ansible-hardening/tasks/misc.yml

192 lines
4.5 KiB
YAML

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38429 - Install AIDE
apt:
name: aide
state: present
tags:
- cat2
- V-38489
- name: Check for AIDE cron job (for V-38670)
stat:
path: /etc/cron.daily/aide
register: v38670_result
changed_when: False
tags:
- cat2
- V-38670
- name: V-38670 - System must detect unauthorized changes to software and information
fail:
msg: "FAILED: AIDE cron job is missing"
when: v38670_result.stat.exists == False
tags:
- cat2
- V-38670
- name: Search for .netrc files (for V-38619)
shell: find /root /home -xdev -name .netrc | wc -l
register: v38619_result
changed_when: False
tags:
- cat2
- V-38619
- name: V-38619 - There must be no .netrc files on the system
fail:
msg: "FAILED: .netrc files found -- they must be removed"
when: v38619_result.stdout != '0'
tags:
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (installing chrony)
apt:
name: chrony
state: present
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (enable chrony)
service:
name: chrony
state: started
enabled: yes
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
notify:
- restart chrony
tags:
- cat2
- V-38620
# The STIG only requires that logrotate is installed and configured in cron.
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate)
apt:
name: logrotate
state: present
tags:
- cat3
- V-38624
- name: Check for logrotate cron job (for V-38624)
stat:
path: /etc/cron.daily/logrotate
register: v38624_result
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (verify cron job)
fail:
msg: "FAILED: Cron job for logrotate is missing"
when: v38624_result.stat.exists == False
tags:
- cat3
- V-38624
- name: V-38675 - Process core dump must be disabled
lineinfile:
dest: /etc/security/limits.d/V-38675-coredump.conf
line: "* hard core 0"
create: yes
when: disable_core_dumps is defined
tags:
- cat3
- V-38675
- name: V-38684 - Maximum simultaneous logins per user
lineinfile:
dest: /etc/security/limits.d/V-38684-maxlogins.conf
line: "* hard maxlogins {{ max_simultaneous_logins }}"
create: yes
when: max_simultaneous_logins is defined
tags:
- cat3
- V-38684
- name: Check if vsftpd is installed (for V-38702)
stat:
path: /etc/vsftpd.conf
register: v38702_result
changed_when: False
tags:
- cat3
- V-38702
- name: V-38702 - Enable xferlog
lineinfile:
dest: /etc/vsftpd.conf
regexp: "^(#)?xferlog_enable"
line: "xferlog_enable=YES"
when: v38702_result.stat.exists == True
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Disable xferlog_std_format
lineinfile:
dest: /etc/vsftpd.conf
regexp: "^(#)?xferlog_std_format"
line: "xferlog_std_format=NO"
when: v38702_result.stat.exists == True
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Enable log_ftp_protocol
lineinfile:
dest: /etc/vsftpd.conf
regexp: "^(#)?log_ftp_protocol"
line: "log_ftp_protocol=YES"
when: v38702_result.stat.exists == True
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: Check for default runlevel (for V-38674)
shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
register: v38674_result
changed_when: False
tags:
- cat2
- V-38674
- name: V-38674 - X Windows must not be enabled
fail:
msg: "FAILED: Default runlevel should be 2 (no X windows)"
when: v38674_result.rc != 0
tags:
- cat2
- V-38674