diff --git a/tasks/apt.yml b/tasks/apt.yml
index c75f95b5..3a680ee6 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -22,6 +22,7 @@
   command: apt-key list
   register: v38476_result
   changed_when: "v38476_result.rc != 0"
+  always_run: True
 
 - name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
   fail:
@@ -45,6 +46,7 @@
   register: v38462_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat1
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index c73f5919..5784dec8 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -30,17 +30,28 @@
     name: auditd
     state: started
     enabled: true
+  when: not check_mode
   tags:
     - auditd
     - cat2
     - V-38632
     - V-38631
 
+- name: Verify that auditd.conf exists
+  stat:
+    path: /etc/audit/auditd.conf
+  register: auditd_conf
+  always_run: true
+  tags:
+    - auditd
+    - always
+
 - name: V-38633 - The system must set a maximum audit log file size
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file ="
     line: "max_log_file = {{ max_log_file }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -53,6 +64,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file_action ="
     line: "max_log_file_action = {{ max_log_file_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -65,6 +77,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?num_logs ="
     line: "num_logs = {{ num_logs }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
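Review bot: The added `always_run: True` uses Python-style capitalised booleans while the stat tasks this commit adds in auditd.yml and mail.yml write `always_run: true` and the service tasks keep `enabled: yes`; yamllint's truthy rule accepts only lowercase `true`/`false`, so `always_run: true` would keep the commit consistent (the same applies to every other `always_run: True` line in this commit). If the role is meant to run on Ansible 2.2 or newer, `always_run` is deprecated there in favour of `check_mode: false`, which is worth checking against the supported version. The task that registers `v38476_result` starts above the hunk.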
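Review bot: `when: not check_mode` on the auditd service task means a `--check` run no longer reports whether auditd is running and enabled, although the service module supports check mode on its own. Presumably the guard exists because the package install above the hunk is skipped in check mode; gating on whether the package is present (the result of that install task, or a stat such as the `auditd_conf` probe this hunk adds, moved ahead of the service task) would keep the drift report while still avoiding the failure. The same guard is applied to the postfix service in mail.yml and the chrony service in misc.yml. Likewise `when: auditd_conf.stat.exists | bool` makes a host without auditd.conf skip every auditd.conf check silently; a `debug` or `assert` on `auditd_conf.stat.exists` would surface that as a finding instead. The service task starts above the hunk.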
@@ -97,17 +110,27 @@
 - name: V-38637 - Contents of auditd package must be verified
   fail:
     msg: "FAILED: Could not verify that files from auditd package are unaltered"
-  when: v38637_result.rc == 2
+  when: not check_mode and v38637_result.rc == 2
   tags:
     - auditd
     - cat2
     - V-38637
 
+- name: Verify that auditd log directory exists (for V-38445)
+  stat:
+    path: /var/log/audit/
+  register: auditd_log_dir
+  always_run: True
+  tags:
+    - auditd
+    - always
+
 - name: V-38445 - Audit log files must be group-owned by root
   file:
     dest: /var/log/audit/
     group: root
     recurse: true
+  when: auditd_log_dir.stat.exists | bool
   tags:
     - auditd
     - cat2
@@ -118,6 +141,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_error_action"
     line: "disk_error_action = {{ disk_error_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -130,6 +154,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_full_action"
     line: "disk_full_action = {{ disk_full_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -142,6 +167,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left"
     line: "space_left = {{ space_left }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -154,6 +180,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left_action"
     line: "space_left_action = {{ space_left_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -166,6 +193,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?action_mail_acct"
     line: "action_mail_acct = {{ action_mail_acct }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -178,6 +206,7 @@
     dest: /var/log/audit/
     owner: root
     recurse: true
+  when: auditd_log_dir.stat.exists | bool
   tags:
     - auditd
     - cat2
@@ -202,6 +231,7 @@
     dest: "/var/log/audit/{{ item }}"
     mode: 0400
   with_items: v38498_result.stdout_lines
+  when: v_38498_result is defined
   tags:
     - auditd
     - cat2
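Review bot: `when: not check_mode and v38637_result.rc == 2` hides the V-38637 finding precisely in the mode an assessor would use on a host, because a skipped `fail` task produces no visible output. If the task that registers `v38637_result` (above the hunk) is skipped in check mode, the guard should say so directly, `when: not (v38637_result | skipped) and v38637_result.rc == 2`; if that task carries `always_run`, the `not check_mode` term only suppresses a result that was computed anyway. The same pattern is applied to V-38497 and V-58901 in auth.yml, where the registering shell tasks do receive `always_run: True` in this commit, so those two findings are now evaluated but never reported under `--check`. If the goal is to keep a check run from aborting, a `debug` task with the same `msg` and condition would report the finding instead of silently skipping it.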
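Review bot: `when: v_38498_result is defined` tests a variable that is never registered — the loop on the line above reads `v38498_result.stdout_lines` — so the condition is always false and the V-38498 task that sets `mode: 0400` on the audit log files is now skipped on every run, in check mode and normal runs alike, silently dropping that hardening step. The guard should be `when: v38498_result is defined`, or `when: v38498_result.stdout_lines is defined` if the aim is only to tolerate the registering command being skipped in check mode. The task's header and its `register` line are above the hunk.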
@@ -223,6 +253,7 @@
     regexp: "^(#)?active"
     line: "active = yes"
     state: present
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -235,6 +266,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?admin_space_left_action"
     line: "admin_space_left_action = {{ admin_space_left_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
diff --git a/tasks/auth.yml b/tasks/auth.yml
index a997c966..7e86c673 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -69,6 +69,7 @@
   register: v38496_result
   changed_when: v38496_result.stdout != '0'
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -92,6 +93,7 @@
   register: v38497_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat1
@@ -102,7 +104,7 @@
 - name: V-38497 - The system must not have accounts configured with blank or null passwords.
   fail:
     msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
-  when: "v38497_result.rc == 0"
+  when: not check_mode and v38497_result.rc == 0
   tags:
     - auth
     - cat1
@@ -141,6 +143,7 @@
   shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
   register: v38500_result
   changed_when: v38500_result.stdout != '0'
+  always_run: True
   tags:
     - auth
     - cat2
@@ -206,6 +209,7 @@
   shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
   register: v38499_result
   changed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -255,6 +259,7 @@
   register: v38574_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -274,6 +279,7 @@
   shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
   register: v38576_result
   changed_when: v38576_result.rc != 0
+  always_run: True
   tags:
     - auth
     - cat2
@@ -298,6 +304,7 @@
   register: v38577_libuser_check
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -331,6 +338,7 @@
   register: v38681_result
   changed_when: False
   failed_when: v38681_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat3
@@ -360,6 +368,7 @@
   shell: pwck -rq | wc -l
   register: v38683_result
   changed_when: False
+  always_run: True
   tags:
     - auth
     - cat3
@@ -379,6 +388,7 @@
   register: v58901_nopasswd_result
   changed_when: False
   failed_when: v58901_nopasswd_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat2
@@ -389,6 +399,7 @@
   register: v58901_authenticate_result
   changed_when: False
   failed_when: v58901_authenticate_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat2
@@ -397,7 +408,9 @@
 - name: V-58901 - The sudo command must require authentication
   fail:
     msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
-  when: v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0
+  when: >
+    not check_mode
+    and (v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0)
   tags:
     - auth
     - cat2
diff --git a/tasks/mail.yml b/tasks/mail.yml
index 75561d6f..7e30dd64 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@@ -22,11 +22,12 @@
     - cat3
     - V-38669
 
-- name: V-38669 - The postfix service must be enabled for mail delivery (ebable postfix)
+- name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix)
   service:
     name: postfix
     state: started
     enabled: yes
+  when: not check_mode
   tags:
     - mail
     - cat3
@@ -47,11 +48,20 @@
     - cat2
     - V-38446
 
+- name: Verify that Postfix's main.cf exists
+  stat:
+    path: /etc/postfix/main.cf
+  register: postfix_main_cf
+  always_run: true
+  tags:
+    - always
+
 - name: V-38622 - Mail relaying must be restricted
   lineinfile:
     dest: /etc/postfix/main.cf
     regexp: "^(#)?inet_interfaces"
     line: "inet_interfaces = {{ postfix_inet_interfaces }}"
+  when: postfix_main_cf.stat.exists | bool
   notify:
     - restart postfix
   tags:
diff --git a/tasks/main.yml b/tasks/main.yml
index 126e0804..dc9cc8fb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Verify if we're using check mode
+  command: /bin/true
+  register: noop_result
+
+- name: Set a fact if we're in check mode
+  set_fact:
+    check_mode: "{{ noop_result|skipped }}"
+
 - include: apt.yml
 - include: auditd.yml
 - include: auth.yml
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 27474405..0569012a 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -52,6 +52,7 @@
   shell: find /root /home -xdev -name .netrc | wc -l
   register: v38619_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38619
@@ -77,14 +78,24 @@
     name: chrony
     state: started
     enabled: yes
+  when: not check_mode
   tags:
     - cat2
     - V-38620
 
+- name: Check for chrony.conf
+  stat:
+    path: /etc/chrony/chrony.conf
+  register: chrony_conf
+  tags:
+    - always
+    - V-38620
+
 - name: V-38620 - Synchronize system clock (configuration file)
   template:
     src: chrony.conf.j2
     dest: /etc/chrony/chrony.conf
+  when: chrony_conf.stat.exists | bool
   notify:
     - restart chrony
   tags:
@@ -146,6 +157,7 @@
   register: v38660_snmpd_installed
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38660
@@ -158,6 +170,7 @@
   when: v38660_snmpd_installed.rc == 0
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38660
@@ -195,6 +208,7 @@
   register: v38599_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - cat3
@@ -264,6 +278,7 @@
   shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
   register: v38674_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38674
@@ -280,6 +295,7 @@
   shell: "apparmor_status 2>&1 | head -n 1"
   register: v51337_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-51337
diff --git a/tasks/services.yml b/tasks/services.yml
index 70e24c27..e26884a6 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
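Review bot: Neither of the two new tasks in main.yml carries the `always` tag, yet the role is driven by tags (`cat1`, `auth`, …) and every task this commit guards with `when: not check_mode` now depends on the fact they set; a run limited with `--tags` skips the probe and fails on an undefined `check_mode`. Both tasks need `tags: [always]` like the stat probes added elsewhere in this commit, and the `command: /bin/true` probe needs `changed_when: false` so it stops reporting a change on every run. `"{{ noop_result|skipped }}"` is rendered to a string that the templater has to convert back into a boolean before `not check_mode` works; `| bool` makes that explicit. If the role is meant for Ansible 2.1 or newer, the built-in `ansible_check_mode` variable makes the probe unnecessary, and a fact named `check_mode` is easy to confuse with the `check_mode` task keyword that later releases introduce.
```yaml
- name: Verify if we're using check mode
  command: /bin/true
  register: noop_result
  changed_when: false
  tags:
    - always

- name: Set a fact if we're in check mode
  set_fact:
    check_mode: "{{ noop_result | skipped | bool }}"
  tags:
    - always
```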
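Review bot: The `Check for chrony.conf` stat task is the only one of the four existence probes in this commit without `always_run`, while the auditd and postfix probes have it; as far as I know the stat module runs under check mode on its own, so either the flag is redundant on the other three or it is missing here, and the four should agree. Gating the template on `chrony_conf.stat.exists | bool` also means a host where chrony is installed but the file has been removed never gets the hardened configuration restored; gating on the package install result instead would match the intent more closely. The chrony service task starts above the hunk.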
@@ -17,6 +17,7 @@
   shell: "find /etc/init.d/ -printf '%f\n'"
   register: sysv_services
   changed_when: false
+  always_run: True
   tags:
     - services
     - cat1