Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654 Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
This commit is contained in:
parent
087919c425
commit
b9a9310d7c
@ -92,7 +92,7 @@ security_rhel7_audit_failure_flag: 1 # V-72081
|
|||||||
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
||||||
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
||||||
# Size of remaining disk space (in MB) that triggers alerts.
|
# Size of remaining disk space (in MB) that triggers alerts.
|
||||||
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
||||||
# Action to take when the space_left threshold is reached.
|
# Action to take when the space_left threshold is reached.
|
||||||
security_rhel7_auditd_space_left_action: email # V-72091
|
security_rhel7_auditd_space_left_action: email # V-72091
|
||||||
# Send auditd email alerts to this user.
|
# Send auditd email alerts to this user.
|
||||||
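Review bot: The new `security_rhel7_auditd_space_left` default still hard-depends on `ansible_facts['mounts']`, which as far as I recall is only populated when the hardware fact subset is gathered (`gather_subset: "!hardware"` is a common speed-up), so a play that skips it fails with an undefined-variable error the first time this default is rendered rather than at fact-gathering time. The same dependency is introduced at `booted_with_efi` in the EFI-detection hunk and in the four separate-filesystem checks (`/home`, `/var`, `/var/log/audit`, `/tmp`) later in the commit. A `default([])` is not a fix: `first` on an empty list still errors here, and for the mount-presence checks it would silently report a false "not mounted" answer. An early `assert` in the fact-gathering task, `that: ansible_facts['mounts'] is defined` with a `fail_msg` naming the required subset, gives one clear failure instead. The enclosing defaults file continues outside the hunk.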
|
@ -16,11 +16,11 @@
|
|||||||
- name: Gather variables for each operating system
|
- name: Gather variables for each operating system
|
||||||
include_vars: "{{ item }}"
|
include_vars: "{{ item }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
|
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
|
||||||
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
|
||||||
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
|
||||||
- "{{ ansible_distribution | lower }}.yml"
|
- "{{ ansible_facts['distribution'] | lower }}.yml"
|
||||||
- "{{ ansible_os_family | lower }}.yml"
|
- "{{ ansible_facts['os_family'] | lower }}.yml"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -33,14 +33,14 @@
|
|||||||
|
|
||||||
- name: Check to see if we are booting with EFI or UEFI
|
- name: Check to see if we are booting with EFI or UEFI
|
||||||
set_fact:
|
set_fact:
|
||||||
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
|
booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
set_fact:
|
||||||
check_mode: "{{ noop_result is skipped }}"
|
check_mode: "{{ noop_result is skipped }}"
|
||||||
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
|
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
|
||||||
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
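Review bot: `linux_security_module` in the `Set facts` task (new line `(ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux')`) resolves to `selinux` for SUSE hosts, while the LSM hunks later in this commit enable and check AppArmor whenever `ansible_facts['pkg_mgr'] in ['apt', 'zypper']`, and the rpm-verification hunk already treats `'suse'` as its own family. If anything downstream keys on `linux_security_module`, SUSE gets the SELinux branch despite AppArmor being what the role configures there; this is pre-existing, but the migration touches exactly this line. Suggested: `linux_security_module: "{{ (ansible_facts['os_family'] | lower in ['debian', 'suse']) | ternary('apparmor','selinux') }}"`, unless the selinux value for SUSE is intentional, in which case a one-line comment saying so would stop the next reader from "fixing" it.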
|
@ -73,7 +73,7 @@
|
|||||||
backup: yes
|
backup: yes
|
||||||
when:
|
when:
|
||||||
- security_libuser_crypt_style_sha512 | bool
|
- security_libuser_crypt_style_sha512 | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
tags:
|
tags:
|
||||||
- accounts
|
- accounts
|
||||||
- medium
|
- medium
|
||||||
@ -145,7 +145,7 @@
|
|||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- item.value is truthy(convert_bool=True)
|
- item.value is truthy(convert_bool=True)
|
||||||
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
|
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family']
|
||||||
with_items: "{{ shadow_utils_rhel7 }}"
|
with_items: "{{ shadow_utils_rhel7 }}"
|
||||||
tags:
|
tags:
|
||||||
- accounts
|
- accounts
|
||||||
|
@ -58,7 +58,7 @@
|
|||||||
/sbin NORMAL
|
/sbin NORMAL
|
||||||
when:
|
when:
|
||||||
- aide_conf.results[0].stat.exists | bool
|
- aide_conf.results[0].stat.exists | bool
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- aide
|
- aide
|
||||||
@ -76,7 +76,7 @@
|
|||||||
backrefs: yes
|
backrefs: yes
|
||||||
when:
|
when:
|
||||||
- aide_conf.results[1].stat.exists | bool
|
- aide_conf.results[1].stat.exists | bool
|
||||||
- ansible_pkg_mgr == 'zypper'
|
- ansible_facts['pkg_mgr'] == 'zypper'
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- aide
|
- aide
|
||||||
@ -116,7 +116,7 @@
|
|||||||
changed_when: false
|
changed_when: false
|
||||||
when:
|
when:
|
||||||
- aide_init is not skipped
|
- aide_init is not skipped
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- aide
|
- aide
|
||||||
@ -133,7 +133,7 @@
|
|||||||
special_time: daily
|
special_time: daily
|
||||||
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
|
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- aide
|
- aide
|
||||||
|
@ -34,7 +34,7 @@
|
|||||||
when:
|
when:
|
||||||
- security_check_package_checksums | bool
|
- security_check_package_checksums | bool
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
- V-71855
|
- V-71855
|
||||||
@ -59,7 +59,7 @@
|
|||||||
{{ invalid_checksum_files_violations }}
|
{{ invalid_checksum_files_violations }}
|
||||||
when:
|
when:
|
||||||
- security_check_package_checksums | bool
|
- security_check_package_checksums | bool
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
- invalid_checksum_files is defined
|
- invalid_checksum_files is defined
|
||||||
- invalid_checksum_files.stdout is defined
|
- invalid_checksum_files.stdout is defined
|
||||||
tags:
|
tags:
|
||||||
@ -105,7 +105,7 @@
|
|||||||
create: yes
|
create: yes
|
||||||
when:
|
when:
|
||||||
- security_package_clean_on_remove | bool
|
- security_package_clean_on_remove | bool
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- packages
|
- packages
|
||||||
@ -116,7 +116,7 @@
|
|||||||
src: 20auto-upgrades
|
src: 20auto-upgrades
|
||||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
poll: 0
|
poll: 0
|
||||||
when:
|
when:
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_os_family | lower in ['redhat', 'suse']
|
- ansible_facts['os_family'] | lower in ['redhat', 'suse']
|
||||||
tags:
|
tags:
|
||||||
- rpm
|
- rpm
|
||||||
- high
|
- high
|
||||||
|
@ -61,7 +61,7 @@
|
|||||||
|
|
||||||
- name: Get valid system architectures for audit rules
|
- name: Get valid system architectures for audit rules
|
||||||
set_fact:
|
set_fact:
|
||||||
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
|
auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
backrefs: yes
|
backrefs: yes
|
||||||
when:
|
when:
|
||||||
- security_shadow_utils_fail_delay is defined
|
- security_shadow_utils_fail_delay is defined
|
||||||
- ansible_os_family | lower == 'debian'
|
- ansible_facts['os_family'] | lower == 'debian'
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- medium
|
- medium
|
||||||
@ -39,7 +39,7 @@
|
|||||||
backup: yes
|
backup: yes
|
||||||
backrefs: yes
|
backrefs: yes
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'Debian'
|
- ansible_facts['os_family'] == 'Debian'
|
||||||
- security_disallow_blank_password_login | bool
|
- security_disallow_blank_password_login | bool
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
@ -58,7 +58,7 @@
|
|||||||
- auth
|
- auth
|
||||||
- password
|
- password
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'RedHat'
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
- security_disallow_blank_password_login | bool
|
- security_disallow_blank_password_login | bool
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
@ -77,7 +77,7 @@
|
|||||||
- "{{ pam_auth_file }}"
|
- "{{ pam_auth_file }}"
|
||||||
- "{{ pam_password_file }}"
|
- "{{ pam_password_file }}"
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr == 'zypper'
|
- ansible_facts['pkg_mgr'] == 'zypper'
|
||||||
- security_disallow_blank_password_login | bool
|
- security_disallow_blank_password_login | bool
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
@ -92,7 +92,7 @@
|
|||||||
insertbefore: EOF
|
insertbefore: EOF
|
||||||
block: "{{ lookup('template', 'pam_faillock.j2') }}"
|
block: "{{ lookup('template', 'pam_faillock.j2') }}"
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
- security_pam_faillock_enable | bool
|
- security_pam_faillock_enable | bool
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
|
@ -21,8 +21,8 @@
|
|||||||
check_mode: no
|
check_mode: no
|
||||||
register: dnf_automatic_config_check
|
register: dnf_automatic_config_check
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- ansible_pkg_mgr == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -33,8 +33,8 @@
|
|||||||
line: "apply_updates = yes"
|
line: "apply_updates = yes"
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- ansible_pkg_mgr == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
- dnf_automatic_config_check.stat.exists | bool
|
- dnf_automatic_config_check.stat.exists | bool
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
@ -53,8 +53,8 @@
|
|||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- ansible_pkg_mgr == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
- dnf_automatic_config_check.stat.exists | bool
|
- dnf_automatic_config_check.stat.exists | bool
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
@ -67,8 +67,8 @@
|
|||||||
set_fact:
|
set_fact:
|
||||||
dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}"
|
dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}"
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- ansible_pkg_mgr == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
- dnf_automatic_config_check.stat.exists | bool
|
- dnf_automatic_config_check.stat.exists | bool
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
@ -83,8 +83,8 @@
|
|||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- ansible_pkg_mgr == 'dnf'
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
||||||
- dnf_automatic_config_check.stat.exists | bool
|
- dnf_automatic_config_check.stat.exists | bool
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
changed_when: False
|
changed_when: False
|
||||||
when:
|
when:
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
- security_reset_perm_ownership | bool
|
- security_reset_perm_ownership | bool
|
||||||
tags:
|
tags:
|
||||||
- file_perms
|
- file_perms
|
||||||
@ -38,7 +38,7 @@
|
|||||||
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
|
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
|
||||||
when:
|
when:
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
- rpmverify_package_list is defined
|
- rpmverify_package_list is defined
|
||||||
- rpmverify_package_list.stdout_lines | length > 0
|
- rpmverify_package_list.stdout_lines | length > 0
|
||||||
async: 300
|
async: 300
|
||||||
|
@ -79,7 +79,7 @@
|
|||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -89,7 +89,7 @@
|
|||||||
FIPS is not enabled at boot time on this server.
|
FIPS is not enabled at boot time on this server.
|
||||||
The STIG requires FIPS to be enabled at boot time.
|
The STIG requires FIPS to be enabled at boot time.
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
|
||||||
- fips_check is defined
|
- fips_check is defined
|
||||||
- fips_check.stdout != '1'
|
- fips_check.stdout != '1'
|
||||||
tags:
|
tags:
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
@ -38,7 +38,7 @@
|
|||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
@ -49,7 +49,7 @@
|
|||||||
name: apparmor
|
name: apparmor
|
||||||
enabled: yes
|
enabled: yes
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
- not check_mode
|
- not check_mode
|
||||||
tags:
|
tags:
|
||||||
@ -66,7 +66,7 @@
|
|||||||
changed_when:
|
changed_when:
|
||||||
- '"active (exited)" not in systemctl_apparmor_status.stdout'
|
- '"active (exited)" not in systemctl_apparmor_status.stdout'
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
- not check_mode
|
- not check_mode
|
||||||
- '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
|
- '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
|
||||||
@ -83,9 +83,9 @@
|
|||||||
state: enforcing
|
state: enforcing
|
||||||
policy: targeted
|
policy: targeted
|
||||||
register: selinux_status_change
|
register: selinux_status_change
|
||||||
changed_when: selinux_status_change is changed and ansible_selinux.status != 'disabled'
|
changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled'
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == "RedHat"
|
- ansible_facts['os_family'] == "RedHat"
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
tags:
|
tags:
|
||||||
- high
|
- high
|
||||||
@ -97,7 +97,7 @@
|
|||||||
path: /.autorelabel
|
path: /.autorelabel
|
||||||
state: touch
|
state: touch
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == "RedHat"
|
- ansible_facts['os_family'] == "RedHat"
|
||||||
- security_rhel7_enable_linux_security_module | bool
|
- security_rhel7_enable_linux_security_module | bool
|
||||||
- selinux_status_change is changed
|
- selinux_status_change is changed
|
||||||
tags:
|
tags:
|
||||||
@ -113,8 +113,8 @@
|
|||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'RedHat'
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
- ansible_selinux.status == 'enabled'
|
- ansible_facts['selinux']['status'] == 'enabled'
|
||||||
tags:
|
tags:
|
||||||
- lsm
|
- lsm
|
||||||
- medium
|
- medium
|
||||||
@ -128,7 +128,7 @@
|
|||||||
{{ device }}
|
{{ device }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'RedHat'
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
- unlabeled_devices.stdout is defined
|
- unlabeled_devices.stdout is defined
|
||||||
- unlabeled_devices.stdout | length > 0
|
- unlabeled_devices.stdout | length > 0
|
||||||
tags:
|
tags:
|
||||||
|
@ -59,7 +59,7 @@
|
|||||||
name: "{{ security_epel_release_package }}"
|
name: "{{ security_epel_release_package }}"
|
||||||
state: "{{ security_package_state }}"
|
state: "{{ security_package_state }}"
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr == 'yum'
|
- ansible_facts['pkg_mgr'] == 'yum'
|
||||||
- security_epel_install_repository | bool
|
- security_epel_install_repository | bool
|
||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
tags:
|
tags:
|
||||||
@ -73,7 +73,7 @@
|
|||||||
|
|
||||||
# Package managers are managed first since the changes in these tasks will
|
# Package managers are managed first since the changes in these tasks will
|
||||||
# affect the remainder of the tasks in the role.
|
# affect the remainder of the tasks in the role.
|
||||||
- include_tasks: "{{ ansible_pkg_mgr }}.yml"
|
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
|
||||||
|
|
||||||
# The bulk of the security changes are applied in these tasks. The tasks in
|
# The bulk of the security changes are applied in these tasks. The tasks in
|
||||||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||||
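Review bot: `- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` builds the included file name purely from a host-reported fact, and facts are data returned by the managed node rather than controller-owned configuration (the linked issue is about the same class of problem with injected fact variables). On a host reporting a package manager this role has no file for, the play fails with a generic file-not-found error; an `assert` before the include, `that: ansible_facts['pkg_mgr'] in ['apt', 'dnf', 'yum', 'zypper']` (the managers the rest of this diff handles) with a `fail_msg` naming the unsupported value, makes the supported set explicit and keeps the include path to a known list. The same fact-to-path pattern appears in `grub_conf_file_efi` in the vars-file hunks further down, where `replace(' ', '')` only strips spaces from `ansible_facts['distribution']`; a comment there noting that the EFI directory name is derived from a host-reported value would help the next reader. The task list this include belongs to continues outside the hunk.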
|
@ -67,7 +67,7 @@
|
|||||||
The STIG requires that /home is on its own filesystem, but this system
|
The STIG requires that /home is on its own filesystem, but this system
|
||||||
does not appear to be following the requirement.
|
does not appear to be following the requirement.
|
||||||
when:
|
when:
|
||||||
- ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0
|
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- misc
|
- misc
|
||||||
@ -79,7 +79,7 @@
|
|||||||
The STIG requires that /var is on its own filesystem, but this system
|
The STIG requires that /var is on its own filesystem, but this system
|
||||||
does not appear to be following the requirement.
|
does not appear to be following the requirement.
|
||||||
when:
|
when:
|
||||||
- ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
|
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- misc
|
- misc
|
||||||
@ -91,7 +91,7 @@
|
|||||||
The STIG requires that /var/log/audit is on its own filesystem, but this system
|
The STIG requires that /var/log/audit is on its own filesystem, but this system
|
||||||
does not appear to be following the requirement.
|
does not appear to be following the requirement.
|
||||||
when:
|
when:
|
||||||
- ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
|
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- misc
|
- misc
|
||||||
@ -103,7 +103,7 @@
|
|||||||
The STIG requires that /tmp is on its own filesystem, but this system
|
The STIG requires that /tmp is on its own filesystem, but this system
|
||||||
does not appear to be following the requirement.
|
does not appear to be following the requirement.
|
||||||
when:
|
when:
|
||||||
- ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0
|
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- misc
|
- misc
|
||||||
@ -148,7 +148,7 @@
|
|||||||
when:
|
when:
|
||||||
- clamav_install_check.stat.exists
|
- clamav_install_check.stat.exists
|
||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- restart clamav
|
||||||
tags:
|
tags:
|
||||||
@ -164,7 +164,7 @@
|
|||||||
when:
|
when:
|
||||||
- clamav_install_check.stat.exists
|
- clamav_install_check.stat.exists
|
||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- restart clamav
|
||||||
tags:
|
tags:
|
||||||
@ -179,7 +179,7 @@
|
|||||||
when:
|
when:
|
||||||
- clamav_install_check.stat.exists
|
- clamav_install_check.stat.exists
|
||||||
- security_enable_virus_scanner | bool
|
- security_enable_virus_scanner | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
notify:
|
notify:
|
||||||
- restart clamav
|
- restart clamav
|
||||||
tags:
|
tags:
|
||||||
|
@ -35,7 +35,7 @@
|
|||||||
when:
|
when:
|
||||||
- security_check_package_checksums | bool
|
- security_check_package_checksums | bool
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
tags:
|
tags:
|
||||||
- rpm
|
- rpm
|
||||||
- high
|
- high
|
||||||
@ -54,7 +54,7 @@
|
|||||||
when:
|
when:
|
||||||
- security_check_package_checksums | bool
|
- security_check_package_checksums | bool
|
||||||
- not check_mode | bool
|
- not check_mode | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- invalid_checksum_files is defined
|
- invalid_checksum_files is defined
|
||||||
- invalid_checksum_files.stdout is defined
|
- invalid_checksum_files.stdout is defined
|
||||||
tags:
|
tags:
|
||||||
@ -84,7 +84,7 @@
|
|||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- security_package_clean_on_remove | bool
|
- security_package_clean_on_remove | bool
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
tags:
|
tags:
|
||||||
- low
|
- low
|
||||||
- packages
|
- packages
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
check_mode: no
|
check_mode: no
|
||||||
register: yum_cron_config_check
|
register: yum_cron_config_check
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
@ -32,7 +32,7 @@
|
|||||||
line: "apply_updates = yes"
|
line: "apply_updates = yes"
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- ansible_os_family | lower == 'redhat'
|
- ansible_facts['os_family'] | lower == 'redhat'
|
||||||
- yum_cron_config_check.stat.exists | bool
|
- yum_cron_config_check.stat.exists | bool
|
||||||
- security_rhel7_automatic_package_updates | bool
|
- security_rhel7_automatic_package_updates | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
{# Verify that the variable controlling the rule is enabled and any distro- #}
|
{# Verify that the variable controlling the rule is enabled and any distro- #}
|
||||||
{# specific requirements are met. #}
|
{# specific requirements are met. #}
|
||||||
{# #}
|
{# #}
|
||||||
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
|
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_facts['os_family'] | lower) == ansible_facts['os_family'] | lower) %}
|
||||||
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
|
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
|
||||||
{# #}
|
{# #}
|
||||||
{# Some audit rules are specific to syscalls. Different rules are needed for #}
|
{# Some audit rules are specific to syscalls. Different rules are needed for #}
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
cache_valid_time: "{{ cache_timeout }}"
|
cache_valid_time: "{{ cache_timeout }}"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when:
|
when:
|
||||||
- ansible_pkg_mgr == 'apt'
|
- ansible_facts['pkg_mgr'] == 'apt'
|
||||||
register: refresh_cache
|
register: refresh_cache
|
||||||
until: refresh_cache is success
|
until: refresh_cache is success
|
||||||
retries: 5
|
retries: 5
|
||||||
@ -31,7 +31,7 @@
|
|||||||
file:
|
file:
|
||||||
path: /etc/cron.daily/logrotate
|
path: /etc/cron.daily/logrotate
|
||||||
state: touch
|
state: touch
|
||||||
when: ansible_os_family == 'RedHat'
|
when: ansible_facts['os_family'] == 'RedHat'
|
||||||
changed_when: False
|
changed_when: False
|
||||||
- name: Install dconf package to test graphical session locks
|
- name: Install dconf package to test graphical session locks
|
||||||
package:
|
package:
|
||||||
@ -39,7 +39,7 @@
|
|||||||
state: installed
|
state: installed
|
||||||
changed_when: False
|
changed_when: False
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'RedHat'
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
register: install_packages
|
register: install_packages
|
||||||
until: install_packages is success
|
until: install_packages is success
|
||||||
retries: 5
|
retries: 5
|
||||||
|
@ -55,7 +55,7 @@ auditd_config:
|
|||||||
# otherwise 'no' (required)
|
# otherwise 'no' (required)
|
||||||
# path: the path to the command (optional, default is '/usr/bin')
|
# path: the path to the command (optional, default is '/usr/bin')
|
||||||
# distro: restrict deployment to a single Linux distribution (optional,
|
# distro: restrict deployment to a single Linux distribution (optional,
|
||||||
# should be equal to 'ansible_os_family | lower', such as 'redhat'
|
# should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat'
|
||||||
# or 'ubuntu')
|
# or 'ubuntu')
|
||||||
#
|
#
|
||||||
audited_commands:
|
audited_commands:
|
||||||
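Review bot: The updated comment `# should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat'` nests single quotes inside a single-quoted phrase, so it reads as if the quoted expression ended after `ansible_facts[`. The YAML parser does not care because it is a comment, but the reader does, and this comment is the only documentation of what `distro` must be compared against. Use a different delimiter for the expression, e.g. `# should be equal to "ansible_facts['os_family'] | lower", such as 'redhat'`. The `audited_commands` list this comment documents continues outside the hunk.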
|
@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
|
|||||||
pam_postlogin_file: /etc/pam.d/postlogin
|
pam_postlogin_file: /etc/pam.d/postlogin
|
||||||
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
||||||
grub_conf_file: /boot/grub2/grub.cfg
|
grub_conf_file: /boot/grub2/grub.cfg
|
||||||
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
|
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
|
||||||
aide_cron_job_path: /etc/cron.d/aide
|
aide_cron_job_path: /etc/cron.d/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db.gz
|
aide_database_file: /var/lib/aide/aide.db.gz
|
||||||
aide_database_out_file: /var/lib/aide/aide.db.new.gz
|
aide_database_out_file: /var/lib/aide/aide.db.new.gz
|
||||||
chrony_conf_file: /etc/chrony.conf
|
chrony_conf_file: /etc/chrony.conf
|
||||||
chrony_key_file: /etc/chrony.keys
|
chrony_key_file: /etc/chrony.keys
|
||||||
daemon_init_params_file: /etc/init.d/functions
|
daemon_init_params_file: /etc/init.d/functions
|
||||||
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
||||||
|
|
||||||
# Service names
|
# Service names
|
||||||
cron_service: crond
|
cron_service: crond
|
||||||
@ -91,7 +91,7 @@ stig_packages_rhel7:
|
|||||||
state: "{{ security_package_state }}"
|
state: "{{ security_package_state }}"
|
||||||
enabled: "{{ security_enable_firewalld }}"
|
enabled: "{{ security_enable_firewalld }}"
|
||||||
- packages:
|
- packages:
|
||||||
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
|
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
|
||||||
state: "{{ security_package_state }}"
|
state: "{{ security_package_state }}"
|
||||||
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
||||||
- packages:
|
- packages:
|
||||||
|
@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
|
|||||||
pam_postlogin_file: /etc/pam.d/postlogin
|
pam_postlogin_file: /etc/pam.d/postlogin
|
||||||
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
||||||
grub_conf_file: /boot/grub2/grub.cfg
|
grub_conf_file: /boot/grub2/grub.cfg
|
||||||
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
|
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
|
||||||
aide_cron_job_path: /etc/cron.d/aide
|
aide_cron_job_path: /etc/cron.d/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db.gz
|
aide_database_file: /var/lib/aide/aide.db.gz
|
||||||
aide_database_out_file: /var/lib/aide/aide.db.new.gz
|
aide_database_out_file: /var/lib/aide/aide.db.new.gz
|
||||||
chrony_conf_file: /etc/chrony.conf
|
chrony_conf_file: /etc/chrony.conf
|
||||||
chrony_key_file: /etc/chrony.keys
|
chrony_key_file: /etc/chrony.keys
|
||||||
daemon_init_params_file: /etc/init.d/functions
|
daemon_init_params_file: /etc/init.d/functions
|
||||||
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
||||||
|
|
||||||
# Service names
|
# Service names
|
||||||
cron_service: crond
|
cron_service: crond
|
||||||
@ -90,7 +90,7 @@ stig_packages_rhel7:
|
|||||||
state: "{{ security_package_state }}"
|
state: "{{ security_package_state }}"
|
||||||
enabled: "{{ security_enable_firewalld }}"
|
enabled: "{{ security_enable_firewalld }}"
|
||||||
- packages:
|
- packages:
|
||||||
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
|
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
|
||||||
state: "{{ security_package_state }}"
|
state: "{{ security_package_state }}"
|
||||||
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
||||||
- packages:
|
- packages:
|
||||||
|
@ -27,7 +27,7 @@ grub_conf_file: /boot/grub2/grub.cfg
|
|||||||
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
||||||
# create the EFI distro directory. Since this information is not available on
|
# create the EFI distro directory. Since this information is not available on
|
||||||
# Ansible, we have to improvise a bit...
|
# Ansible, we have to improvise a bit...
|
||||||
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
||||||
aide_cron_job_path: /etc/cron.daily/aide
|
aide_cron_job_path: /etc/cron.daily/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db
|
aide_database_file: /var/lib/aide/aide.db
|
||||||
aide_database_out_file: /var/lib/aide/aide.db.new
|
aide_database_out_file: /var/lib/aide/aide.db.new
|
||||||
|
Loading…
x
Reference in New Issue
Block a user