  1. ---
  2. # Copyright 2016, Rackspace US, Inc.
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. - name: Check autofs service
  16. command: systemctl status autofs
  17. register: autofs_check
  18. failed_when: autofs_check.rc not in [0,3,4]
  19. changed_when: False
  20. check_mode: no
  21. tags:
  22. - always
  23. - name: V-71985 - File system automounter must be disabled unless required.
  24. service:
  25. name: autofs
  26. state: stopped
  27. enabled: no
  28. when:
  29. - autofs_check.rc not in [3,4]
  30. - security_rhel7_disable_autofs | bool
  31. tags:
  32. - medium
  33. - misc
  34. - V-71985
  35. # This returns an exit code of 0 if it's running, 3 if it's masked.
  36. - name: Check if ctrl-alt-del.target is already masked
  37. command: systemctl status ctrl-alt-del.target
  38. register: cad_mask_check
  39. check_mode: no
  40. changed_when: False
  41. failed_when: cad_mask_check.rc not in [0,3]
  42. tags:
  43. - always
  44. - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  45. command: systemctl mask ctrl-alt-del.target
  46. when:
  47. - security_rhel7_disable_ctrl_alt_delete | bool
  48. - cad_mask_check.rc != 3
  49. notify:
  50. - reload systemd
  51. tags:
  52. - high
  53. - misc
  54. - V-71993
  55. - name: Check for /home on mounted filesystem
  56. debug:
  57. msg: |
  58. The STIG requires that /home is on its own filesystem, but this system
  59. does not appear to be following the requirement.
  60. when:
  61. - ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0
  62. tags:
  63. - low
  64. - misc
  65. - V-72059
  66. - name: Check for /var on mounted filesystem
  67. debug:
  68. msg: |
  69. The STIG requires that /var is on its own filesystem, but this system
  70. does not appear to be following the requirement.
  71. when:
  72. - ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
  73. tags:
  74. - low
  75. - misc
  76. - V-72067
  77. - name: Check for /var/log/audit on mounted filesystem
  78. debug:
  79. msg: |
  80. The STIG requires that /var/log/audit is on its own filesystem, but this system
  81. does not appear to be following the requirement.
  82. when:
  83. - ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
  84. tags:
  85. - low
  86. - misc
  87. - V-72063
  88. - name: Check for /tmp on mounted filesystem
  89. debug:
  90. msg: |
  91. The STIG requires that /tmp is on its own filesystem, but this system
  92. does not appear to be following the requirement.
  93. when:
  94. - ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0
  95. tags:
  96. - low
  97. - misc
  98. - V-72065
  99. - name: Check if syslog output is being sent to another server
  100. command: 'grep "^[^#].*@" /etc/rsyslog.conf'
  101. register: rsyslog_transmit_check
  102. changed_when: False
  103. failed_when: False
  104. check_mode: no
  105. tags:
  106. - always
  107. - name: V-72209 - The system must send rsyslog output to a log aggregation server.
  108. debug:
  109. msg: Output from syslog must be sent to another server.
  110. when:
  111. - rsyslog_transmit_check is defined
  112. - rsyslog_transmit_check.rc != 0
  113. tags:
  114. - medium
  115. - misc
  116. - V-72209
  117. - name: Check if ClamAV is installed
  118. stat:
  119. path: /usr/bin/clamdscan
  120. register: clamav_install_check
  121. changed_when: False
  122. tags:
  123. - always
  124. - name: Remove 'Example' line from ClamAV configuration files
  125. lineinfile:
  126. dest: "{{ item }}"
  127. regexp: "^Example"
  128. state: absent
  129. with_items:
  130. - /etc/freshclam.conf
  131. - /etc/clamd.d/scan.conf
  132. when:
  133. - clamav_install_check.stat.exists
  134. - security_enable_virus_scanner | bool
  135. - ansible_os_family | lower == 'redhat'
  136. notify:
  137. - restart clamav
  138. tags:
  139. - misc
  140. - V-72213
  141. - name: Set ClamAV server type as socket
  142. lineinfile:
  143. dest: /etc/clamd.d/scan.conf
  144. regexp: "^(#)?LocalSocket (.*)$"
  145. line: 'LocalSocket \2'
  146. backrefs: yes
  147. when:
  148. - clamav_install_check.stat.exists
  149. - security_enable_virus_scanner | bool
  150. - ansible_os_family | lower == 'redhat'
  151. notify:
  152. - restart clamav
  153. tags:
  154. - misc
  155. - V-72213
  156. - name: Allow automatic freshclam updates
  157. lineinfile:
  158. dest: /etc/sysconfig/freshclam
  159. regexp: "^FRESHCLAM_DELAY"
  160. state: absent
  161. when:
  162. - clamav_install_check.stat.exists
  163. - security_enable_virus_scanner | bool
  164. - ansible_os_family | lower == 'redhat'
  165. notify:
  166. - restart clamav
  167. tags:
  168. - misc
  169. - V-72213
  170. - name: Check if ClamAV update process is already running
  171. shell: "ps -ef | egrep [f]reshclam -q"
  172. register: freshclam_proc
  173. changed_when: False
  174. failed_when: False
  175. check_mode: no
  176. tags:
  177. - always
  178. - name: Update ClamAV database
  179. command: freshclam
  180. changed_when: False
  181. when:
  182. - freshclam_proc.rc != 0
  183. - clamav_install_check.stat.exists
  184. - security_enable_virus_scanner | bool
  185. - security_run_virus_scanner_update | bool
  186. async: 300
  187. poll: 5
  188. tags:
  189. - misc
  190. - V-72213
  191. - name: Ensure ClamAV is running
  192. service:
  193. name: "{{ clamav_service }}"
  194. state: started
  195. enabled: yes
  196. when:
  197. - clamav_install_check.stat.exists
  198. - security_enable_virus_scanner | bool
  199. tags:
  200. - misc
  201. - V-72213
  202. # NOTE(mhayden): This role changed names and this task ensures that the old
  203. # configuration block is properly removed. Without this task, /etc/profile
  204. # will have two config blocks that set the same variable and this leads to
  205. # errors on the command prompt. See LP bug 1736702.
  206. # TODO(mhayden): Remove this task when the Rocky release is in development.
  207. - name: Remove old config block for V-72223 from openstack-ansible-security
  208. blockinfile:
  209. dest: /etc/profile
  210. state: absent
  211. insertbefore: EOF
  212. marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
  213. tags:
  214. - medium
  215. - misc
  216. - V-72223
  217. - name: V-72223 - Set 10 minute timeout on communication sessions
  218. blockinfile:
  219. dest: /etc/profile
  220. state: present
  221. insertbefore: EOF
  222. marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
  223. block: |
  224. # Set a {{ security_rhel7_session_timeout }} second timeout for sessions
  225. TMOUT={{ security_rhel7_session_timeout }}
  226. readonly TMOUT
  227. export TMOUT
  228. tags:
  229. - medium
  230. - misc
  231. - V-72223
  232. - name: Start and enable chrony
  233. service:
  234. name: "{{ chrony_service }}"
  235. state: started
  236. enabled: yes
  237. when:
  238. - not check_mode
  239. - security_rhel7_enable_chrony | bool
  240. tags:
  241. - medium
  242. - misc
  243. - V-72269
  244. - name: Check if chrony configuration file exists
  245. stat:
  246. path: "{{ chrony_conf_file }}"
  247. register: chrony_conf_check
  248. tags:
  249. - always
  250. - name: V-72269 - Synchronize system clock (configuration file)
  251. template:
  252. src: chrony.conf.j2
  253. dest: "{{ chrony_conf_file }}"
  254. when:
  255. - chrony_conf_check.stat.exists
  256. - security_rhel7_enable_chrony | bool
  257. notify:
  258. - restart chrony
  259. tags:
  260. - medium
  261. - misc
  262. - V-72269
  263. # Returns 0 if installed, 3 if not installed
  264. - name: Check firewalld status
  265. command: systemctl status firewalld
  266. register: firewalld_status_check
  267. failed_when: firewalld_status_check.rc not in [0,3,4]
  268. changed_when: False
  269. check_mode: no
  270. tags:
  271. - always
  272. - name: Ensure firewalld is running and enabled
  273. service:
  274. name: firewalld
  275. state: started
  276. enabled: yes
  277. when:
  278. - firewalld_status_check.rc not in [3,4]
  279. - security_enable_firewalld | bool
  280. tags:
  281. - medium
  282. - misc
  283. - V-72273
  284. - name: Limit new TCP connections to 25/minute and allow bursting to 100
  285. command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
  286. register: add_rate_limit_firewalld_rule
  287. changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
  288. when:
  289. - firewalld_status_check.rc != 3
  290. - security_enable_firewalld_rate_limit | bool
  291. tags:
  292. - medium
  293. - misc
  294. - V-72271
  295. # Linting checks need to be skipped because this command doesn't create any
  296. # files.
  297. - name: Count nameserver entries in /etc/resolv.conf
  298. command: grep nameserver /etc/resolv.conf
  299. register: nameserver_check
  300. check_mode: no
  301. changed_when: False
  302. failed_when: False
  303. tags:
  304. - always
  305. - skip_ansible_lint
  306. - name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
  307. debug:
  308. msg: |
  309. Two or more nameservers must be configured in /etc/resolv.conf.
  310. Nameservers found: {{ nameserver_check.stdout_lines | length }}
  311. when:
  312. - nameserver_check is defined
  313. - nameserver_check.stdout_lines | length < 2
  314. tags:
  315. - low
  316. - misc
  317. - V-72281
  318. - name: Check for interfaces in promiscuous mode
  319. shell: "ip link | grep -i promisc"
  320. register: promiscuous_interface_check
  321. changed_when: False
  322. failed_when: False
  323. check_mode: no
  324. tags:
  325. - always
  326. - name: V-72295 - Network interfaces must not be in promiscuous mode.
  327. debug:
  328. msg: >
  329. One or more network interfaces were found to be in promiscuous mode.
  330. Review all interfaces and disable promiscuous mode.
  331. when:
  332. - promiscuous_interface_check.rc == 0
  333. tags:
  334. - medium
  335. - misc
  336. - V-72295
  337. - name: Check for postfix configuration file
  338. stat:
  339. path: /etc/postfix/main.cf
  340. register: postfix_conf_check
  341. tags:
  342. - always
  343. - name: V-72297 - Prevent unrestricted mail relaying
  344. lineinfile:
  345. dest: /etc/postfix/main.cf
  346. regexp: '^smtpd_client_restrictions'
  347. line: 'smtpd_client_restrictions = permit_mynetworks, reject'
  348. when:
  349. - postfix_conf_check.stat.exists
  350. - security_rhel7_restrict_mail_relaying | bool
  351. tags:
  352. - medium
  353. - misc
  354. - V-72297
  355. - name: Check for TFTP server configuration file
  356. stat:
  357. path: /etc/xinetd.d/tftp
  358. register: tftp_config_check
  359. check_mode: no
  360. tags:
  361. - always
  362. - name: Check TFTP configuration mode
  363. command: 'grep server_args /etc/xinetd.d/tftp'
  364. register: tftp_secure_check
  365. changed_when: False
  366. failed_when: False
  367. check_mode: no
  368. when:
  369. - tftp_config_check.stat.exists
  370. tags:
  371. - always
  372. - name: V-72305 - TFTP must be configured to operate in secure mode
  373. debug:
  374. msg: TFTP must be configured to run in secure mode with the '-s' flag.
  375. when:
  376. - tftp_config_check.stat.exists
  377. - "'-s' not in tftp_secure_check.stdout"
  378. tags:
  379. - medium
  380. - misc
  381. - V-72305
  382. - name: Check to see if snmpd config contains public/private
  383. shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
  384. register: snmp_public_private_check
  385. changed_when: False
  386. failed_when: False
  387. check_mode: no
  388. tags:
  389. - always
  390. - name: V-72313 - Change SNMP community strings from default.
  391. debug:
  392. msg: >
  393. Change the SNMP community strings from the defaults of 'public' and
  394. 'private' to meet the requirements of V-72313.
  395. when:
  396. - snmp_public_private_check.rc == 0
  397. tags:
  398. - high
  399. - misc
  400. - V-72313