diff --git a/.ansible-lint b/.ansible-lint 
new file mode 100644 
index 00000000..b0c6b0ae 
--- /dev/null 
+++ b/.ansible-lint 
@@ -0,0 +1,4 @@ 
+--- 
+ 
+skip_list: 
+ - '106' 
diff --git a/library/get_users b/library/get_users 
index 72675898..b2306124 100755 
--- a/library/get_users 
+++ b/library/get_users 
@@ -109,8 +109,8 @@ def main():
 # Get the users that match our criteria.
 user_list = [x for x in all_users 
- if (x['uid'] >= module.params['min_uid'] and 
- x['uid'] <= module.params['max_uid'])] 
+ if (x['uid'] >= module.params['min_uid'] 
+ and x['uid'] <= module.params['max_uid'])] # noqa: W503
 # Return the user data to the Ansible task.
 module.exit_json( 
@@ -118,5 +118,6 @@ def main():
 users=user_list
 ) 
+
 if __name__ == '__main__':
 main() 
diff --git a/meta/main.yml b/meta/main.yml 
index a21f8548..b998252a 100644 
--- a/meta/main.yml 
+++ b/meta/main.yml 
@@ -4,22 +4,25 @@ galaxy_info:
 description: Security hardening role for OpenStack-Ansible
 company: OpenStack
 license: Apache 
- min_ansible_version: 2.3 
+ min_ansible_version: 2.10
 platforms:
 - name: Debian
 versions:
 - jessie 
+ - buster
 - name: Fedora
 versions:
 - 25
 - name: EL
 versions:
 - 7 
+ - 8
 - name: Ubuntu
 versions:
 - trusty
 - xenial
 - bionic 
+ - focal
 - name: opensuse
 versions:
 - 42.1 
diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml 
index 0a4d045b..978698d0 100644 
--- a/tasks/rhel7stig/accounts.yml 
+++ b/tasks/rhel7stig/accounts.yml 
@@ -83,7 +83,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts 
- shell: "chage -m 1 {{ item.name }}" 
+ command: "chage -m 1 {{ item.name }}"
 when:
 - item.shadow is mapping
 - item.shadow.min_days != 1 
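Review bot: The skipped rule is given only as the bare number `- '106'`, which tells the next reader nothing about what is being suppressed or why. 106 is ansible-lint's role-name pattern check, so a trailing comment such as `# 106: role name must match ^[a-z][a-z0-9_]+$ (not applicable to this role's published name)` would make the intent explicit; the reason given there is my guess and should be confirmed. Later ansible-lint releases address rules by name rather than number, so where the pinned linter supports it the named form (`role-name`) is the one that will keep working.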
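Review bot: The `# noqa: W503` on the rewritten condition suppresses a lint warning that a chained comparison avoids altogether while reading closer to the intent: `if module.params['min_uid'] <= x['uid'] <= module.params['max_uid']]`. Binding the two bounds to locals above the comprehension would keep that line short without any noqa. main() starts before this hunk and continues after it.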
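Review bot: Replacing `shell` with `command` for `chage -m 1 {{ item.name }}` removes shell interpolation, but the user name is still spliced into a free-form command string that the module splits on whitespace, and it appears to come from the system's own account list (the loop over this task is outside the hunk). The `argv` form keeps the name as a single argument whatever it contains: `command:` followed by `argv: ["chage", "-m", "1", "{{ item.name }}"]`. The same applies to the `chage -M 60` task in the next hunk of this file.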
@@ -99,7 +99,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts 
- shell: "chage -M 60 {{ item.name }}" 
+ command: "chage -M 60 {{ item.name }}"
 when:
 - item.shadow is mapping
 - item.shadow.max_days > 60 
@@ -144,7 +144,7 @@
 line: "{{ item.parameter }} {{ item.value }}"
 state: present
 when: 
- - item.value != '' 
+ - item.value is truthy(convert_bool=True)
 - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
 with_items: "{{ shadow_utils_rhel7 }}"
 tags: 
@@ -210,7 +210,7 @@
 stat:
 path: "{{ item['dir'] }}"
 when: 
- - item['dir'] != '' 
+ - item['dir'] | length > 0
 with_items: "{{ user_list.users }}"
 register: home_directory_checks
 tags: 
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml 
index 26641cac..4454b37c 100644 
--- a/tasks/rhel7stig/auth.yml 
+++ b/tasks/rhel7stig/auth.yml 
@@ -177,7 +177,8 @@
 - name: Set a GRUB 2 password for single-user/maintenance modes
 block: 
- - blockinfile: 
+ - name: Define password options for grub 
+ blockinfile:
 path: "{{ grub_custom_file }}"
 insertbefore: EOF
 marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" 
@@ -187,7 +188,8 @@
 state: present
 notify:
 - update grub config 
- - lineinfile: 
+ - name: Set CLASS for grub file 
+ lineinfile:
 path: "{{ grub_linux_file }}"
 regexp: '^CLASS=.*'
 line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"' 
@@ -246,8 +248,8 @@
 failed_when: False
 changed_when: False
 register: job_result 
- until: job_result.finished | bool 
- retries: 30 
+ until: job_result.finished 
+ retries: 60
 when:
 - shosts_find is not skipped
 tags: 
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml 
index 512d4eb8..2210ea1d 100644 
--- a/tasks/rhel7stig/kernel.yml 
+++ b/tasks/rhel7stig/kernel.yml 
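Review bot: `item.value is truthy(convert_bool=True)` filters more than the `!= ''` it replaces: with convert_bool the strings `0`, `no`, `off` and `false` (and integer 0 or boolean False even without it) are now falsy, so any entry in shadow_utils_rhel7 whose legitimate login.defs value is one of those would silently stop being written. If the intent was only to skip empty values, the `| length > 0` form this same commit uses for item['dir'] in the next hunk is the like-for-like replacement: `- item.value | string | length > 0`. shadow_utils_rhel7 is defined outside this diff, so whether such values exist there needs checking.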
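Review bot: `retries: 60` stands without a `delay:`, so the wait ceiling for this async job depends on Ansible's default 5-second delay and the reader has to work out that the budget just went from 150 to 300 seconds. An explicit `delay: 5` next to `retries: 60`, plus a one-line comment stating why the ceiling was doubled (the commit gives no reason), would make the bound visible and reviewable. The task these keys belong to starts before the hunk.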
@@ -49,7 +49,7 @@
 - C-00001
 - name: Check kdump service 
- command: systemctl status kdump 
+ command: systemctl status kdump # noqa 303
 register: kdump_service_check
 failed_when: kdump_service_check.rc not in [0,3,4]
 changed_when: False 
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml 
index c663a345..8cd6f38e 100644 
--- a/tasks/rhel7stig/lsm.yml 
+++ b/tasks/rhel7stig/lsm.yml 
@@ -21,6 +21,7 @@
 failed_when: false
 when:
 - ansible_pkg_mgr in ['apt', 'zypper'] 
+ - security_rhel7_enable_linux_security_module | bool
 tags:
 - high
 - V-71989 
@@ -31,13 +32,14 @@
 # started apparmor each time. This breaks idempotency and we check
 # systemd's status directly as an alternative.
 - name: Check if apparmor is running 
- command: "systemctl status apparmor" 
+ command: "systemctl status apparmor" # noqa 303
 register: systemctl_apparmor_status
 check_mode: no
 changed_when: false
 failed_when: false
 when:
 - ansible_pkg_mgr in ['apt', 'zypper'] 
+ - security_rhel7_enable_linux_security_module | bool
 tags:
 - high
 - V-71989 
@@ -49,6 +51,7 @@
 when:
 - ansible_pkg_mgr in ['apt', 'zypper']
 - security_rhel7_enable_linux_security_module | bool 
+ - not check_mode
 tags:
 - high
 - V-71989 
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml 
index 871d37c5..860e608c 100644 
--- a/tasks/rhel7stig/main.yml 
+++ b/tasks/rhel7stig/main.yml 
@@ -14,9 +14,10 @@
 # limitations under the License.
 - name: Create temporary directory to hold any temporary files 
- command: "mktemp -d" 
+ tempfile: 
+ state: directory 
+ suffix: hardening
 register: mktemp_result 
- changed_when: False
 when:
 - not check_mode | bool
 tags: 
@@ -24,7 +25,7 @@
 - name: Set a fact for the temporary directory
 set_fact: 
- temp_dir: "{{ mktemp_result.stdout }}" 
+ temp_dir: "{{ mktemp_result.path }}"
 changed_when: False
 when:
 - not check_mode | bool 
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml 
index 5f009197..a62634db 100644 
--- a/tasks/rhel7stig/misc.yml 
+++ b/tasks/rhel7stig/misc.yml 
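Review bot: The added `- not check_mode` guard in the third lsm.yml hunk omits the `| bool` cast that this same commit keeps on the `not check_mode | bool` conditions in tasks/rhel7stig/main.yml. If `check_mode` ever arrives as a string (for example `false` from --extra-vars), `not 'false'` evaluates to False and the task is skipped although check mode is off; `- not check_mode | bool` keeps the two files consistent. The task this condition belongs to starts before the hunk.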
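Review bot: Dropping `changed_when: False` along with the move to the `tempfile` module means the "Create temporary directory" task now reports changed on every run, since tempfile creates a fresh directory each time; the scratch directory is not configuration state, so the play's changed count becomes noise and any idempotence check fails. Keeping `changed_when: false` on the `tempfile` task restores the previous reporting. Reading `mktemp_result.path` in the following hunk is the right return key for this module.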
@@ -14,7 +14,7 @@
 # limitations under the License.
 - name: Check autofs service 
- command: systemctl status autofs 
+ command: systemctl status autofs # noqa 303
 register: autofs_check
 failed_when: autofs_check.rc not in [0,3,4]
 changed_when: False 
@@ -289,7 +289,7 @@
 # Returns 0 if installed, 3 if not installed
 - name: Check firewalld status 
- command: systemctl status firewalld 
+ command: systemctl status firewalld # noqa 303
 register: firewalld_status_check
 failed_when: firewalld_status_check.rc not in [0,3,4]
 changed_when: False