437 lines
11 KiB
YAML
437 lines
11 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Check autofs service
|
|
command: systemctl status autofs
|
|
register: autofs_check
|
|
failed_when: autofs_check.rc not in [0,3,4]
|
|
changed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: V-71985 - File system automounter must be disabled unless required.
|
|
service:
|
|
name: autofs
|
|
state: stopped
|
|
enabled: no
|
|
when:
|
|
- autofs_check.rc not in [3,4]
|
|
- security_rhel7_disable_autofs | bool
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-71985
|
|
|
|
# This returns an exit code of 0 if it's running, 3 if it's masked.
|
|
- name: Check if ctrl-alt-del.target is already masked
|
|
command: systemctl status ctrl-alt-del.target
|
|
register: cad_mask_check
|
|
check_mode: no
|
|
changed_when: False
|
|
failed_when: cad_mask_check.rc not in [0,3]
|
|
tags:
|
|
- always
|
|
|
|
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
|
|
command: systemctl mask ctrl-alt-del.target
|
|
when:
|
|
- security_rhel7_disable_ctrl_alt_delete | bool
|
|
- cad_mask_check.rc != 3
|
|
notify:
|
|
- reload systemd
|
|
tags:
|
|
- high
|
|
- misc
|
|
- V-71993
|
|
|
|
- name: Check for /home on mounted filesystem
|
|
debug:
|
|
msg: |
|
|
The STIG requires that /home is on its own filesystem, but this system
|
|
does not appear to be following the requirement.
|
|
when:
|
|
- ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0
|
|
tags:
|
|
- low
|
|
- misc
|
|
- V-72059
|
|
|
|
- name: Check for /var on mounted filesystem
|
|
debug:
|
|
msg: |
|
|
The STIG requires that /var is on its own filesystem, but this system
|
|
does not appear to be following the requirement.
|
|
when:
|
|
- ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
|
|
tags:
|
|
- low
|
|
- misc
|
|
- V-72067
|
|
|
|
- name: Check for /var/log/audit on mounted filesystem
|
|
debug:
|
|
msg: |
|
|
The STIG requires that /var/log/audit is on its own filesystem, but this system
|
|
does not appear to be following the requirement.
|
|
when:
|
|
- ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
|
|
tags:
|
|
- low
|
|
- misc
|
|
- V-72063
|
|
|
|
- name: Check for /tmp on mounted filesystem
|
|
debug:
|
|
msg: |
|
|
The STIG requires that /tmp is on its own filesystem, but this system
|
|
does not appear to be following the requirement.
|
|
when:
|
|
- ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0
|
|
tags:
|
|
- low
|
|
- misc
|
|
- V-72065
|
|
|
|
- name: Check if syslog output is being sent to another server
|
|
command: 'grep "^[^#].*@" /etc/rsyslog.conf'
|
|
register: rsyslog_transmit_check
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72209 - The system must send rsyslog output to a log aggregation server.
|
|
debug:
|
|
msg: Output from syslog must be sent to another server.
|
|
when:
|
|
- rsyslog_transmit_check is defined
|
|
- rsyslog_transmit_check.rc != 0
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72209
|
|
|
|
- name: Check if ClamAV is installed
|
|
stat:
|
|
path: /usr/bin/clamdscan
|
|
register: clamav_install_check
|
|
changed_when: False
|
|
tags:
|
|
- always
|
|
|
|
- name: Remove 'Example' line from ClamAV configuration files
|
|
lineinfile:
|
|
dest: "{{ item }}"
|
|
regexp: "^Example"
|
|
state: absent
|
|
with_items:
|
|
- /etc/freshclam.conf
|
|
- /etc/clamd.d/scan.conf
|
|
when:
|
|
- clamav_install_check.stat.exists
|
|
- security_enable_virus_scanner | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
notify:
|
|
- restart clamav
|
|
tags:
|
|
- misc
|
|
- V-72213
|
|
|
|
- name: Set ClamAV server type as socket
|
|
lineinfile:
|
|
dest: /etc/clamd.d/scan.conf
|
|
regexp: "^(#)?LocalSocket (.*)$"
|
|
line: 'LocalSocket \2'
|
|
backrefs: yes
|
|
when:
|
|
- clamav_install_check.stat.exists
|
|
- security_enable_virus_scanner | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
notify:
|
|
- restart clamav
|
|
tags:
|
|
- misc
|
|
- V-72213
|
|
|
|
- name: Allow automatic freshclam updates
|
|
lineinfile:
|
|
dest: /etc/sysconfig/freshclam
|
|
regexp: "^FRESHCLAM_DELAY"
|
|
state: absent
|
|
when:
|
|
- clamav_install_check.stat.exists
|
|
- security_enable_virus_scanner | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
notify:
|
|
- restart clamav
|
|
tags:
|
|
- misc
|
|
- V-72213
|
|
|
|
- name: Check if ClamAV update process is already running
|
|
shell: "ps -ef | egrep [f]reshclam -q"
|
|
register: freshclam_proc
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: Update ClamAV database
|
|
command: freshclam
|
|
changed_when: False
|
|
when:
|
|
- freshclam_proc.rc != 0
|
|
- clamav_install_check.stat.exists
|
|
- security_enable_virus_scanner | bool
|
|
- security_run_virus_scanner_update | bool
|
|
async: 300
|
|
poll: 5
|
|
tags:
|
|
- misc
|
|
- V-72213
|
|
|
|
- name: Ensure ClamAV is running
|
|
service:
|
|
name: "{{ clamav_service }}"
|
|
state: started
|
|
enabled: yes
|
|
when:
|
|
- clamav_install_check.stat.exists
|
|
- security_enable_virus_scanner | bool
|
|
tags:
|
|
- misc
|
|
- V-72213
|
|
|
|
# NOTE(mhayden): This role changed names and this task ensures that the old
|
|
# configuration block is properly removed. Without this task, /etc/profile
|
|
# will have two config blocks that set the same variable and this leads to
|
|
# errors on the command prompt. See LP bug 1736702.
|
|
# TODO(mhayden): Remove this task when the Rocky release is in development.
|
|
- name: Remove old config block for V-72223 from openstack-ansible-security
|
|
blockinfile:
|
|
dest: /etc/profile
|
|
state: absent
|
|
insertbefore: EOF
|
|
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72223
|
|
|
|
- name: V-72223 - Set 10 minute timeout on communication sessions
|
|
blockinfile:
|
|
dest: /etc/profile
|
|
state: present
|
|
insertbefore: EOF
|
|
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
|
|
block: |
|
|
# Set a {{ security_rhel7_session_timeout }} second timeout for sessions
|
|
TMOUT={{ security_rhel7_session_timeout }}
|
|
readonly TMOUT
|
|
export TMOUT
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72223
|
|
|
|
- name: Start and enable chrony
|
|
service:
|
|
name: "{{ chrony_service }}"
|
|
state: started
|
|
enabled: yes
|
|
when:
|
|
- not check_mode
|
|
- security_rhel7_enable_chrony | bool
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72269
|
|
|
|
- name: Check if chrony configuration file exists
|
|
stat:
|
|
path: "{{ chrony_conf_file }}"
|
|
register: chrony_conf_check
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72269 - Synchronize system clock (configuration file)
|
|
template:
|
|
src: chrony.conf.j2
|
|
dest: "{{ chrony_conf_file }}"
|
|
when:
|
|
- chrony_conf_check.stat.exists
|
|
- security_rhel7_enable_chrony | bool
|
|
notify:
|
|
- restart chrony
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72269
|
|
|
|
# Returns 0 if installed, 3 if not installed
|
|
- name: Check firewalld status
|
|
command: systemctl status firewalld
|
|
register: firewalld_status_check
|
|
failed_when: firewalld_status_check.rc not in [0,3,4]
|
|
changed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: Ensure firewalld is running and enabled
|
|
service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
when:
|
|
- firewalld_status_check.rc not in [3,4]
|
|
- security_enable_firewalld | bool
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72273
|
|
|
|
- name: Limit new TCP connections to 25/minute and allow bursting to 100
|
|
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
|
|
register: add_rate_limit_firewalld_rule
|
|
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
|
|
when:
|
|
- firewalld_status_check.rc != 3
|
|
- security_enable_firewalld_rate_limit | bool
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72271
|
|
|
|
# Linting checks need to be skipped because this command doesn't create any
|
|
# files.
|
|
- name: Count nameserver entries in /etc/resolv.conf
|
|
command: grep nameserver /etc/resolv.conf
|
|
register: nameserver_check
|
|
check_mode: no
|
|
changed_when: False
|
|
failed_when: False
|
|
tags:
|
|
- always
|
|
- skip_ansible_lint
|
|
|
|
- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
|
|
debug:
|
|
msg: |
|
|
Two or more nameservers must be configured in /etc/resolv.conf.
|
|
Nameservers found: {{ nameserver_check.stdout_lines | length }}
|
|
when:
|
|
- nameserver_check is defined
|
|
- nameserver_check.stdout_lines | length < 2
|
|
tags:
|
|
- low
|
|
- misc
|
|
- V-72281
|
|
|
|
- name: Check for interfaces in promiscuous mode
|
|
shell: "ip link | grep -i promisc"
|
|
register: promiscuous_interface_check
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72295 - Network interfaces must not be in promiscuous mode.
|
|
debug:
|
|
msg: >
|
|
One or more network interfaces were found to be in promiscuous mode.
|
|
Review all interfaces and disable promiscuous mode.
|
|
when:
|
|
- promiscuous_interface_check.rc == 0
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72295
|
|
|
|
- name: Check for postfix configuration file
|
|
stat:
|
|
path: /etc/postfix/main.cf
|
|
register: postfix_conf_check
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72297 - Prevent unrestricted mail relaying
|
|
lineinfile:
|
|
dest: /etc/postfix/main.cf
|
|
regexp: '^smtpd_client_restrictions'
|
|
line: 'smtpd_client_restrictions = permit_mynetworks, reject'
|
|
when:
|
|
- postfix_conf_check.stat.exists
|
|
- security_rhel7_restrict_mail_relaying | bool
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72297
|
|
|
|
- name: Check for TFTP server configuration file
|
|
stat:
|
|
path: /etc/xinetd.d/tftp
|
|
register: tftp_config_check
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: Check TFTP configuration mode
|
|
command: 'grep server_args /etc/xinetd.d/tftp'
|
|
register: tftp_secure_check
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
when:
|
|
- tftp_config_check.stat.exists
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72305 - TFTP must be configured to operate in secure mode
|
|
debug:
|
|
msg: TFTP must be configured to run in secure mode with the '-s' flag.
|
|
when:
|
|
- tftp_config_check.stat.exists
|
|
- "'-s' not in tftp_secure_check.stdout"
|
|
tags:
|
|
- medium
|
|
- misc
|
|
- V-72305
|
|
|
|
- name: Check to see if snmpd config contains public/private
|
|
shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
|
|
register: snmp_public_private_check
|
|
changed_when: False
|
|
failed_when: False
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
- name: V-72313 - Change SNMP community strings from default.
|
|
debug:
|
|
msg: >
|
|
Change the SNMP community strings from the defaults of 'public' and
|
|
'private' to meet the requirements of V-72313.
|
|
when:
|
|
- snmp_public_private_check.rc == 0
|
|
tags:
|
|
- high
|
|
- misc
|
|
- V-72313
|