--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-38429 - Install AIDE apt: name: aide state: present tags: - cat2 - V-38489 - name: Check for AIDE cron job (for V-38670) stat: path: /etc/cron.daily/aide register: v38670_result changed_when: False tags: - cat2 - V-38670 - name: V-38670 - System must detect unauthorized changes to software and information fail: msg: "FAILED: AIDE cron job is missing" when: v38670_result.stat.exists == False tags: - cat2 - V-38670 - name: Search for .netrc files (for V-38619) shell: find /root /home -xdev -name .netrc | wc -l register: v38619_result changed_when: False tags: - cat2 - V-38619 - name: V-38619 - There must be no .netrc files on the system fail: msg: "FAILED: .netrc files found -- they must be removed" when: v38619_result.stdout != '0' tags: - cat2 - V-38619 - name: V-38620 - Synchronize system clock (installing chrony) apt: name: chrony state: present tags: - cat2 - V-38620 - name: V-38620 - Synchronize system clock (enable chrony) service: name: chrony state: started enabled: yes tags: - cat2 - V-38620 - name: V-38620 - Synchronize system clock (configuration file) template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf notify: - restart chrony tags: - cat2 - V-38620 # The STIG only requires that logrotate is installed and configured in cron. # The openstack-ansible project will configure logs to be rotated weekly and # compressed with each run. We won't change the interval here, but we will # ensure that logrotate is installed (to meet the STIG requirement). - name: V-38624 - System logs must be rotated daily (install logrotate) apt: name: logrotate state: present tags: - cat3 - V-38624 - name: Check for logrotate cron job (for V-38624) stat: path: /etc/cron.daily/logrotate register: v38624_result tags: - cat3 - V-38624 - name: V-38624 - System logs must be rotated daily (verify cron job) fail: msg: "FAILED: Cron job for logrotate is missing" when: v38624_result.stat.exists == False tags: - cat3 - V-38624 - name: V-38675 - Process core dump must be disabled lineinfile: dest: /etc/security/limits.d/V-38675-coredump.conf line: "* hard core 0" create: yes when: disable_core_dumps is defined tags: - cat3 - V-38675 - name: V-38684 - Maximum simultaneous logins per user lineinfile: dest: /etc/security/limits.d/V-38684-maxlogins.conf line: "* hard maxlogins {{ max_simultaneous_logins }}" create: yes when: max_simultaneous_logins is defined tags: - cat3 - V-38684 - name: Check if vsftpd is installed (for V-38702) stat: path: /etc/vsftpd.conf register: v38702_result changed_when: False tags: - cat3 - V-38702 - name: V-38702 - Enable xferlog lineinfile: dest: /etc/vsftpd.conf regexp: "^(#)?xferlog_enable" line: "xferlog_enable=YES" when: v38702_result.stat.exists == True notify: - restart vsftpd tags: - cat3 - V-38702 - name: V-38702 - Disable xferlog_std_format lineinfile: dest: /etc/vsftpd.conf regexp: "^(#)?xferlog_std_format" line: "xferlog_std_format=NO" when: v38702_result.stat.exists == True notify: - restart vsftpd tags: - cat3 - V-38702 - name: V-38702 - Enable log_ftp_protocol lineinfile: dest: /etc/vsftpd.conf regexp: "^(#)?log_ftp_protocol" line: "log_ftp_protocol=YES" when: v38702_result.stat.exists == True notify: - restart vsftpd tags: - cat3 - V-38702 - name: Check for default runlevel (for V-38674) shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf" register: v38674_result changed_when: False tags: - cat2 - V-38674 - name: V-38674 - X Windows must not be enabled fail: msg: "FAILED: Default runlevel should be 2 (no X windows)" when: v38674_result.rc != 0 tags: - cat2 - V-38674