # V-72207
security_rhel7_audit_userhelper: yes # V-72157
security_rhel7_audit_chsh: true # V-72167
security_rhel7_audit_chage: true # V-72155
security_rhel7_audit_chcon: true # V-72139
security_rhel7_audit_chmod: false # V-72105
security_rhel7_audit_chown: false # V-72097
security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
security_rhel7_audit_crontab: true # V-72183
security_rhel7_audit_delete_module: true # V-72189
security_rhel7_audit_fchmod: false # V-72107
security_rhel7_audit_fchmodat: false # V-72109
security_rhel7_audit_fchown: false # V-72099
security_rhel7_audit_fchownat: false # V-72103
security_rhel7_audit_fremovexattr: false # V-72119
security_rhel7_audit_fsetxattr: false # V-72113
security_rhel7_audit_ftruncate: true # V-72133
security_rhel7_audit_init_module: true # V-72187
security_rhel7_audit_gpasswd: true # V-72153
security_rhel7_audit_lchown: false # V-72101
security_rhel7_audit_lremovexattr: false # V-72121
security_rhel7_audit_lsetxattr: false # V-72115
security_rhel7_audit_mount: true # V-72171
security_rhel7_audit_newgrp: true # V-72165
security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
security_rhel7_audit_openat: true # V-72127
security_rhel7_audit_open_by_handle_at: true # V-72129
security_rhel7_audit_pam_timestamp_check: true # V-72185
security_rhel7_audit_passwd: true # V-72149
security_rhel7_audit_postdrop: true # V-72175
security_rhel7_audit_postqueue: true # V-72177
security_rhel7_audit_removexattr: false # V-72117
security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
security_rhel7_audit_renameat: true # V-72201
security_rhel7_audit_restorecon: true # V-72141
security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
security_rhel7_audit_semanage: true # V-72135
security_rhel7_audit_setsebool: true # V-72137
security_rhel7_audit_setxattr: false # V-72111
security_rhel7_audit_ssh_keysign: true # V-72179
security_rhel7_audit_su: true # V-72159
security_rhel7_audit_sudo: true # V-72161
security_rhel7_audit_sudoedit: true # V-72169
security_rhel7_audit_truncate: true # V-72131
security_rhel7_audit_umount: true # V-72173
security_rhel7_audit_unix_chkpwd: true # V-72151
security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
security_rhel7_audit_unlinkat: true # V-72207
security_rhel7_audit_userhelper: true # V-72157
# Add audit rules for other events.
security_rhel7_audit_account_access: yes # V-72143
security_rhel7_audit_sudo_config_changes: yes # V-72163
security_rhel7_audit_insmod: yes # V-72191
security_rhel7_audit_rmmod: yes # V-72193
security_rhel7_audit_modprobe: yes # V-72195
security_rhel7_audit_account_actions: yes # V-72197
security_rhel7_audit_account_access: true # V-72143
security_rhel7_audit_sudo_config_changes: true # V-72163
security_rhel7_audit_insmod: true # V-72191
security_rhel7_audit_rmmod: true # V-72193
security_rhel7_audit_modprobe: true # V-72195
security_rhel7_audit_account_actions: true # V-72197
## Authentication (auth)
# Check if sudoers has the NOPASSWD rule enabled
security_sudoers_nopasswd_check_enable: yes
security_sudoers_nopasswd_check_enable: true
# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: yes # V-71937
security_disallow_blank_password_login: true # V-71937
# Apply password quality rules.
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
# the password quality rules. Each rule can be disabled with a value of 'no'.
security_pwquality_apply_rules: no
security_pwquality_require_uppercase: yes # V-71903
security_pwquality_require_lowercase: yes # V-71905
security_pwquality_require_numeric: yes # V-71907
security_pwquality_require_special: yes # V-71909
security_pwquality_require_characters_changed: yes # V-71911
security_pwquality_require_character_classes_changed: yes # V-71913
security_pwquality_limit_repeated_characters: yes # V-71915
security_pwquality_limit_repeated_character_classes: yes # V-71917
security_pwquality_require_minimum_password_length: no # V-71935
security_pwquality_apply_rules: false
security_pwquality_require_uppercase: true # V-71903
security_pwquality_require_lowercase: true # V-71905
security_pwquality_require_numeric: true # V-71907
security_pwquality_require_special: true # V-71909
security_pwquality_require_characters_changed: true # V-71911
security_pwquality_require_character_classes_changed: true # V-71913
security_pwquality_limit_repeated_characters: true # V-71915
security_pwquality_limit_repeated_character_classes: true # V-71917
security_pwquality_require_minimum_password_length: false # V-71935
# Use pwquality when passwords are changed or established.
security_enable_pwquality_password_set: no # V-73159
security_enable_pwquality_password_set: false # V-73159
# Ensure passwords are stored using SHA512.
security_password_encrypt_method: SHA512 # V-71921
security_password_encrypt_method: SHA512 # V-71921
# Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: yes # V-71923
security_libuser_crypt_style_sha512: true # V-71923
# Set a minimum/maximum lifetime limit for user passwords.
# security_password_min_lifetime_days: 1 # V-71925
# security_password_max_lifetime_days: 60 # V-71929
# Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4 # V-71951
security_shadow_utils_fail_delay: 4 # V-71951
# Set a umask for all authenticated users.
# security_shadow_utils_umask: '077' # V-71995
# Create home directories for new users by default.
security_shadow_utils_create_home: yes # V-72013
security_shadow_utils_create_home: true # V-72013
# How many old user password to remember to prevent password re-use.
# security_password_remember_password: 5 # V-71933
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: no # V-71941
security_disable_account_if_password_expires: false # V-71941
# Lock user accounts with excessive login failures. See documentation.
security_pam_faillock_enable: no # V-71945 / V-71943 / RHEL-07-010373
security_pam_faillock_enable: false # V-71945 / V-71943 / RHEL-07-010373
security_pam_faillock_interval: 900
security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: yes # RHEL-07-010373
security_pam_faillock_unlock_time: 604800 # V-71943
security_pam_faillock_deny_root: true # RHEL-07-010373
security_pam_faillock_unlock_time: 604800 # V-71943
# Limit the number of concurrent connections per account.
# security_rhel7_concurrent_session_limit: 10 # V-72217
# Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: no # V-72277
security_rhel7_remove_shosts_files: false # V-72277
# Exclude these directories from the shosts files find
security_rhel7_remove_shosts_exclude_dirs:
- '/sys'
- '/proc'
- '/dev'
- "/sys"
- "/proc"
- "/dev"
## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: no # V-71849
security_reset_perm_ownership: false # V-71849
# Search for files/directories owned by invalid users or groups.
security_search_for_invalid_owner: no # V-72007
security_search_for_invalid_group_owner: no # V-72009
security_search_for_invalid_owner: false # V-72007
security_search_for_invalid_group_owner: false # V-72009
# Set user/group owners on each home directory and set mode to 0750.
security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
security_set_home_directory_permissions_and_owners: false # V-72017 / V-72019 / V-72021
# Find all world-writable directories and display them.
security_find_world_writable_dirs: no # V-72047
security_find_world_writable_dirs: false # V-72047
## Graphical interfaces (graphical)
# Disable automatic gdm logins
security_disable_gdm_automatic_login: yes # V-71953
security_disable_gdm_automatic_login: true # V-71953
# Disable timed gdm logins for guests
security_disable_gdm_timed_login: yes # V-71955
security_disable_gdm_timed_login: true # V-71955
# Enable session locking for graphical logins.
security_lock_session: no # V-71891
security_lock_session: false # V-71891
# Set a timer (in seconds) when an inactive session is locked.
security_lock_session_inactive_delay: 900 # V-71893
security_lock_session_inactive_delay: 900 # V-71893
# Prevent users from modifying session lock settings.
security_lock_session_override_user: yes # RHEL-07-010071
security_lock_session_override_user: true # RHEL-07-010071
# Lock a session (start screensaver) when a session is inactive.
security_lock_session_when_inactive: yes # V-71893
security_lock_session_when_inactive: true # V-71893
# Time after screensaver starts when user login is required.
security_lock_session_screensaver_lock_delay: 5 # V-71901
security_lock_session_screensaver_lock_delay: 5 # V-71901
# Enable a login banner and set the text for the banner.
security_enable_graphical_login_message: yes # V-71859
security_enable_graphical_login_message: true # V-71859
security_enable_graphical_login_message_text: >
You are accessing a secured system and your actions will be logged along
with identifying information. Disconnect immediately if you are not an
authorized user of this system.
You are accessing a secured system and your actions will be logged along
with identifying information. Disconnect immediately if you are not an
authorized user of this system.
## Linux Security Module (lsm)
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
security_rhel7_enable_linux_security_module: yes # V-71989 / V-71991
security_rhel7_enable_linux_security_module: true # V-71989 / V-71991
## Miscellaneous (misc)
# Disable the autofs service.
security_rhel7_disable_autofs: yes # V-71985
security_rhel7_disable_autofs: true # V-71985
# Enable virus scanning with clamav
security_enable_virus_scanner: no # V-72213
security_enable_virus_scanner: false # V-72213
# Run the virus scanner update during the deployment (if scanner is deployed)
security_run_virus_scanner_update: yes
security_run_virus_scanner_update: true
# Disable ctrl-alt-delete key sequence on the console.
security_rhel7_disable_ctrl_alt_delete: yes # V-71993
security_rhel7_disable_ctrl_alt_delete: true # V-71993
# Install and enable firewalld for iptables management.
security_enable_firewalld: no # V-72273
security_enable_firewalld: false # V-72273
# Rate limit TCP connections to 25/min and burstable to 100.
security_enable_firewalld_rate_limit: no # V-72271
security_enable_firewalld_rate_limit: false # V-72271
security_enable_firewalld_rate_limit_per_minute: 25
security_enable_firewalld_rate_limit_burst: 100
# Update the grub configuration.
security_enable_grub_update: yes
security_enable_grub_update: true
# Require authentication in GRUB to boot into single-user or maintenance modes.
security_require_grub_authentication: no # V-71961 / V-71963
security_require_grub_authentication: false # V-71961 / V-71963
# The default password for grub authentication is 'secrete'.
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
security_grub_password_hash:
grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
# Set session timeout.
security_rhel7_session_timeout: 600 # V-72223
security_rhel7_session_timeout: 600 # V-72223
# Enable chrony for NTP time synchronization.
security_rhel7_enable_chrony: yes # V-72269
security_rhel7_enable_chrony: true # V-72269
# Use the following NTP servers.
security_ntp_servers:
- 0.pool.ntp.org
@ -286,9 +287,9 @@ security_allowed_ntp_subnets:
- 192.168/16
- 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: yes
security_ntp_bind_local_interfaces_only: true
# Restrict mail relaying.
security_rhel7_restrict_mail_relaying: yes # V-72297
security_rhel7_restrict_mail_relaying: true # V-72297
# Deploy a login banner. # V-72225 / V-71863
security_login_banner_text: |
------------------------------------------------------------------------------
@ -302,90 +303,90 @@ security_login_banner_text: |
## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
# to 'no' to skip their removal.
security_rhel7_remove_rsh_server: yes # V-71967
security_rhel7_remove_telnet_server: yes # V-72077
security_rhel7_remove_tftp_server: yes # V-72301
security_rhel7_remove_xorg: yes # V-72307
security_rhel7_remove_ypserv: yes # V-71969
security_rhel7_remove_rsh_server: true # V-71967
security_rhel7_remove_telnet_server: true # V-72077
security_rhel7_remove_tftp_server: true # V-72301
security_rhel7_remove_xorg: true # V-72307
security_rhel7_remove_ypserv: true # V-71969
# Automatically remove dependencies when removing packages.
security_package_clean_on_remove: no # V-71987
security_package_clean_on_remove: false # V-71987
# Automatically update packages.
security_rhel7_automatic_package_updates: no # V-71999
security_rhel7_automatic_package_updates: false # V-71999
# Install packages for multi-factor authentication.
security_install_multifactor_auth_packages: yes # V-72417
security_check_package_checksums: no # V-71855
security_install_multifactor_auth_packages: true # V-72417
security_check_package_checksums: false # V-71855
## RPM (rpm)
# Enable GPG checks for packages and repository data.
security_enable_gpgcheck_packages: yes # V-71977
security_enable_gpgcheck_packages_local: yes # V-71979
security_enable_gpgcheck_repo: no # V-71981
security_enable_gpgcheck_packages: true # V-71977
security_enable_gpgcheck_packages_local: true # V-71979
security_enable_gpgcheck_repo: false # V-71981
## ssh server (sshd)
# Ensure sshd is running and enabled at boot time.
security_enable_sshd: yes # V-72235
security_enable_sshd: true # V-72235
# Disallow logins from users with empty/null passwords.
security_sshd_disallow_empty_password: yes # V-71939 / RHEL-07-010440
security_sshd_disallow_empty_password: true # V-71939 / RHEL-07-010440
# Disallow users from overriding the ssh environment variables.
security_sshd_disallow_environment_override: yes # V-71957
security_sshd_disallow_environment_override: true # V-71957
# Disallow host based authentication.
security_sshd_disallow_host_based_auth: yes # V-71959
security_sshd_disallow_host_based_auth: true # V-71959
# Set a list of allowed ssh ciphers.
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
security_sshd_cipher_list: "aes128-ctr,aes192-ctr,aes256-ctr" # V-72221
# Specify a text file to be displayed as the banner/MOTD for all sessions.
security_sshd_banner_file: /etc/motd # V-71861 / V-72225
security_sshd_banner_file: /etc/motd # V-71861 / V-72225
# Disable dynamic MOTD banner that is provided by /run/motd.dynamic
security_sshd_dynamic_banner_disable: True
security_sshd_dynamic_banner_disable: true
# Set the interval for max session length and the number of intervals to allow.
security_sshd_client_alive_interval: 600 # V-72237
security_sshd_client_alive_count_max: 0 # V-72241
security_sshd_client_alive_interval: 600 # V-72237
security_sshd_client_alive_count_max: 0 # V-72241
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: yes # V-72245
security_sshd_print_last_log: true # V-72245
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
security_sshd_permit_root_login: no # V-72247
security_sshd_permit_root_login: false # V-72247
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
security_sshd_disallow_known_hosts_auth: true # V-72249 / V-72239
# Disallow rhosts authentication.
security_sshd_disallow_rhosts_auth: yes # V-72243
security_sshd_disallow_rhosts_auth: true # V-72243
# Enable X11 forwarding.
security_sshd_enable_x11_forwarding: yes # V-72303
security_sshd_enable_x11_forwarding: true # V-72303
# Set the allowed ssh protocols.
security_sshd_protocol: 2 # V-72251
security_sshd_protocol: 2 # V-72251
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # V-72253
security_sshd_allowed_macs: "hmac-sha2-256,hmac-sha2-512" # V-72253
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
security_sshd_disallow_gssapi: yes # V-72259
security_sshd_disallow_gssapi: true # V-72259
# Disallow compression or delay after login.
security_sshd_compression: 'delayed' # V-72267
security_sshd_compression: "delayed" # V-72267
# Require privilege separation at every opportunity.
security_sshd_enable_privilege_separation: no # V-72265
security_sshd_enable_privilege_separation: false # V-72265
# Require strict mode checking of home directory configuration files.
security_sshd_enable_strict_modes: yes # V-72263
security_sshd_enable_strict_modes: true # V-72263
# Disallow Kerberos authentication.
security_sshd_disable_kerberos_auth: yes # V-72261
security_sshd_disable_kerberos_auth: true # V-72261
# Disallow GSSAPI authentication.
security_sshd_disable_gssapi_auth: yes # V-204598
security_sshd_disable_gssapi_auth: true # V-204598
## Kernel settings (kernel)
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
# immediately and by default on new interfaces.
security_disallow_source_routed_packet_forward_ipv4: yes # V-72283 / V-72285
security_disallow_source_routed_packet_forward_ipv6: yes # V-72319
security_disallow_source_routed_packet_forward_ipv4: true # V-72283 / V-72285
security_disallow_source_routed_packet_forward_ipv6: true # V-72319
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
security_disallow_echoes_broadcast_address: yes # V-72287
security_disallow_echoes_broadcast_address: true # V-72287
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
# new interfaces.
security_disallow_icmp_redirects: yes # V-73175 / V-72289 / V-72291 / V-72293
security_disallow_icmp_redirects: true # V-73175 / V-72289 / V-72291 / V-72293
# Disallow IP forwarding.
security_disallow_ip_forwarding: no # V-72309
security_disallow_ip_forwarding: false # V-72309
# Disable USB storage support.
security_rhel7_disable_usb_storage: yes # V-71983
security_rhel7_disable_usb_storage: true # V-71983
# Disable kdump.
security_disable_kdump: yes # V-72057
security_disable_kdump: true # V-72057
# Disable Datagram Congestion Control Protocol (DCCP).
security_rhel7_disable_dccp: yes # V-77821
security_rhel7_disable_dccp: true # V-77821
# Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: yes # V-77825
security_enable_aslr: true # V-77825
###############################################################################
# ____ _ _ _
@ -405,12 +406,12 @@ security_enable_aslr: yes # V-77825
###############################################################################
# To enable the contrib tasks, set this variable to 'yes'.
security_contrib_enabled: no
security_contrib_enabled: false
# Disable IPv6.
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
# DANGER: SYSTEM. This will cause downtime for any services that depend on
# DANGER: IPv6 network connectivity.
security_contrib_disable_ipv6: no # C-00001
security_contrib_disable_ipv6: false # C-00001
security_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"
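Review bot: `security_sshd_permit_root_login` (formerly `no`, now `false`) is documented on the line above it as taking the sshd_config string values 'yes', 'no', 'without-password', 'prohibit-password' and 'forced-commands-only', yet its default is now a YAML boolean; unless the sshd template maps booleans back to `yes`/`no` (not visible here), a rendered `PermitRootLogin False` is rejected by sshd and the daemon fails to reload. Either keep the default as a quoted string, `security_sshd_permit_root_login: "no" # V-72247`, so it matches the other documented values, or extend the comment to state that a boolean is accepted as well. Relatedly, the architecture-conditional audit switches (`creat`, `open`, `rename`, `rmdir`, `unlink`) still evaluate to the strings 'no'/'yes' via `ternary('no', 'yes')` while every sibling now uses a real boolean; `ternary(false, true)` would keep the file uniform, assuming the consumers already pass these values through `| bool`. The default `security_grub_password_hash` corresponds to the published password 'secrete', so deployers who enable `security_require_grub_authentication` must override it; a comment saying so explicitly, e.g. `# Override this hash before enabling GRUB authentication; the default is public.`, would help.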


@ -1,7 +1,7 @@
---
- name: Gather security hardening facts
hosts: "{{ security_host_group|default('hosts') }}"
gather_facts: True
gather_facts: true
tags:
- always


@ -32,7 +32,7 @@
- name: Check for check/audit mode
command: /bin/true
register: noop_result
changed_when: False
changed_when: false
tags:
- always


@ -16,7 +16,7 @@
- name: Check if /etc/security/pwquality.conf exists
stat:
path: /etc/security/pwquality.conf
check_mode: no
check_mode: false
register: pwquality_config_check
tags:
- always
@ -24,7 +24,7 @@
- name: Set password quality requirements
blockinfile:
dest: /etc/security/pwquality.conf
backup: yes
backup: true
insertbefore: EOF
marker: "# {mark} Added by ansible-hardening role"
state: present
@ -47,8 +47,8 @@
- name: Check for SHA512 password storage in PAM
command: "grep pam_unix.so {{ pam_password_file }}"
register: password_sha512_check
changed_when: False
check_mode: no
changed_when: false
check_mode: false
tags:
- always
@ -70,7 +70,7 @@
section: defaults
option: crypt_style
value: sha512
backup: yes
backup: true
mode: "0644"
when:
- security_libuser_crypt_style_sha512 | bool
@ -117,9 +117,9 @@
- name: Ensure that users cannot reuse one of their last 5 passwords
lineinfile:
dest: "{{ pam_password_file }}"
regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
line: '\1 remember={{ security_password_remember_password }}'
backrefs: yes
regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$"
line: "\\1 remember={{ security_password_remember_password }}"
backrefs: true
state: present
when:
- security_password_remember_password is defined
@ -131,8 +131,8 @@
- name: Ensure accounts are disabled if the password expires
lineinfile:
dest: /etc/default/useradd
regexp: '^[#\s]*INACTIVE'
line: 'INACTIVE=0'
regexp: "^[#\\s]*INACTIVE"
line: "INACTIVE=0"
when:
- security_disable_account_if_password_expires | bool
tags:
@ -175,8 +175,8 @@
- name: Get all accounts with UID 0
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
changed_when: False
check_mode: no
changed_when: false
check_mode: false
register: root_user_check
tags:
- accounts
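Review bot: The regexps and backreference lines in this file were converted from single-quoted to double-quoted YAML, which forces every backslash to be doubled (`\\s`, `\\[`, `\\d`, `\\1`) and makes the patterns harder to read and to check against the PAM line they must match; the resulting strings are equivalent, but single quotes are the conventional style for regex values in Ansible, e.g. `regexp: '^[#\s]*INACTIVE'` and `line: '\1 remember={{ security_password_remember_password }}'`. If the linter's quote rule is the driver, configuring it to require quotes only when needed avoids rewriting escapes. The name of the `remember=` task still says "last 5 passwords" while the value comes from `security_password_remember_password`; `Ensure that users cannot reuse their last {{ security_password_remember_password }} passwords` would keep the task output honest.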


@ -17,7 +17,7 @@
stat:
path: "{{ item }}"
register: aide_conf
check_mode: no
check_mode: false
with_items:
- /etc/aide/aide.conf.d
- /etc/aide.conf
@ -71,10 +71,10 @@
- name: Configure AIDE to verify additional properties (SUSE)
lineinfile:
dest: "/etc/aide.conf"
regexp: '(^Binlib.*= )'
line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
regexp: "(^Binlib.*= )"
line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs"
state: present
backrefs: yes
backrefs: true
when:
- aide_conf.results[1].stat.exists | bool
- ansible_facts['pkg_mgr'] == 'zypper'
@ -89,7 +89,7 @@
stat:
path: "{{ aide_database_file }}"
register: aide_database
check_mode: no
check_mode: false
tags:
- always


@ -21,8 +21,8 @@
- name: Gather debsums report
shell: "debsums > {{ temp_dir }}/debsums.txt"
changed_when: False
failed_when: False
changed_when: false
failed_when: false
when:
- security_check_package_checksums | bool
- not check_mode | bool
@ -30,7 +30,7 @@
- name: V-71855 - Get files with invalid checksums (apt)
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
changed_when: false
when:
- security_check_package_checksums | bool
- not check_mode | bool
@ -70,9 +70,9 @@
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
register: gpgcheck_result
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
- name: V-71977 - Package management tool must verify authenticity of packages
debug:
@ -102,7 +102,7 @@
regexp: "^(#)?APT::Get::AutomaticRemove"
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
state: present
create: yes
create: true
mode: "0644"
when:
- security_package_clean_on_remove | bool


@ -17,8 +17,8 @@
# lookup one time and then grep over the output in subsequent tasks.
- name: Verify all installed RPM packages
shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" # noqa: command-instead-of-module
failed_when: False
changed_when: False
failed_when: false
changed_when: false
register: rpmverify_task
async: 3600
poll: 0
@ -31,7 +31,6 @@
- V-71855
- skip_ansible_lint
- name: Locate top level directories to check for .shosts
find:
paths: /
@ -49,10 +48,10 @@
- name: Check for .shosts or shosts.equiv files
find:
paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
recurse: yes
hidden: yes
patterns: '.shosts,shosts.equiv'
changed_when: False
recurse: true
hidden: true
patterns: ".shosts,shosts.equiv"
changed_when: false
register: shosts_find
async: 300
poll: 0


@ -17,7 +17,7 @@
stat:
path: /etc/audit/auditd.conf
register: auditd_conf
check_mode: no
check_mode: false
tags:
- always
@ -25,7 +25,7 @@
stat:
path: /etc/audisp/audisp-remote.conf
register: audisp_remote_conf
check_mode: no
check_mode: false
tags:
- always
@ -62,7 +62,7 @@
- name: Get valid system architectures for audit rules
set_fact:
auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
check_mode: no
check_mode: false
tags:
- always
@ -157,7 +157,7 @@
- name: Adjust auditd/audispd configurations
lineinfile:
dest: "{{ item.config }}"
regexp: '^#?{{ item.parameter }}\s*='
regexp: "^#?{{ item.parameter }}\\s*="
line: "{{ item.parameter }} = {{ item.value }}"
with_items: "{{ auditd_config }}"
when:
@ -177,7 +177,7 @@
service:
name: auditd
state: started
enabled: yes
enabled: true
when:
- auditd_conf.stat.exists
tags:


@ -18,10 +18,10 @@
- name: Set pam_faildelay configuration on Ubuntu
lineinfile:
dest: /etc/pam.d/login
regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}'
regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$"
line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}"
state: present
backrefs: yes
backrefs: true
when:
- security_shadow_utils_fail_delay is defined
- ansible_facts['os_family'] | lower == 'debian'
@ -35,9 +35,9 @@
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
line: "\\1\\2"
backup: true
backrefs: true
when:
- ansible_facts['os_family'] == 'Debian'
- security_disallow_blank_password_login | bool
@ -51,9 +51,9 @@
dest: "{{ item[1] }}"
state: present
regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
line: "\\1\\2"
backup: true
backrefs: true
loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
when:
- ansible_facts['os_family'] == 'RedHat'
@ -68,9 +68,9 @@
dest: "{{ item }}"
state: present
regexp: "^(.*required.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
line: "\\1\\2"
backup: true
backrefs: true
with_items:
- "{{ pam_auth_file }}"
- "{{ pam_password_file }}"
@ -108,7 +108,7 @@
- name: Check for 'nopasswd' in sudoers files
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
register: sudoers_nopasswd_check
changed_when: False
changed_when: false
when:
- security_sudoers_nopasswd_check_enable | bool
tags:
@ -134,7 +134,7 @@
- name: Check for '!authenticate' in sudoers files
shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
register: sudoers_authenticate_check
changed_when: False
changed_when: false
tags:
- auth
- medium
@ -159,7 +159,7 @@
stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_check
check_mode: no
check_mode: false
tags:
- always
@ -169,7 +169,7 @@
stat:
path: "{{ grub_custom_file }}"
register: grub_custom_file_check
check_mode: no
check_mode: false
tags:
- always
@ -189,10 +189,10 @@
- name: Set CLASS for grub file
lineinfile:
path: "{{ grub_linux_file }}"
regexp: '^CLASS=.*'
regexp: "^CLASS=.*"
line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
state: present
backrefs: yes
backrefs: true
notify:
- Update grub config
when:
@ -207,7 +207,7 @@
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes
create: true
mode: "0644"
block: |
# Deployed by the ansible-hardening role
@ -223,9 +223,9 @@
- name: Check for pam_lastlog in PAM configuration
command: "grep pam_lastlog {{ pam_postlogin_file }}"
register: pam_lastlog_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- always
@ -244,8 +244,8 @@
- name: Ensure .shosts find has finished
async_status:
jid: "{{ shosts_find.ansible_job_id }}"
failed_when: False
changed_when: False
failed_when: false
changed_when: false
register: job_result
until: job_result.finished
retries: 60
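Review bot: The rewritten regexp on the `Set pam_faildelay configuration on Ubuntu` task keeps a one-character class `[\\s]` and an unescaped `.` in `pam_faildelay.so`; since the line is being rewritten anyway, `regexp: "^(auth\\s+optional\\s+pam_faildelay\\.so).*$"` is the tighter form. This is a readability point rather than a defect, as `.` also matches the literal dot and `[\\s]` is equivalent to `\\s`. The same doubled-backslash conversion in the later hunks of this file (`line: "\\1\\2"`) is correct and needs no change.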


@ -19,7 +19,7 @@
- name: Check if /etc/dnf/automatic.conf exists
stat:
path: /etc/dnf/automatic.conf
check_mode: no
check_mode: false
register: dnf_automatic_config_check
when:
- ansible_facts['os_family'] | lower == 'redhat'
@ -49,8 +49,8 @@
- name: Check to see which dnf automatic timers are available
shell: "rpm -ql dnf-automatic | grep timer || true" # noqa: command-instead-of-module
register: dnf_automatic_timers
check_mode: no
changed_when: False
check_mode: false
changed_when: false
when:
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
@ -79,7 +79,7 @@
- name: Enable dnf automatic timer for automatic package updates
systemd:
name: "{{ dnf_automatic_timer }}"
enabled: yes
enabled: true
state: started
when:
- ansible_facts['os_family'] | lower == 'redhat'


@ -16,7 +16,7 @@
- name: V-71849 - Get packages with incorrect file permissions or ownership
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
register: rpmverify_package_list
changed_when: False
changed_when: false
when:
- not check_mode | bool
- ansible_facts['pkg_mgr'] == 'dnf'
@ -30,7 +30,7 @@
shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" # noqa: command-instead-of-shell command-instead-of-module risky-shell-pipe
changed_when: false
with_nested:
- ['--setperms', '--setugids']
- ["--setperms", "--setugids"]
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
when:
- not check_mode | bool
@ -113,9 +113,9 @@
- name: Find all world-writable directories
shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe
register: world_writable_dirs
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
when:
- security_find_world_writable_dirs | bool
tags:


@ -17,7 +17,7 @@
stat:
path: /etc/gdm/custom.conf
register: gdm_conf_check
check_mode: no
check_mode: false
- name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
lineinfile:


@ -17,7 +17,7 @@
lineinfile:
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
line: install usb-storage /bin/true
create: yes
create: true
mode: "0644"
when:
- security_rhel7_disable_usb_storage | bool
@ -32,7 +32,7 @@
value: "{{ item.value }}"
state: "{{ item.enabled | ternary('present', 'absent') }}"
sysctl_file: "{{ security_sysctl_file }}"
reload: yes
reload: true
when:
- item.enabled | bool
with_items: "{{ sysctl_settings_rhel7 }}"
@ -54,8 +54,8 @@
command: systemctl status kdump # noqa: command-instead-of-module
register: kdump_service_check
failed_when: kdump_service_check.rc not in [0,3,4]
changed_when: False
check_mode: no
changed_when: false
check_mode: false
tags:
- kernel
- medium
@ -65,7 +65,7 @@
service:
name: kdump
state: stopped
enabled: no
enabled: false
when:
- kdump_service_check.rc not in [3,4]
- security_disable_kdump
@ -77,9 +77,9 @@
- name: Check if FIPS is enabled
command: cat /proc/sys/crypto/fips_enabled
register: fips_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
when:
- ansible_facts['pkg_mgr'] == 'dnf'
tags:


@ -16,7 +16,7 @@
- name: Check apparmor_status output
command: apparmor_status
register: apparmor_status_output
check_mode: no
check_mode: false
changed_when: false
failed_when: false
when:
@ -34,7 +34,7 @@
- name: Check if apparmor is running
command: "systemctl status apparmor" # noqa: command-instead-of-module
register: systemctl_apparmor_status
check_mode: no
check_mode: false
changed_when: false
failed_when: false
when:
@ -47,7 +47,7 @@
- name: Ensure AppArmor is enabled at boot time
service:
name: apparmor
enabled: yes
enabled: true
when:
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
@ -111,8 +111,8 @@
- name: Check for unlabeled device files
command: "find /dev -context '*unlabeled_t*'"
register: unlabeled_devices
changed_when: False
check_mode: no
changed_when: false
check_mode: false
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['selinux']['status'] == 'enabled'


@ -26,7 +26,7 @@
- name: Set a fact for the temporary directory
set_fact:
temp_dir: "{{ mktemp_result.path }}"
changed_when: False
changed_when: false
when:
- not check_mode | bool
tags:
@ -41,7 +41,7 @@
get_users:
min_uid: 0
register: hardening_user_list
check_mode: no
check_mode: false
tags:
- always
@ -49,7 +49,7 @@
get_users:
min_uid: "{{ security_interactive_user_minimum_uid }}"
register: interactive_user_list
check_mode: no
check_mode: false
tags:
- always
@ -108,7 +108,7 @@
file:
path: "{{ temp_dir }}"
state: absent
changed_when: False
changed_when: false
when:
- not check_mode | bool
tags:


@ -17,8 +17,8 @@
command: systemctl status autofs # noqa: command-instead-of-module
register: autofs_check
failed_when: autofs_check.rc not in [0,3,4]
changed_when: False
check_mode: no
changed_when: false
check_mode: false
tags:
- always
@ -26,7 +26,7 @@
service:
name: autofs
state: stopped
enabled: no
enabled: false
when:
- autofs_check.rc not in [3,4]
- security_rhel7_disable_autofs | bool
@ -41,7 +41,7 @@
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
systemd:
name: ctrl-alt-del.target
enabled: no
enabled: false
when:
- security_rhel7_disable_ctrl_alt_delete | bool
tags:
@ -52,8 +52,8 @@
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
systemd:
name: ctrl-alt-del.target
masked: yes
daemon_reload: yes
masked: true
daemon_reload: true
when:
- security_rhel7_disable_ctrl_alt_delete | bool
tags:
@ -112,9 +112,9 @@
- name: Check if syslog output is being sent to another server
command: 'grep "^[^#].*@" /etc/rsyslog.conf'
register: rsyslog_transmit_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- always
@ -133,7 +133,7 @@
stat:
path: /usr/bin/clamdscan
register: clamav_install_check
changed_when: False
changed_when: false
tags:
- always
@ -160,7 +160,7 @@
dest: /etc/clamd.d/scan.conf
regexp: "^(#)?LocalSocket (.*)$"
line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
backrefs: yes
backrefs: true
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
@ -205,15 +205,15 @@
- name: Check if ClamAV update process is already running
shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
register: freshclam_proc
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- always
- name: Update ClamAV database
command: freshclam
changed_when: False
changed_when: false
when:
- freshclam_proc.rc != 0
- clamav_install_check.stat.exists
@ -229,7 +229,7 @@
service:
name: "{{ clamav_service }}"
state: started
enabled: yes
enabled: true
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
@ -273,7 +273,7 @@
service:
name: "{{ chrony_service }}"
state: started
enabled: yes
enabled: true
when:
- not check_mode
- security_rhel7_enable_chrony | bool
@ -309,8 +309,8 @@
command: systemctl status firewalld # noqa: command-instead-of-module
register: firewalld_status_check
failed_when: firewalld_status_check.rc not in [0,3,4]
changed_when: False
check_mode: no
changed_when: false
check_mode: false
tags:
- always
@ -318,7 +318,7 @@
service:
name: firewalld
state: started
enabled: yes
enabled: true
when:
- firewalld_status_check.rc not in [3,4]
- security_enable_firewalld | bool
@ -346,9 +346,9 @@
- name: Count nameserver entries in /etc/resolv.conf
command: grep ^nameserver /etc/resolv.conf
register: nameserver_check
check_mode: no
changed_when: False
failed_when: False
check_mode: false
changed_when: false
failed_when: false
tags:
- always
- skip_ansible_lint
@ -369,9 +369,9 @@
- name: Check for interfaces in promiscuous mode
shell: "set -o pipefail; ip link | grep -i promisc"
register: promiscuous_interface_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- always
@ -397,8 +397,8 @@
- name: V-72297 - Prevent unrestricted mail relaying
lineinfile:
dest: /etc/postfix/main.cf
regexp: '^smtpd_client_restrictions'
line: 'smtpd_client_restrictions = permit_mynetworks, reject'
regexp: "^smtpd_client_restrictions"
line: "smtpd_client_restrictions = permit_mynetworks, reject"
when:
- postfix_conf_check.stat.exists
- security_rhel7_restrict_mail_relaying | bool
@ -411,16 +411,16 @@
stat:
path: /etc/xinetd.d/tftp
register: tftp_config_check
check_mode: no
check_mode: false
tags:
- always
- name: Check TFTP configuration mode
command: 'grep server_args /etc/xinetd.d/tftp'
command: "grep server_args /etc/xinetd.d/tftp"
register: tftp_secure_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
when:
- tftp_config_check.stat.exists
tags:
@ -440,9 +440,9 @@
- name: Check to see if snmpd config contains public/private
command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
register: snmp_public_private_check
changed_when: False
failed_when: False
check_mode: no
changed_when: false
failed_when: false
check_mode: false
tags:
- always


@ -16,8 +16,8 @@
- name: Ensure RPM verification task has finished
async_status:
jid: "{{ rpmverify_task.ansible_job_id }}"
failed_when: False
changed_when: False
failed_when: false
changed_when: false
register: job_result
until: job_result.finished
retries: 360
@ -32,7 +32,7 @@
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
changed_when: false
when:
- security_check_package_checksums | bool
- not check_mode | bool


@ -30,8 +30,8 @@
lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
validate: '/usr/sbin/sshd -T -f %s'
regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"
validate: "/usr/sbin/sshd -T -f %s"
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
notify:
- Restart ssh
@ -64,7 +64,7 @@
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: "BOF"
validate: '/usr/sbin/sshd -T -f %s'
validate: "/usr/sbin/sshd -T -f %s"
block: |-
{% set options = sshd_settings_rhel7 | selectattr('enabled') %}
{% for option in options %}
@ -99,7 +99,7 @@
- name: Ensure sshd is enabled at boot time
service:
name: "{{ ssh_service }}"
enabled: yes
enabled: true
when:
- security_enable_sshd | bool
tags:
@ -113,7 +113,7 @@
# The shell command will always report 'changed' so we need to
# ignore that since this role is supposed to be idempotent.
changed_when: false
check_mode: no
check_mode: false
tags:
- always
@ -134,7 +134,7 @@
# The shell command will always report 'changed' so we need to
# ignore that since this role is supposed to be idempotent
changed_when: false
check_mode: no
check_mode: false
tags:
- always
@ -152,6 +152,6 @@
- name: Manage motd in pam.d
replace:
path: /etc/pam.d/sshd
regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$"
replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
when: security_sshd_dynamic_banner_disable | bool
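Review bot: In the rewritten `regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"` the option value is interpolated into the pattern unescaped, and for entries such as Ciphers and MACs that value comes straight from deployer variables (`security_sshd_cipher_list`, `security_sshd_allowed_macs`) which may contain regex metacharacters such as `.` or `+`. Passing the value through `regex_escape` keeps the lookahead a literal comparison: `regexp: "^{{ item.name }}\\s+(?!{{ item.value | regex_escape }})"`. The lineinfile task this line belongs to starts before the hunk, and the full list of sshd_settings_rhel7 values lives in vars, so I cannot confirm every value from here; worth checking the rendered pattern for the PermitRootLogin entry in particular, whose value is a multi-line Jinja expression.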


@ -19,7 +19,7 @@
- name: Check if /etc/yum/yum-cron.conf exists
stat:
path: /etc/yum/yum-cron.conf
check_mode: no
check_mode: false
register: yum_cron_config_check
when:
- ansible_facts['os_family'] | lower == 'redhat'


@ -17,8 +17,8 @@
- name: Ensure RPM verification task has finished
async_status:
jid: "{{ rpmverify_task.ansible_job_id }}"
failed_when: False
changed_when: False
failed_when: false
changed_when: false
register: job_result
until: job_result.finished
retries: 360
@ -33,7 +33,7 @@
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
changed_when: false
when:
- security_check_package_checksums | bool
- not check_mode | bool
@ -70,7 +70,7 @@
- name: V-71977 - Require digital signatures for all packages and repositories
lineinfile:
dest: "{{ item }}"
regexp: '^(#)?\s*gpgcheck'
regexp: "^(#)?\\s*gpgcheck"
line: "gpgcheck=1"
state: present
with_items:
@ -86,8 +86,8 @@
- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
lineinfile:
dest: "{{ pkg_mgr_config }}"
regexp: '^(#)?\s*solver\.cleandepsOnRemove'
line: 'solver.cleandepsOnRemove = true'
regexp: "^(#)?\\s*solver\\.cleandepsOnRemove"
line: "solver.cleandepsOnRemove = true"
state: present
when:
- security_package_clean_on_remove | bool


@ -60,7 +60,7 @@ stig_packages_rhel7:
- openssh-server
- screen
state: "{{ security_package_state }}"
enabled: True
enabled: true
- packages:
- aide
- aide-common


@ -61,158 +61,158 @@ auditd_config:
audited_commands:
- command: chsh
stig_id: V-72167
arch_specific: no
arch_specific: false
- command: chage
stig_id: V-72155
arch_specific: no
arch_specific: false
- command: chcon
stig_id: V-72139
arch_specific: no
arch_specific: false
- command: chmod
stig_id: V-72105
arch_specific: yes
arch_specific: true
- command: chown
stig_id: V-72097
arch_specific: yes
arch_specific: true
- command: creat
stig_id: V-72123
arch_specific: yes
arch_specific: true
- command: crontab
stig_id: V-72183
arch_specific: no
arch_specific: false
- command: delete_module
stig_id: V-72189
arch_specific: yes
arch_specific: true
- command: fchmod
stig_id: V-72107
arch_specific: yes
arch_specific: true
- command: fchmodat
stig_id: V-72109
arch_specific: yes
arch_specific: true
- command: fchown
stig_id: V-72099
arch_specific: yes
arch_specific: true
- command: fchownat
stig_id: V-72103
arch_specific: yes
arch_specific: true
- command: fremovexattr
stig_id: V-72119
arch_specific: yes
arch_specific: true
- command: fsetxattr
stig_id: V-72113
arch_specific: yes
arch_specific: true
- command: ftruncate
stig_id: V-72133
arch_specific: yes
arch_specific: true
- command: init_module
stig_id: V-72187
arch_specific: yes
arch_specific: true
- command: gpasswd
stig_id: V-72153
arch_specific: no
arch_specific: false
- command: lchown
stig_id: V-72101
arch_specific: yes
arch_specific: true
- command: lremovexattr
stig_id: V-72121
arch_specific: yes
arch_specific: true
- command: lsetxattr
stig_id: V-72115
arch_specific: yes
arch_specific: true
- command: mount
path: /bin
stig_id: V-72171
arch_specific: no
arch_specific: false
- command: newgrp
stig_id: V-72165
arch_specific: no
arch_specific: false
- command: open
stig_id: V-72125
arch_specific: yes
arch_specific: true
- command: openat
stig_id: V-72127
arch_specific: yes
arch_specific: true
- command: open_by_handle_at
stig_id: V-72129
arch_specific: yes
arch_specific: true
- command: pam_timestamp_check
path: /sbin
stig_id: V-72185
arch_specific: no
arch_specific: false
- command: passwd
stig_id: V-72149
arch_specific: no
arch_specific: false
- command: postdrop
path: /usr/sbin
stig_id: V-72175
arch_specific: no
arch_specific: false
- command: postqueue
path: /usr/sbin
stig_id: V-72177
arch_specific: no
arch_specific: false
- command: removexattr
stig_id: V-72117
arch_specific: yes
arch_specific: true
- command: rename
stig_id: V-72199
arch_specific: yes
arch_specific: true
- command: renameat
stig_id: V-72201
arch_specific: yes
arch_specific: true
- command: restorecon
path: /usr/sbin
stig_id: V-72141
arch_specific: no
arch_specific: false
- command: rmdir
stig_id: V-72203
arch_specific: yes
arch_specific: true
- command: semanage
path: /usr/sbin
stig_id: V-72135
arch_specific: no
arch_specific: false
- command: setsebool
path: /usr/sbin
stig_id: V-72137
arch_specific: no
arch_specific: false
- command: setxattr
stig_id: V-72111
arch_specific: yes
arch_specific: true
- command: ssh-keysign
path: "{{ ssh_keysign_path }}"
stig_id: V-72179
arch_specific: no
arch_specific: false
- command: su
path: /bin
stig_id: V-72159
arch_specific: no
arch_specific: false
- command: sudo
stig_id: V-72161
arch_specific: no
arch_specific: false
- command: sudoedit
path: /bin
stig_id: V-72169
arch_specific: no
arch_specific: false
- command: truncate
stig_id: V-72131
arch_specific: yes
arch_specific: true
- command: umount
path: /bin
stig_id: V-72173
arch_specific: no
arch_specific: false
- command: unix_chkpwd
path: /sbin
stig_id: V-72151
arch_specific: no
arch_specific: false
- command: unlink
stig_id: V-72205
arch_specific: yes
arch_specific: true
- command: unlinkat
stig_id: V-72207
arch_specific: yes
arch_specific: true
- command: userhelper
path: /usr/sbin
stig_id: V-72157
arch_specific: no
arch_specific: false
## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
@ -368,15 +368,15 @@ sshd_settings_rhel7:
stig_id: V-71959
- name: Ciphers
value: "{{ security_sshd_cipher_list }}"
enabled: True
enabled: true
stig_id: V-72221
- name: ClientAliveInterval
value: "{{ security_sshd_client_alive_interval }}"
enabled: True
enabled: true
stig_id: V-72237
- name: ClientAliveCountMax
value: "{{ security_sshd_client_alive_count_max }}"
enabled: True
enabled: true
stig_id: V-72241
- name: PrintLastLog
value: "yes"
@ -388,7 +388,7 @@ sshd_settings_rhel7:
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
{{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
{{ security_sshd_permit_root_login }}{% endif %}
enabled: True
enabled: true
stig_id: V-72247
- name: IgnoreUserKnownHosts
value: "yes"
@ -404,11 +404,11 @@ sshd_settings_rhel7:
stig_id: V-72303
- name: Protocol
value: "{{ security_sshd_protocol }}"
enabled: yes
enabled: true
stig_id: V-72251
- name: MACs
value: "{{ security_sshd_allowed_macs }}"
enabled: yes
enabled: true
stig_id: V-72253
- name: UsePrivilegeSeparation
value: sandbox
@ -416,7 +416,7 @@ sshd_settings_rhel7:
stig_id: V-72265
- name: Compression
value: "{{ security_sshd_compression }}"
enabled: yes
enabled: true
stig_id: V-72267
- name: KerberosAuthentication
value: "no"
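Review bot: `arch_specific` on every `audited_commands` entry is now a real boolean, but nothing in the file says what the flag selects, and the rules template that consumes it is not part of this diff. A short comment above the `audited_commands:` list would help, for example `# arch_specific: presumably true emits the rule once per entry in auditd_architectures (b32/b64 or ppc64), false emits a single rule for the command path — confirm against the auditd rules template`. The `enabled:` keys in `sshd_settings_rhel7` further down, which previously mixed `True` and `yes`, are now uniformly `true`, which is what `selectattr('enabled')` in the sshd tasks expects.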


@ -38,7 +38,7 @@ pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
clamav_service: "clamd@scan"
# Clamav paparms
clamav_service_details:
@ -65,7 +65,7 @@ stig_packages_rhel7:
- openssh-server
- screen
state: "{{ security_package_state }}"
enabled: True
enabled: true
- packages:
- aide
state: "{{ security_package_state }}"


@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
clamav_service: "clamd@scan"
# Clamav paparms
clamav_service_details:
@ -64,7 +64,7 @@ stig_packages_rhel7:
- openssh-clients
- openssh-server
state: "{{ security_package_state }}"
enabled: True
enabled: true
- packages:
- aide
state: "{{ security_package_state }}"


@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
clamav_service: "clamd@scan"
# Clamav paparms
clamav_service_details:
@ -64,7 +64,7 @@ stig_packages_rhel7:
- openssh-clients
- openssh-server
state: "{{ security_package_state }}"
enabled: True
enabled: true
- packages:
- aide
state: "{{ security_package_state }}"


@ -41,7 +41,7 @@ pkg_mgr_config: /etc/zypp/zypp.conf
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd'
clamav_service: "clamd"
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
@ -59,7 +59,7 @@ stig_packages_rhel7:
- openssh
- screen
state: "{{ security_package_state }}"
enabled: True
enabled: true
- packages:
- aide
state: "{{ security_package_state }}"


@ -1,3 +1,4 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");