diff --git a/doc/source/developer-notes/V-38633.rst b/doc/source/developer-notes/V-38633.rst index d1ad7046..0ba670ab 100644 --- a/doc/source/developer-notes/V-38633.rst +++ b/doc/source/developer-notes/V-38633.rst @@ -8,5 +8,3 @@ by adjusting the following Ansible variable: .. code-block:: yaml security_max_log_file: 6 - - diff --git a/handlers/main.yml b/handlers/main.yml index 87224c90..cecdc8cf 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -46,7 +46,7 @@ - name: restart ssh service: - name: ssh + name: "{{ ssh_service }}" state: restarted - name: restart vsftpd diff --git a/meta/main.yml b/meta/main.yml index 29e97535..828df4f4 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,9 +6,13 @@ galaxy_info: license: Apache min_ansible_version: 1.8.3 platforms: + - name: EL + versions: + - 7 - name: Ubuntu versions: - trusty + - xenial categories: - cloud - security diff --git a/other-requirements.txt b/other-requirements.txt index 67cd643a..a145f8b4 100644 --- a/other-requirements.txt +++ b/other-requirements.txt @@ -14,7 +14,13 @@ # TODO(odyssey4me) remove this once https://review.openstack.org/288634 has merged # and the disk images are rebuilt and redeployed. curl +wget # Requirements for Paramiko 2.0 -libssl-dev -libffi-dev +libssl-dev [platform:dpkg] +libffi-dev [platform:dpkg] +libffi-devel [platform:rpm] +openssl-devel [platform:rpm] + +# For selinux +libselinux-python [platform:rpm] diff --git a/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml b/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml new file mode 100644 index 00000000..41d4c710 --- /dev/null +++ b/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml @@ -0,0 +1,5 @@ +--- +features: + - The openstack-ansible-security role supports the application of the Red + Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and + Ubuntu 16.04 LTS. diff --git a/tasks/apt.yml b/tasks/apt.yml index d063fcb9..0e12adb1 100644 
--- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -13,6 +13,23 @@ # See the License for the specific language governing permissions and # limitations under the License. +#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache +#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged +#in 1.9.x or we move to 2.0 (if tested working) +- name: Check apt last update file + stat: + path: /var/cache/apt + register: apt_cache_stat + tags: + - auditd-apt-packages + +- name: Update apt if needed + apt: + update_cache: yes + when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}" + tags: + - auditd-apt-packages + # Notes for V-38476 ########################################################### # # These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could @@ -29,7 +46,7 @@ msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys" when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout" tags: - - apt + - package - cat1 - V-38476 @@ -48,7 +65,7 @@ failed_when: False always_run: True tags: - - auth + - package - cat1 - V-38462 @@ -57,7 +74,7 @@ msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified." when: "v38462_result.rc == 0" tags: - - auth + - package - cat1 - V-38462 @@ -67,7 +84,7 @@ state: present when: security_unattended_upgrades_enabled | bool tags: - - apt + - package - cat2 - V-38481 @@ -77,7 +94,7 @@ dest: /etc/apt/apt.conf.d/20auto-upgrades when: security_unattended_upgrades_enabled | bool tags: - - apt + - package - cat2 - V-38481 @@ -90,6 +107,6 @@ - security_unattended_upgrades_enabled | bool - security_unattended_upgrades_notifications | bool tags: - - apt + - package - cat2 - V-38481 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 067dec67..fc8e1c87 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
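Review bot: The relocated `Update apt if needed` task still wraps `cache_timeout` in braces inside its `when:` string; `when` is already evaluated as a Jinja expression, so the braces are redundant and newer Ansible releases warn about them — write it as `when: ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > cache_timeout`. Both moved tasks also keep the `auditd-apt-packages` tag from their old home in auditd.yml, while every other task in this file was retagged to `package` in the same commit, so they should carry `package` too. Since `cache_timeout` is defined only in vars/ubuntu.yml, this task now depends on the include_vars step in tasks/main.yml having run, which holds as long as apt.yml is reached only through main.yml; a one-line comment above the task saying so would save the next reader a search.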
@@ -13,27 +13,22 @@ # See the License for the specific language governing permissions and # limitations under the License. -#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache -#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged -#in 1.9.x or we move to 2.0 (if tested working) -- name: Check apt last update file - stat: - path: /var/cache/apt - register: apt_cache_stat - tags: - - auditd-apt-packages - -- name: Update apt if needed +- name: V-38631/38632 - The operating system must produce audit records (install auditd with apt) apt: - update_cache: yes - when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}" - tags: - - auditd-apt-packages - -- name: V-38631/38632 - The operating system must produce audit records (install auditd) - apt: - name: auditd + name: "{{ auditd_pkg }}" state: present + when: ansible_pkg_mgr == 'apt' + tags: + - auditd + - cat2 + - V-38632 + - V-38631 + +- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum) + yum: + name: "{{ auditd_pkg }}" + state: present + when: ansible_pkg_mgr == 'yum' tags: - auditd - cat2 @@ -104,6 +99,7 @@ apt: name: debsums state: present + when: ansible_pkg_mgr == 'apt' tags: - auditd - cat2 @@ -117,6 +113,7 @@ register: v38637_result changed_when: False failed_when: "'not installed' in v38637_result.stdout" + when: ansible_pkg_mgr == 'apt' tags: - auditd - cat2 
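Review bot: Every package install or removal is now written twice, an `apt:` task guarded by `ansible_pkg_mgr == 'apt'` and a `yum:` task guarded by `== 'yum'`, and the same pattern recurs in auth.yml, mail.yml, misc.yml and services.yml. A single task per control that uses the package manager name as the action, e.g. `action: "{{ ansible_pkg_mgr }} name={{ auditd_pkg }} state=present"`, keeps one name, one tag list and one `when:` per STIG item and prevents the two copies from drifting apart as conditions are edited. If the two-task form is kept, the duplicated `tags` and `when` blocks should at least be reviewed together on each change.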
@@ -125,7 +122,31 @@ - name: V-38637 - Contents of auditd package must be verified fail: msg: "FAILED: Could not verify that files from auditd package are unaltered" - when: not check_mode and v38637_result.rc == 2 + when: + - not check_mode + - ansible_pkg_mgr == 'apt' + - v38637_result.rc == 2 + tags: + - auditd + - cat2 + - V-38637 + +- name: Check audit package contents for alterations with rpm (for V-38637) + shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l + register: v38637_result + when: ansible_pkg_mgr == 'yum' + tags: + - auditd + - cat2 + - V-38637 + +- name: V-38637 - Contents of auditd package must be verified + fail: + msg: "FAILED: Could not verify that files from auditd package are unaltered" + when: + - not check_mode + - ansible_pkg_mgr == 'yum' + - v38637_result.stdout != "0" tags: - auditd - cat2 diff --git a/tasks/auth.yml b/tasks/auth.yml index a6618ccc..46a049c9 100644 --- a/tasks/auth.yml +++ b/tasks/auth.yml @@ -104,7 +104,7 @@ # /etc/pam.d/common-auth - name: V-38497 - The system must not have accounts configured with blank or null passwords. lineinfile: - dest: /etc/pam.d/common-auth + dest: "{{ pam_auth_file }}" state: present regexp: "^(.*)nullok_secure(.*)$" line: '\1\2' 
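Review bot: The new rpm verification task fails open: the pipeline's exit status is that of `wc -l`, so if `rpmverify` is absent or errors, stdout is `0` and the following fail task treats the audit packages as verified. Run it under bash with pipefail and keep the verify command's status, e.g. `shell: set -o pipefail; rpm -V audit audit-libs | grep -v audit.conf | wc -l` with `args:` / `executable: /bin/bash` and `failed_when: v38637_result.rc > 1` (rpm -V exits 1 when files differ, which is the expected case here, and higher when it cannot run). The task also omits the `changed_when: False` and `always_run: True` that the dpkg variant carries, so it reports a change every run and is skipped in check mode. Note that `grep -v audit.conf` discards any line containing that string, which is broader than excluding the expected auditd.conf modification.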
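Review bot: Parameterizing `dest` as `{{ pam_auth_file }}` is not enough for the V-38497 task to work on the EL side: the `regexp: "^(.*)nullok_secure(.*)$"` in the context lines matches the Debian-specific `nullok_secure` option, whereas the pam_unix line in a stock RHEL/CentOS 7 system-auth uses plain `nullok` (verify on a target image), so on those hosts the task matches nothing and blank passwords remain permitted. Make the option optional in the pattern and renumber the backreference, e.g. `regexp: "^(.*)nullok(_secure)?(.*)$"` with `line: '\1\3'`. The rest of this lineinfile task lies outside the hunk, so confirm the replacement still relies on backrefs there.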
@@ -191,21 +191,49 @@ - cat2 - V-38501 -- name: V-38591 - Remove rshd +- name: V-38591 - Remove rshd with apt apt: name: rsh-server state: absent - when: security_remove_rsh_server | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_rsh_server | bool tags: - auth - cat1 - V-38591 -- name: V-38587 - Remove telnet-server - apt: - name: telnetd +- name: V-38591 - Remove rshd with yum + yum: + name: rsh-server state: absent - when: security_remove_telnet_server | bool + when: + - ansible_pkg_mgr == 'yum' + - security_remove_rsh_server | bool + tags: + - auth + - cat1 + - V-38591 + +- name: V-38587 - Remove telnet-server with apt + apt: + name: "{{ telnet_server_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'apt' + - security_remove_telnet_server | bool + tags: + - auth + - cat1 + - V-38587 + +- name: V-38587 - Remove telnet-server with yum + yum: + name: "{{ telnet_server_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_telnet_server | bool tags: - auth - cat1 @@ -261,7 +289,7 @@ # SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default # hashing algorithm as well. - name: Check password hashing algorithm used by PAM (for V-38574) - shell: "grep '^\\s*password.*pam_unix.*sha512' /etc/pam.d/common-password" + shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}" register: v38574_result changed_when: False failed_when: False diff --git a/tasks/console.yml b/tasks/console.yml index d9c1abb5..2b630295 100644 --- a/tasks/console.yml +++ b/tasks/console.yml @@ -19,6 +19,15 @@ regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"' line: '#exec shutdown -r now "Control-Alt-Delete pressed"' state: present + when: not systemd_running | bool + tags: + - console + - cat1 + - V-38668 + +- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled + command: systemctl mask ctrl-alt-del.target + when: systemd_running | bool tags: - console - cat1 
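Review bot: The new `command: systemctl mask ctrl-alt-del.target` task has no `changed_when` and no `creates`, so it reports a change on every run and is skipped outright in check mode, hiding the control's state from an audit run. Masking creates the symlink `/etc/systemd/system/ctrl-alt-del.target` pointing at /dev/null, so `args:` / `creates: /etc/systemd/system/ctrl-alt-del.target` makes the task idempotent and check-mode aware without further registers. The Upstart lineinfile above it and this task share tags but exactly one of them always skips, which is fine but deserves a comment stating that the split is on `systemd_running`.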
diff --git a/tasks/mail.yml b/tasks/mail.yml index 6c814fe0..ab7b758a 100644 --- a/tasks/mail.yml +++ b/tasks/mail.yml @@ -13,10 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix) +- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt) apt: name: postfix state: present + when: ansible_pkg_mgr == 'apt' + tags: + - mail + - cat3 + - V-38669 + +- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum) + yum: + name: postfix + state: present + when: ansible_pkg_mgr == 'yum' tags: - mail - cat3 diff --git a/tasks/main.yml b/tasks/main.yml index dc9cc8fb..6a317253 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -13,15 +13,42 @@ # See the License for the specific language governing permissions and # limitations under the License. - - name: Verify if we're using check mode + - name: Gather variables for each operating system + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}.yml" + tags: + - always + + - name: Check if we're in check/audit mode command: /bin/true register: noop_result - - name: Set a fact if we're in check mode + - name: Check to see if systemd is in use + command: systemctl status + register: systemd_check + failed_when: False + always_run: True + + - name: Set facts set_fact: - check_mode: "{{ noop_result|skipped }}" + check_mode: "{{ noop_result | skipped }}" + systemd_running: "{{ systemd_check | success }}" - include: apt.yml + when: ansible_pkg_mgr == 'apt' + tag: + - apt + - package + + - include: rpm.yml + when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf' + tag: + - package + - rpm + - include: auditd.yml - include: auth.yml - include: boot.yml diff --git a/tasks/misc.yml b/tasks/misc.yml index e60176e2..b9067a22 100644 --- a/tasks/misc.yml +++ b/tasks/misc.yml @@ -13,10 +13,20 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: V-38489 - Install AIDE +- name: V-38489 - Install AIDE (with apt) apt: - name: aide - state: present + name: aide + state: present + when: ansible_pkg_mgr == 'apt' + tags: + - cat2 + - V-38489 + +- name: V-38489 - Install AIDE (with yum) + yum: + name: aide + state: present + when: ansible_pkg_mgr == 'yum' tags: - cat2 - V-38489 
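Review bot: Both new `include:` entries use the key `tag:` instead of `tags:`, so the `apt`/`package`/`rpm` tags are never attached to the included tasks; on the Ansible releases this role declares support for, an extra key on an `include:` line appears to be passed through as a variable rather than rejected, so `--tags package` and the `-t ssh` run added to tox.ini silently misbehave. Change both to `tags:`. The rpm.yml include also fires for `ansible_pkg_mgr == 'dnf'`, but every other new task in this commit is guarded with `== 'yum'` only, so a dnf host would run the repository checks and then skip every package install and removal without any report — either test for dnf consistently or drop it here. Finally, `with_first_found` on `include_vars` aborts the play when no candidate exists (no `skip: true`); treating an unsupported platform as a hard failure is reasonable, but say so in a comment above the task.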
@@ -76,10 +86,20 @@ - cat2 - V-38619 -- name: V-38620 - Synchronize system clock (installing chrony) +- name: V-38620 - Synchronize system clock (installing chrony with apt) apt: name: chrony state: present + when: ansible_pkg_mgr == 'apt' + tags: + - cat2 + - V-38620 + +- name: V-38620 - Synchronize system clock (installing chrony with yum) + yum: + name: chrony + state: present + when: ansible_pkg_mgr == 'yum' tags: - cat2 - V-38620 @@ -117,10 +137,20 @@ # The openstack-ansible project will configure logs to be rotated weekly and # compressed with each run. We won't change the interval here, but we will # ensure that logrotate is installed (to meet the STIG requirement). -- name: V-38624 - System logs must be rotated daily (install logrotate) +- name: V-38624 - System logs must be rotated daily (install logrotate with apt) apt: name: logrotate state: present + when: ansible_pkg_mgr == 'apt' + tags: + - cat3 + - V-38624 + +- name: V-38624 - System logs must be rotated daily (install logrotate with yum) + yum: + name: logrotate + state: present + when: ansible_pkg_mgr == 'yum' tags: - cat3 - V-38624 @@ -138,7 +168,7 @@ msg: "FAILED: Cron job for logrotate is missing" when: - not check_mode - - v38624_result.stat.exists == False + - not v38624_result.stat.exists | bool tags: - cat3 - V-38624 
@@ -158,32 +188,53 @@ regexp: "^(;)?client signing" line: "client signing = mandatory" insertafter: "############ Misc ############" - when: v38656_result.stat.exists == True + when: v38656_result.stat.exists | bool notify: - restart samba tags: - cat3 - V-38656 -- name: Check if SNMP daemon is installed (for V-38660) +- name: Check if SNMP daemon is installed using dpkg (for V-38660) shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\"" - register: v38660_snmpd_installed + register: v38660_snmpd_apt changed_when: False failed_when: False always_run: True + when: ansible_pkg_mgr == 'apt' tags: - cat2 - V-38660 +- name: Check if SNMP daemon is installed using rpm (for V-38660) + shell: "rpm -qi net-snmp" + register: v38660_snmpd_rpm + changed_when: False + failed_when: False + always_run: True + when: ansible_pkg_mgr == 'yum' + tags: + - cat2 + - V-38660 + +- name: Set fact for SNMP being installed + set_fact: + snmpd_installed: True + when: | + (v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or + (v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0) + # We shouldn't get any output from this grep since it looks for configuration # lines for the SNMP v1 and v2c protocols. - name: Check for insecure SNMP protocols (for V-38660) shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'" register: v38660_result - when: v38660_snmpd_installed.rc == 0 changed_when: False failed_when: False always_run: True + when: + - snmpd_installed is defined + - snmpd_installed | bool tags: - cat2 - V-38660 @@ -193,7 +244,8 @@ msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only" when: - not check_mode - - v38660_snmpd_installed.rc == 0 + - snmpd_installed is defined + - snmpd_installed | bool - v38660_result.rc == 0 tags: - cat2 
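Review bot: `snmpd_installed` is only ever set to `True` and otherwise left undefined, which is why every consumer needs the `is defined` guard and why a value inherited from an earlier play in the same run can never be cleared. Setting it unconditionally, `snmpd_installed: "{{ (v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or (v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0) }}"` with no `when:`, makes the fact always defined and lets the three consumers reduce to `snmpd_installed | bool`. The same applies to `vsftpd_installed` in the next hunk of this file. `rpm -qi net-snmp` prints the full package description; `rpm -q net-snmp` gives the same exit status with less noise in the registered output.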
@@ -219,23 +271,46 @@ - cat3 - V-38684 -- name: Check if vsftpd installed (for V-38599 and V-38702) +- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702) shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\"" - register: v38599_result + register: v38599_vsftpd_apt changed_when: False failed_when: False always_run: True + when: ansible_pkg_mgr == 'apt' tags: - cat2 - cat3 - V-38599 - V-38702 +- name: Check if vsftpd installed using rpm (for V-38599 and V-38702) + shell: "rpm -qi vsftpd" + register: v38599_vsftpd_rpm + changed_when: False + failed_when: False + always_run: True + when: ansible_pkg_mgr == 'yum' + tags: + - cat2 + - cat3 + - V-38599 + - V-38702 + +- name: Set fact for vsftpd being installed + set_fact: + vsftpd_installed: True + when: | + (v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or + (v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0) + - name: Copy login banner (for V-38599) copy: src: login_banner.txt dest: /etc/issue.net - when: v38599_result.rc == 0 + when: + - vsftpd_installed is defined + - vsftpd_installed | bool notify: - restart vsftpd tags: @@ -244,10 +319,12 @@ - name: V-38599 - Set warning banner for FTPS/FTP logins lineinfile: - dest: /etc/vsftpd/vsftpd.conf + dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?banner_file" line: "banner_file=/etc/issue.net" - when: v38599_result.rc == 0 + when: + - vsftpd_installed is defined + - vsftpd_installed | bool notify: - restart vsftpd tags: @@ -256,10 +333,12 @@ - name: V-38702 - Enable xferlog lineinfile: - dest: /etc/vsftpd.conf + dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?xferlog_enable" line: "xferlog_enable=YES" - when: v38599_result.rc == 0 + when: + - vsftpd_installed is defined + - vsftpd_installed | bool notify: - restart vsftpd tags: 
@@ -268,10 +347,12 @@ - name: V-38702 - Disable xferlog_std_format lineinfile: - dest: /etc/vsftpd.conf + dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?xferlog_std_format" line: "xferlog_std_format=NO" - when: v38599_result.rc == 0 + when: + - vsftpd_installed is defined + - vsftpd_installed | bool notify: - restart vsftpd tags: @@ -280,10 +361,12 @@ - name: V-38702 - Enable log_ftp_protocol lineinfile: - dest: /etc/vsftpd.conf + dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?log_ftp_protocol" line: "log_ftp_protocol=YES" - when: v38599_result.rc == 0 + when: + - vsftpd_installed is defined + - vsftpd_installed | bool notify: - restart vsftpd tags: @@ -295,6 +378,7 @@ register: v38674_result changed_when: False always_run: True + when: not systemd_running | bool tags: - cat2 - V-38674 @@ -302,7 +386,29 @@ - name: V-38674 - X Windows must not be enabled fail: msg: "FAILED: Default runlevel should be 2 (no X windows)" - when: v38674_result.rc != 0 + when: + - not systemd_running | bool + - v38674_result.rc != 0 + tags: + - cat2 + - V-38674 + +- name: Check if systemd is configured to load the graphical target + shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'" + register: v38674_result + always_run: True + failed_when: v38674_result.rc > 1 + when: systemd_running | bool + tags: + - cat2 + - V-38674 + +- name: V-38674 - X Windows must not be enabled + fail: + msg: "FAILED: Graphical target must not be enabled in systemd." + when: + - systemd_running | bool + - v38674_result.rc == 0 tags: - cat2 - V-38674 @@ -312,6 +418,7 @@ register: v51337_result changed_when: False always_run: True + when: ansible_pkg_mgr == 'apt' tags: - cat2 - V-51337 
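Review bot: The systemd variant of the V-38674 check asks whether `graphical.target` is currently active via `systemctl list-units`, which is a different question from the STIG's (whether the system boots into X): a host booted into multi-user for this run with graphical as its default passes, and one temporarily in graphical while defaulting to multi-user fails. `command: systemctl get-default` registered and compared with `'graphical.target' in v38674_result.stdout` answers the actual requirement and needs no pipeline or `rc > 1` handling. The new check also omits the `changed_when: False` that the sysvinit check above it has, so it reports a change every run. Two tasks in this file now share the name `V-38674 - X Windows must not be enabled`, which makes logs and `--start-at-task` ambiguous; suffixing `(sysvinit)`/`(systemd)` as done elsewhere in this commit would help.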
@@ -319,7 +426,30 @@ - name: V-51337 - The system must use a Linux Security Module at boot time fail: msg: "FAILED: AppArmor isn't enabled" - when: "'apparmor module is loaded' not in v51337_result.stdout" + when: + - ansible_pkg_mgr == 'apt' + - "'apparmor module is loaded' not in v51337_result.stdout" + tags: + - cat2 + - V-51337 + + +- name: Check if SELinux is enforcing (for V-51337) + command: getenforce + register: v51337_result + changed_when: False + always_run: True + when: ansible_pkg_mgr == 'yum' + tags: + - cat2 + - V-51337 + +- name: V-51337 - The system must use a Linux Security Module at boot time + fail: + msg: "FAILED: SELinux is not in enforcing mode." + when: + - ansible_pkg_mgr == 'yum' + - "'Enforcing' not in v51337_result.stdout" tags: - cat2 - V-51337 diff --git a/tasks/nfsd.yml b/tasks/nfsd.yml index 6fb133c8..0376e8f1 100644 --- a/tasks/nfsd.yml +++ b/tasks/nfsd.yml @@ -29,6 +29,7 @@ shell: grep all_squash /etc/exports register: v38460_result changed_when: v38460_result.rc == 0 + failed_when: False when: exports.stat.exists tags: - nfs @@ -49,6 +50,7 @@ shell: grep insecure_locks /etc/exports register: v38677_result changed_when: v38677_result.rc == 0 + failed_when: False when: exports.stat.exists tags: - nfs diff --git a/tasks/rpm.yml b/tasks/rpm.yml new file mode 100644 index 00000000..99de2566 --- /dev/null +++ b/tasks/rpm.yml 
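Review bot: The SELinux check is keyed on `ansible_pkg_mgr == 'yum'` and the AppArmor check on `== 'apt'`, which uses the package manager as a proxy for the security module; a Debian-family host running SELinux, or any host with a third package manager, is checked for the wrong LSM or for none. The `ansible_selinux` fact (which the `libselinux-python` requirement added in this commit makes available on rpm hosts) exposes `status` and `mode`, so `when: ansible_selinux.status == 'enabled' and ansible_selinux.mode != 'enforcing'` would cover the SELinux case without running `getenforce` and works in check mode as well — confirm the fact's shape on the target Ansible version. Two consecutive blank lines were also added before the SELinux check, while the rest of the file separates tasks with one.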
@@ -0,0 +1,76 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if CentOS 7 GPG keys are installed (for V-38476)
+ command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
+ register: v38476_result
+ changed_when: "v38476_result.rc != 0"
+ failed_when: False
+ always_run: True
+ tags:
+ - package
+ - cat1
+ - V-38476
+
+- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
+ fail:
+ msg: "FAILED: Missing CentOS 7 GPG keys"
+ when: "v38476_result.rc != 0"
+ tags:
+ - package
+ - cat1
+ - V-38476
+
+- name: Search for yum repositories with GPG checks disabled
+ command: grep -r "gpgcheck=0" /etc/yum.repos.d/
+ register: v38462_result
+ changed_when: False
+ failed_when: False
+ always_run: True
+ tags:
+ - package
+ - cat1
+ - V-38462
+
+- name: V-38462 - Package management tool must verify authenticity of packages
+ fail:
+ msg: "FAILED: Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
+ when: "v38462_result.rc == 0" + tags: + - package + - cat1 + - V-38462 + +- name: V-38481 - Install yum-cron for automatic updates + yum: + name: yum-cron + state: installed + when: security_unattended_upgrades_enabled | bool + tags: + - package + - cat2 + - V-38481 + +- name: V-38481 - System security patches and updates must be installed and up-to-date + lineinfile: + dest: /etc/yum/yum-cron.conf + regexp: "^apply_updates" + line: "apply_updates = yes" + state: present + when: security_unattended_upgrades_enabled | bool + tags: + - package + - cat2 + - V-38481 diff --git a/tasks/services.yml b/tasks/services.yml index 55977452..8dcedc38 100644 --- a/tasks/services.yml +++ b/tasks/services.yml @@ -13,9 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Generate list of sysv_services +- name: Generate list of services_installed shell: "find /etc/init.d/ -printf '%f\n'" - register: sysv_services + register: sysv_services_installed changed_when: false always_run: True tags: @@ -24,12 +24,29 @@ - cat2 - cat3 +- name: Generate a list of systemd service unit files + shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'" + register: systemd_services_installed + changed_when: false + always_run: True + tags: + - services + - cat1 + - cat2 + - cat3 + +- name: Register which services are installed depending on platform + set_fact: + services_installed: "{{ (systemd_running | bool) | ternary (systemd_services_installed, sysv_services_installed)}}" + - name: V-38437 - Automated file system mounting tools must be disabled service: name: autofs state: stopped enabled: no - when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout + when: + - security_disable_autofs | bool + - "'autofs' in services_installed.stdout" tags: - services - cat3 
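Review bot: The V-38481 tasks install yum-cron and set `apply_updates = yes`, but nothing enables or starts the `yum-cron` service, so on a CentOS 7 host the package sits idle and unattended updates never run even though the role reports the control as applied. A service task after the lineinfile, sketched below, closes that gap. The V-38462 grep also only matches the literal `gpgcheck=0` under /etc/yum.repos.d/, so `gpgcheck = 0` with spaces or a disabled check in the `[main]` section of /etc/yum.conf passes; `command: grep -rE '^\s*gpgcheck\s*=\s*0' /etc/yum.conf /etc/yum.repos.d/` covers both. `state: installed` on the yum task is an older alias of `present`; the rest of this commit uses `present`.
```yaml
# … unchanged: V-38481 yum-cron install and apply_updates lineinfile …
- name: V-38481 - Ensure the yum-cron service is running and enabled
  service:
    name: yum-cron
    state: started
    enabled: yes
  when: security_unattended_upgrades_enabled | bool
  tags:
    - package
    - cat2
    - V-38481
```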
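Review bot: The new `Generate a list of systemd service unit files` task is unconditional and has no `failed_when`, so on a host without `systemctl` (Ubuntu 14.04 is still listed in meta/main.yml) the shell errors and the play aborts before any service control is applied; add `when: systemd_running | bool`, since the ternary below already falls back to the sysvinit list. It also uses `systemctl list-units`, which shows only loaded units, so an installed service that is stopped but still enabled is missing from `services_installed` and the `enabled: no` half of the V-38437, V-38582 and V-38618 tasks never runs for it; `shell: "systemctl list-unit-files --type=service --no-legend | awk '{print $1}'"` lists every installed unit. Lastly, the `ternary` filter in the set_fact appears to postdate the `min_ansible_version: 1.8.3` declared in meta/main.yml; either raise that value or spell the choice out as an inline `if`/`else` expression.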
@@ -40,7 +57,9 @@ name: abrtd state: stopped enabled: no - when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout + when: + - security_disable_abrtd | bool + - "'abrtd' in services_installed.stdout" tags: - services - cat3 @@ -51,7 +70,9 @@ name: atd state: stopped enabled: no - when: security_disable_atd | bool and 'atd' in sysv_services.stdout + when: + - security_disable_atd | bool + - "'atd' in services_installed.stdout" tags: - services - cat3 @@ -62,7 +83,9 @@ name: qpidd state: stopped enabled: no - when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout + when: + - security_disable_qpidd | bool + - "'qpidd' in services_installed.stdout" tags: - services - cat3 @@ -73,7 +96,9 @@ name: bluetooth state: stopped enabled: no - when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout + when: + - security_disable_bluetooth | bool + - "'bluetooth' in services_installed.stdout" tags: - services - cat2 
@@ -84,28 +109,58 @@ name: xinetd state: stopped enabled: no - when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout + when: + - security_disable_xinetd | bool + - "'xinetd' in services_installed.stdout" tags: - services - cat2 - V-38582 -- name: V-38584 - xinetd must be uninstalled if not in use +- name: V-38584 - xinetd must be uninstalled if not in use (apt) apt: name: xinetd state: absent - when: security_remove_xinetd | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_xinetd | bool + tags: + - services + - cat3 + - V-38584 + +- name: V-38584 - xinetd must be uninstalled if not in use (yum) + yum: + name: xinetd + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_xinetd | bool tags: - services - cat3 - V-38584 # Ubuntu's equivalent of Red Hat's ypserv package is 'nis' -- name: V-38603 - Remove ypserv (nis) package +- name: V-38603 - Remove ypserv package with apt apt: - name: nis + name: "{{ ypserv_pkg }}" state: absent - when: security_remove_ypserv | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_ypserv | bool + tags: + - services + - cat2 + - V-38603 + +- name: V-38603 - Remove ypserv package with yum + yum: + name: "{{ ypserv_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_ypserv | bool tags: - services - cat2 @@ -113,7 +168,7 @@ - name: V-38605 - The cron service must be running service: - name: cron + name: "{{ cron_service }}" state: started enabled: yes tags: 
@@ -121,11 +176,25 @@ - cat2 - V-38605 -- name: V-38606 - The tftp-server package must not be installed unless required +- name: V-38606 - The tftp-server package must not be installed unless required (apt) apt: - name: tftpd + name: "{{ tftp_pkg }}" state: absent - when: security_remove_tftp_server | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_tftp_server | bool + tags: + - services + - cat2 + - V-38606 + +- name: V-38606 - The tftp-server package must not be installed unless required (yum) + yum: + name: "{{ tftp_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_tftp_server | bool tags: - services - cat2 
@@ -136,37 +205,81 @@ name: avahi-daemon state: stopped enabled: no - when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout + when: + - security_disable_avahi | bool + - "'avahi' in services_installed.stdout" tags: - services - cat3 - V-38618 -- name: V-38627 - Remove LDAP servers unless required +- name: V-38627 - Remove LDAP servers unless required (apt) apt: - name: slapd + name: "{{ ldap_server_pkg }}" state: absent - when: security_remove_ldap_server | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_ldap_server | bool tags: - services - cat3 - V-38627 -- name: V-38671 - Remove sendmail +- name: V-38627 - Remove LDAP servers unless required (yum) + yum: + name: "{{ ldap_server_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_ldap_server | bool + tags: + - services + - cat3 + - V-38627 + +- name: V-38671 - Remove sendmail with apt apt: name: sendmail state: absent - when: security_remove_sendmail | bool + when: + - ansible_pkg_mgr == 'apt' + - security_remove_sendmail | bool tags: - services - cat2 - V-38671 -- name: V-38676 - The X windows package must not be installed - apt: - name: xserver-xorg +- name: V-38671 - Remove sendmail with yum + yum: + name: sendmail state: absent - when: security_remove_xorg | bool + when: + - ansible_pkg_mgr == 'yum' + - security_remove_sendmail | bool + tags: + - services + - cat2 + - V-38671 + +- name: V-38676 - The X windows package must not be installed (apt) + apt: + name: "{{ xserver_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'apt' + - security_remove_xorg | bool + tags: + - services + - cat3 + - V-38676 + +- name: V-38676 - The X windows package must not be installed (yum) + yum: + name: "{{ xserver_pkg }}" + state: absent + when: + - ansible_pkg_mgr == 'yum' + - security_remove_xorg | bool tags: - services - cat3 diff --git a/tests/test.yml b/tests/test.yml index a7b6dd6c..b0cfc812 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -19,26 +19,32 @@ - name: Ensure apt cache is updated before testing apt: update_cache: yes + when: ansible_pkg_mgr == 'apt' post_tasks: - name: Stat 20auto-upgrades file stat: path: /etc/apt/apt.conf.d/20auto-upgrades register: auto_upgrades_file + when: ansible_pkg_mgr == 'apt' - name: Slurp contents of 50unattended-upgrades file slurp: src: /etc/apt/apt.conf.d/50unattended-upgrades register: unattended_upgrades_file_encoded + when: ansible_pkg_mgr == 'apt' - name: Decode slurp'd 50-unattended-upgrades file set_fact: unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" + when: ansible_pkg_mgr == 'apt' - name: Ensure auto updates has been enabled assert: that: - auto_upgrades_file.stat.exists + when: ansible_pkg_mgr == 'apt' - name: Ensure that auto update notifications has been enabled assert: that: - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" + when: ansible_pkg_mgr == 'apt' roles: - role: "{{ rolename }}" vars: diff --git a/tox.ini b/tox.ini index 79319864..bbe6b89e 100644 --- a/tox.ini +++ b/tox.ini @@ -13,6 +13,7 @@ passenv = HOME whitelist_externals = bash + cat git rm setenv = @@ -91,6 +92,7 @@ commands = --syntax-check \ --list-tasks \ -e "rolename={toxinidir}" \ + -t ssh \ {toxinidir}/tests/test.yml 
@@ -103,16 +105,21 @@ commands = # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building # images with apt config Apt::Get::AllowUnauthenticated set # to true. -# NOTE(mhayden): Some infra images don't have AppArmor enabled, so V-51337 -# must be skipped. +# NOTE(mhayden): V-51337: OpenStack infra images don't have AppArmor +# enabled, so it must be skipped. +# V-38674: OpenStack infra images have graphical target +# enabled, so it must be skipped. +# V-38574: OpenStack infra images have non-standard pam +# configurations that don't match a standard CentOS 7 server +# or cloud image. It must be skipped. commands = rm -rf {homedir}/.ansible git clone https://git.openstack.org/openstack/openstack-ansible-plugins \ {homedir}/.ansible/plugins ansible-playbook -i {toxinidir}/tests/inventory \ -e "rolename={toxinidir}" \ - {toxinidir}/tests/test.yml \ - --skip-tag V-38462,V-51337 + --skip-tag V-38462,V-51337,V-38574,V-38674 \ + {toxinidir}/tests/test.yml [testenv:linters] diff --git a/vars/redhat.yml b/vars/redhat.yml new file mode 100644 index 00000000..f093f40f --- /dev/null +++ b/vars/redhat.yml 
@@ -0,0 +1,31 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Configuration file paths
+pam_auth_file: /etc/pam.d/system-auth
+pam_password_file: /etc/pam.d/password-auth-ac
+vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
+
+# Package names
+auditd_pkg: audit
+ldap_server_pkg: openldap-servers
+telnet_server_pkg: telnet-server
+tftp_pkg: tftp-server
+xserver_pkg: xorg-x11-server-Xorg
+ypserv_pkg: ypserv
+
+# Service names
+cron_service: crond
+ssh_service: sshd
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
new file mode 100644
index 00000000..0ce42281
--- /dev/null
+++ b/vars/ubuntu.yml
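Review bot: `pam_auth_file` points at `/etc/pam.d/system-auth` while `pam_password_file` points at `/etc/pam.d/password-auth-ac`; on RHEL/CentOS 7 the un-suffixed names are normally symlinks to authconfig-managed `-ac` files (verify on a target image), so the two keys address the same mechanism at different layers, and a lineinfile edit made through the symlink may replace the link with a regular file depending on the module's follow behaviour. Pick one layer for both keys and record the consequence above them, e.g. `# authconfig regenerates the *-ac files; re-run this role after any authconfig change`. Unlike vars/ubuntu.yml there is no `cache_timeout` here, which is correct only while apt.yml is included solely on apt hosts — a comment noting that would stop someone adding it back.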
@@ -0,0 +1,34 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Maximum age of the apt cache before a refresh is required
+cache_timeout: 600
+
+# Configuration file paths
+pam_auth_file: /etc/pam.d/common-auth
+pam_password_file: /etc/pam.d/common-password
+vsftpd_conf_file: /etc/vsftpd.conf
+
+# Package names
+auditd_pkg: auditd
+ldap_server_pkg: slapd
+telnet_server_pkg: telnetd
+tftp_pkg: tftpd
+xserver_pkg: xorg-xserver
+ypserv_pkg: nis
+
+# Service name
+cron_service: cron
+ssh_service: ssh
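Review bot: `xserver_pkg: xorg-xserver` does not match the package the removed apt task in services.yml targeted, `xserver-xorg`; as written the V-38676 removal on Ubuntu asks apt for a name that, to my knowledge, does not exist in the archive, so the X server is no longer removed and the apt module is unlikely to surface this for `state: absent`. Change it to `xserver_pkg: xserver-xorg`. `cache_timeout` is compared against epoch seconds in apt.yml, so state the unit in its comment: `# Maximum age (in seconds) of the apt cache before a refresh is required`. The `# Service name` heading should read `# Service names` to match vars/redhat.yml.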