110 lines
2.9 KiB
YAML
110 lines
2.9 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
|
|
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
|
|
register: v38476_result
|
|
changed_when: v38476_result | failed
|
|
failed_when: False
|
|
always_run: True
|
|
when:
|
|
- ansible_distribution == 'CentOS'
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38476
|
|
- skip_ansible_lint
|
|
|
|
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS)
|
|
fail:
|
|
msg: "Missing CentOS 7 GPG keys"
|
|
when:
|
|
- ansible_distribution == 'CentOS'
|
|
- v38476_result | failed
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38476
|
|
|
|
- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476)
|
|
command: "rpm -qi {{ item }}"
|
|
register: v38476_result
|
|
changed_when: v38476_result | failed
|
|
failed_when: False
|
|
always_run: True
|
|
with_items:
|
|
- gpg-pubkey-fd431d51-4ae0493b
|
|
- gpg-pubkey-2fa658e0-45700c69
|
|
when:
|
|
- ansible_distribution == 'RedHat'
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38476
|
|
- skip_ansible_lint
|
|
|
|
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Red Hat Enteprise Linux)
|
|
fail:
|
|
msg: "Missing Red Hat Enterprise Linux 7 GPG keys"
|
|
when:
|
|
- ansible_distribution == 'RedHat'
|
|
- v38476_result | failed
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38476
|
|
|
|
- name: Search for yum repositories with GPG checks disabled
|
|
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
|
|
register: v38462_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: V-38462 - Package management tool must verify authenticity of packages
|
|
fail:
|
|
msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
|
|
when: "v38462_result.rc == 0"
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: V-38481 - Install yum-cron for automatic updates
|
|
yum:
|
|
name: yum-cron
|
|
state: "{{ security_package_state }}"
|
|
when: security_unattended_upgrades_enabled | bool
|
|
tags:
|
|
- package
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: V-38481 - System security patches and updates must be installed and up-to-date
|
|
lineinfile:
|
|
dest: /etc/yum/yum-cron.conf
|
|
regexp: "^apply_updates"
|
|
line: "apply_updates = yes"
|
|
state: present
|
|
when: security_unattended_upgrades_enabled | bool
|
|
tags:
|
|
- package
|
|
- cat2
|
|
- V-38481
|