0df416900f
This patch adds the GPG verification requirements for packages from the following STIGs: * RHEL-07-020150 * RHEL-07-020151 * RHEL-07-020152 The implementation for CentOS is much more robust due to some shortcomings with apt on Ubuntu. Implements: blueprint security-rhel7-stig Change-Id: Ia125d6386a0d33f7c9d8c7a6de1c6d949018f671
92 lines
2.8 KiB
YAML
92 lines
2.8 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Ensure debsums is installed
|
|
apt:
|
|
name: debsums
|
|
state: installed
|
|
|
|
- name: Gather debsums report
|
|
shell: "debsums > {{ temp_dir }}/debsums.txt"
|
|
changed_when: False
|
|
failed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
|
|
- name: RHEL-07-010020 - Get files with invalid checksums (apt)
|
|
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
|
|
register: rhel_07_010020_files
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'debian'
|
|
tags:
|
|
- high
|
|
- RHEL-07-010020
|
|
|
|
- name: RHEL-07-010020 - Create comma-separated list
|
|
set_fact:
|
|
rhel_07_010020_violations: "{{ rhel_07_010020_files.stdout_lines | default([]) | join(', ') }}"
|
|
when:
|
|
- rhel_07_010020_files is defined
|
|
- rhel_07_010020_files.stdout is defined
|
|
tags:
|
|
- high
|
|
- RHEL-07-010020
|
|
|
|
- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (apt)
|
|
debug:
|
|
msg: >
|
|
The following files have checksums that differ from the checksum provided
|
|
with their package. Each of these should be verified manually to ensure
|
|
they have not been modified by an unauthorized user:
|
|
{{ rhel_07_010020_violations }}
|
|
when:
|
|
- ansible_os_family | lower == 'debian'
|
|
- rhel_07_010020_files is defined
|
|
- rhel_07_010020_files.stdout is defined
|
|
tags:
|
|
- high
|
|
- RHEL-07-010020
|
|
|
|
# See the documentation for RHEL-07-020150 for more details on this check.
|
|
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
|
|
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
|
|
register: gpgcheck_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
|
|
- name: RHEL-07-020150 - Package management tool must verify authenticity of packages
|
|
debug:
|
|
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
|
|
when: "gpgcheck_result.rc == 0"
|
|
tags:
|
|
- high
|
|
- RHEL-07-020150
|
|
- RHEL-07-020152
|
|
|
|
- name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
|
|
lineinfile:
|
|
dest: /etc/dpkg/dpkg.cfg
|
|
regexp: "^(#)?no-debsig"
|
|
line: "#no-debsig"
|
|
state: present
|
|
when:
|
|
- security_enable_gpgcheck | bool
|
|
tags:
|
|
- high
|
|
- RHEL-07-020151
|