8d223feb2c
The greaterthan/lessthan test plugins were added into openstack-ansible-plugins a month ago, but they are needed in the security role to ensure that the role can run on a system without openstack-ansible-plugins installed. The test plugins in this role should be removed once jinja 2.9.5 is available for use in OpenStack (likely after Ocata release). Closes-bug: 1660060 Change-Id: Ic86dc9a9e8ae8d03fe52a7c3fc52e580b9936711
186 lines
4.9 KiB
YAML
186 lines
4.9 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: RHEL-07-010010 - Get packages with incorrect file permissions or ownership
|
|
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
|
|
args:
|
|
warn: no
|
|
register: rhel_07_010010_packages
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
- security_reset_perm_ownership | bool
|
|
tags:
|
|
- file_perms
|
|
- high
|
|
- RHEL-07-010010
|
|
|
|
- name: RHEL-07-010010 - Reset file permissions/ownership to vendor values
|
|
shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`"
|
|
args:
|
|
warn: no
|
|
changed_when: false
|
|
with_nested:
|
|
- ['--setperms', '--setugids']
|
|
- "{{ rhel_07_010010_packages.stdout_lines | default([]) }}"
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
- rhel_07_010010_packages is defined
|
|
- rhel_07_010010_packages.stdout_lines | length > 0
|
|
tags:
|
|
- file_perms
|
|
- high
|
|
- RHEL-07-010010
|
|
# don't trigger ANSIBLE0013
|
|
- skip_ansible_lint
|
|
|
|
- name: Search for files/directories with an invalid owner
|
|
command: find / -xdev -nouser -fstype local
|
|
args:
|
|
warn: no
|
|
register: invalid_owner_files
|
|
changed_when: false
|
|
when:
|
|
- security_search_for_invalid_owner | bool
|
|
tags:
|
|
- always
|
|
|
|
- name: RHEL-07-020360 - All files and directories must have a valid owner.
|
|
debug:
|
|
msg: |
|
|
Files and directories were found that are owned by an invalid user:
|
|
{{ invalid_owner_files.stdout_lines | join('\n') }}
|
|
when:
|
|
- invalid_owner_files is defined
|
|
- invalid_owner_files.stdout_lines is defined
|
|
- invalid_owner_files.stdout_lines | length > 0
|
|
tags:
|
|
- file_perms
|
|
- medium
|
|
- RHEL-07-020360
|
|
|
|
- name: Search for files/directories with an invalid group owner
|
|
command: find / -xdev -nogroup -fstype local
|
|
args:
|
|
warn: no
|
|
register: invalid_group_owner_files
|
|
changed_when: false
|
|
when:
|
|
- security_search_for_invalid_group_owner | bool
|
|
tags:
|
|
- always
|
|
|
|
- name: RHEL-07-020370 - All files and directories must have a valid group owner.
|
|
debug:
|
|
msg: |
|
|
Files and directories were found that are owned by an invalid group:
|
|
{{ invalid_group_owner_files.stdout_lines | join('\n') }}
|
|
when:
|
|
- invalid_group_owner_files is defined
|
|
- invalid_group_owner_files.stdout_lines is defined
|
|
- invalid_group_owner_files.stdout_lines | length > 0
|
|
tags:
|
|
- file_perms
|
|
- medium
|
|
- RHEL-07-020370
|
|
|
|
- name: Set proper owner, group owner, and permissions on home directories
|
|
file:
|
|
dest: "{{ item.dir }}"
|
|
owner: "{{ item.name }}"
|
|
group: "{{ item.group.name }}"
|
|
mode: "u-X,g-ws,o-rwxt"
|
|
when:
|
|
- item.uid >= 1000
|
|
- security_set_home_directory_permissions_and_owners | bool
|
|
with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}"
|
|
tags:
|
|
- medium
|
|
- file_perms
|
|
- RHEL-07-020650
|
|
- RHEL-07-020660
|
|
- RHEL-07-020670
|
|
|
|
- name: Find all world-writable directories
|
|
shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
|
|
register: world_writable_dirs
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: RHEL-07-021050 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
|
|
debug:
|
|
msg: |
|
|
The group owners on the following world-writable directories should be examined:
|
|
{{ world_writable_dirs.stdout }}
|
|
when:
|
|
- world_writable_dirs is defined
|
|
tags:
|
|
- medium
|
|
- file_perms
|
|
- RHEL-07-021050
|
|
|
|
- name: Check if /etc/cron.allow exists
|
|
stat:
|
|
path: /etc/cron.allow
|
|
register: cron_allow_check
|
|
tags:
|
|
- always
|
|
|
|
- name: Set owner/group owner on /etc/cron.allow
|
|
file:
|
|
path: /etc/cron.allow
|
|
owner: root
|
|
group: root
|
|
when:
|
|
- cron_allow_check is defined
|
|
- cron_allow_check.stat.exists
|
|
tags:
|
|
- medium
|
|
- file_perms
|
|
- RHEL-07-021190
|
|
- RHEL-07-021200
|
|
|
|
- name: Check if cn_map file is present
|
|
stat:
|
|
path: /etc/pam_pkcs11/cn_map
|
|
check_mode: no
|
|
register: cn_map_check
|
|
tags:
|
|
- medium
|
|
- file_perms
|
|
- RHEL-07-040060
|
|
- RHEL-07-040070
|
|
- RHEL-07-040080
|
|
|
|
- name: Set file permissions on cn_map file
|
|
file:
|
|
path: /etc/pam_pkcs11/cn_map
|
|
mode: "u-x,g-wx,o-wx"
|
|
owner: root
|
|
group: root
|
|
when:
|
|
- cn_map_check.stat.exists
|
|
tags:
|
|
- medium
|
|
- file_perms
|
|
- RHEL-07-040060
|
|
- RHEL-07-040070
|
|
- RHEL-07-040080
|