From fa2800419e65b0c4b0126358614f70ffd9c4abe5 Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Mon, 9 May 2016 16:18:48 -0500 Subject: [PATCH] Migrate to unique variable names This patch migrates all of the remaining non-unique variable names in the security role to a pattern that begins with `security_*`. This will reduce potential variable collisions with other roles. This is a breaking change for deployers and users who are moving from the liberty or stable/mitaka branches to master. Release notes are included with additional details to help with the transition. Closes-Bug: 1578326 Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189 --- defaults/main.yml | 90 ++++++++++--------- doc/source/configuration.rst | 23 ++--- doc/source/developer-notes/V-38446.rst | 4 +- doc/source/developer-notes/V-38464.rst | 16 ++-- doc/source/developer-notes/V-38468.rst | 18 ++-- doc/source/developer-notes/V-38470.rst | 20 ++--- doc/source/developer-notes/V-38475.rst | 2 +- doc/source/developer-notes/V-38477.rst | 2 +- doc/source/developer-notes/V-38479.rst | 2 +- doc/source/developer-notes/V-38480.rst | 2 +- doc/source/developer-notes/V-38481.rst | 2 +- doc/source/developer-notes/V-38497.rst | 2 +- doc/source/developer-notes/V-38501.rst | 10 +-- doc/source/developer-notes/V-38546.rst | 2 +- doc/source/developer-notes/V-38608.rst | 4 +- doc/source/developer-notes/V-38610.rst | 2 +- doc/source/developer-notes/V-38613.rst | 2 +- doc/source/developer-notes/V-38620.rst | 9 +- doc/source/developer-notes/V-38622.rst | 2 +- doc/source/developer-notes/V-38633.rst | 8 +- doc/source/developer-notes/V-38634.rst | 6 +- doc/source/developer-notes/V-38636.rst | 8 +- doc/source/developer-notes/V-38642.rst | 6 +- doc/source/developer-notes/V-38645.rst | 2 +- doc/source/developer-notes/V-38649.rst | 2 +- doc/source/developer-notes/V-38651.rst | 2 +- doc/source/developer-notes/V-38675.rst | 2 +- doc/source/developer-notes/V-38678.rst | 5 +- doc/source/developer-notes/V-38680.rst | 4 +- doc/source/developer-notes/V-38684.rst | 2 +- 
doc/source/developer-notes/V-38692.rst | 7 +- doc/source/developer-notes/V-51391.rst | 2 +- doc/source/developer-notes/V-54381.rst | 6 +- doc/source/developer-notes/V-58901.rst | 12 +-- handlers/main.yml | 2 +- ...e-variable-migration-c0639030b495438f.yaml | 20 +++++ tasks/apt.yml | 8 +- tasks/auditd.yml | 18 ++-- tasks/auth.yml | 30 +++---- tasks/file_perms.yml | 18 ++-- tasks/kernel.yml | 2 +- tasks/mail.yml | 12 +-- tasks/misc.yml | 6 +- tasks/sshd.yml | 6 +- templates/ZZ_aide_exclusions.j2 | 2 +- templates/chrony.conf.j2 | 4 +- templates/jail.local.j2 | 2 +- tests/test.yml | 4 +- 48 files changed, 225 insertions(+), 197 deletions(-) create mode 100644 releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml diff --git a/defaults/main.yml b/defaults/main.yml index 872ba023..311db9ac 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -14,6 +14,8 @@ # limitations under the License. ## APT Cache Options +# This variable is used across multiple OpenStack-Ansible roles to handle the +# apt cache updates as efficiently as possible. cache_timeout: 600 ### Default configurations for openstack-ansible-security ##################### @@ -30,7 +32,7 @@ cache_timeout: 600 # terrible places on the system, such as /var/lib/lxc and images in /opt. # The following three default exclusions are highly recommended for AIDE to # work properly, but additional exclusions can be added to this list if needed. -aide_exclude_dirs: +security_aide_exclude_dirs: - /var/lib/lxc - /openstack - /opt @@ -39,7 +41,7 @@ aide_exclude_dirs: # consume plenty of CPU and I/O resources while it runs. To initialize the # AIDE database immediately when the playbook finishes, set the following # variable to 'true': -initialize_aide: false +security_initialize_aide: false ## Audit daemon # The following booleans control the rule sets added to auditd's default 
@@ -84,36 +86,36 @@ security_audit_sudoers: yes # V-38578 # # Set an action to occur when there is a disk error. Review the # documentation for V-38464 before changing this option. -disk_error_action: SYSLOG # V-38464 +security_disk_error_action: SYSLOG # V-38464 # # Set an action to occur when the disk is full. Review the documentation for # V-38468 before changing this option. -disk_full_action: SYSLOG # V-38468 +security_disk_full_action: SYSLOG # V-38468 # # V-38678 - Set the amount of megabytes left when the space_left_action # triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a # default of 75MB, which is reasonable. -space_left: 75 # V-38678 +security_space_left: 75 # V-38678 # # Set an action to occur when the disk is approaching its capacity. # Review the documentation for V-38470 before changing this option. -space_left_action: SYSLOG # V-38470 +security_space_left_action: SYSLOG # V-38470 # # Set the maximum size of a rotated log file. Ubuntu's default # matches the STIG requirement of 6MB. -max_log_file: 6 # V 38633 +security_max_log_file: 6 # V 38633 # # Sets the action to take when log files reach the maximum file size. # Review the documentation for V-38634 before changing this option. -max_log_file_action: ROTATE # V-38634 +security_max_log_file_action: ROTATE # V-38634 # # Set the number of rotated audit logs to keep. Ubuntu has 5 as the default # and this matches the STIG's requirements. -num_logs: 5 # V-38636 +security_num_logs: 5 # V-38636 # # Set the email address of someone who can receive and respond to notifications # about low disk space for log volumes. -action_mail_acct: root # V-38680 +security_action_mail_acct: root # V-38680 # # **IMMINENT DANGER** # The STIG says that the system should switch to single user mode when the 
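Review bot: The STIG reference on the renamed `security_max_log_file` line is still written `# V 38633`, unlike every other trailing reference in this hunk, which use the `V-NNNNN` form that the developer-notes filenames follow; since the line is already being rewritten, make it `security_max_log_file: 6 # V-38633` so a grep for the control ID finds it. On `security_action_mail_acct: root`, root's mailbox presumably only reaches a person when mail forwarding is configured, so a pointer such as `# Only useful if security_root_forward_email is also set` would help deployers who rely on these notifications.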
@@ -121,18 +123,18 @@ action_mail_acct: root # V-38680 # and should only be set to 'single' for deployers in extremely high security # environments. Ubuntu's default is SUSPEND, which will suspend logging. # **IMMENENT DANGER** -admin_space_left_action: SUSPEND # V-54381 +security_admin_space_left_action: SUSPEND # V-54381 ## Chrony (NTP) configuration # Adjust the following NTP servers if necessary. -ntp_servers: +security_ntp_servers: - 0.north-america.pool.ntp.org - 1.north-america.pool.ntp.org - 2.north-america.pool.ntp.org - 3.north-america.pool.ntp.org # Chrony limits access to clients that are on certain subnets. Adjust the # following subnets here to limit client access to chrony servers. -allowed_ntp_subnets: +security_allowed_ntp_subnets: - 10/8 - 192.168/16 - 172.16/12 @@ -140,7 +142,7 @@ allowed_ntp_subnets: ## Core dumps # V-38675 requires disabling core dumps for all users unless absolutely # necessary. Set this variable to 'no' to skip this change. -disable_core_dumps: yes # V-38675 +security_disable_core_dumps: yes # V-38675 ## Services # The STIG recommends ensuring that some services are running if no services 
@@ -179,16 +181,16 @@ security_remove_ypserv: yes # V-38603 # they can be adjusted to fit a particular environment. # # Set a 15 minute time out for SSH sessions if there is no activity -ssh_client_alive_interval: 900 # V-38608 +security_ssh_client_alive_interval: 900 # V-38608 # # Timeout ssh sessions as soon as ClientAliveInterval is reached once -ssh_client_alive_count_max: 0 # V-38610 +security_ssh_client_alive_count_max: 0 # V-38610 # # The ssh daemon must not permit root logins. The default value of 'yes' is a # deviation from the STIG requirements due to how openstack-ansible operates, # especially within OpenStack CI gate jobs. See documentation for V-38613 for # more details. -ssh_permit_root_login: 'yes' # V-38613 +security_ssh_permit_root_login: 'yes' # V-38613 ## Kernel # Set these booleans to 'yes' to disable the kernel module (following the @@ -211,7 +213,7 @@ security_sysctl_tcp_syncookies: 1 # V-38539 # Deployers who wish to disable IPv6 entirely must set this configuration # variable to 'yes'. See the documentation for V-38546 before making this # change. -disable_ipv6: no # V-38546 +security_disable_ipv6: no # V-38546 ## Mail # The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will @@ -221,12 +223,12 @@ disable_ipv6: no # V-38546 # need to receive emails over the network (which isn't common). # # See the documentation for V-38622 for more details. -postfix_inet_interfaces: localhost # V-38622 +security_postfix_inet_interfaces: localhost # V-38622 # # Configuring an email address here will cause hosts to forward the root user's # email to another address. # -#root_forward_email: user@example.com +#security_root_forward_email: user@example.com ## PAM and authentication # V-38497 requires that accounts with null passwords aren't allowed to 
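Review bot: The comment above the renamed `security_ssh_client_alive_count_max: 0` says sessions time out as soon as the interval is reached once, but that depends on how the targeted sshd interprets a zero count; if I recall correctly, OpenSSH 8.2 and later treat `ClientAliveCountMax 0` as "never terminate", which would silently defeat V-38610 on newer hosts while leaving the role's check green. Worth a caveat on that line such as `# NOTE: newer OpenSSH treats 0 as "never disconnect"; use 1 there to keep the V-38610 timeout` and a confirmation of the sshd version the role targets. `security_ssh_permit_root_login: 'yes'` correctly keeps the quoting that V-38613's note says is required.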
@@ -234,38 +236,40 @@ postfix_inet_interfaces: localhost # V-38622 # documentation for V-38497 for more details. Set the variable below to 'yes' # to remove 'nullok_secure' from the PAM configuration or set it to 'no' to # leave the PAM configuration unaltered. -pam_remove_nullok: yes # V-38497 +security_pam_remove_nullok: yes # V-38497 # # V-38501 requires that failed login attempts must lock a user account using # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban # can be installed to lock out IP addresses with failed logins for 15 minutes. # Set the variable below to 'yes' to install and configure fail2ban. -install_fail2ban: no # V-38501 +security_install_fail2ban: no # V-38501 # # The STIG requires bans to last 15 minutes. Adjust the following variable # to set the time an IP is banned by fail2ban (in seconds). -fail2ban_bantime: 900 # V-38501 +security_fail2ban_bantime: 900 # V-38501 ## Password complexity and aging -# V-38475 - There is no password length requirement by default in Ubuntu -# 14.04. To set a password length requirement, uncomment -# password_minimum_length below. The STIG recommendation is 14 characters. -#password_minimum_length: 14 # V-38475 -# V-38477 - There is no password change limitation set by default in Ubuntu. -# To set the minimum number of days between password changes, uncomment -# the password_minimum_days variable below. The STIG recommendation is 1 day. -#password_minimum_days: 1 # V-38477 +# V-38475 - There is no password length requirement by default in Ubuntu 14.04. +# To set a password length requirement, uncomment +# security_password_minimum_length below. The STIG recommendation is 14 +# characters. +#security_password_minimum_length: 14 # V-38475 +# V-38477 - There is no password change limitation set by default in Ubuntu. To +# set the minimum number of days between password changes, uncomment the +# security_password_minimum_days variable below. The STIG recommendation is 1 +# day. 
+#security_password_minimum_days: 1 # V-38477 # V-38479 - There is no age limit on password by default in Ubuntu. Uncomment # line below to use the STIG recommendation of 60 days. -#password_maximum_days: 60 # V-38479 +#security_password_maximum_days: 60 # V-38479 # V-38480 - To warn users before their password expires, uncomment the line # below and they will be warned 7 days prior (following the STIG). -#password_warn_age: 7 # V-38480 +#security_password_warn_age: 7 # V-38480 # V-38684 - Setting the maximum number of simultaneous logins per user. The # STIG sets a limit of 10. -#max_simultaneous_logins: 10 # V-38684 +#security_max_simultaneous_logins: 10 # V-38684 # V-38692 - Lock accounts that are inactive for 35 days. -#inactive_account_lock_days: 35 # V-38692 +#security_inactive_account_lock_days: 35 # V-38692 ## sudo # V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any @@ -274,8 +278,8 @@ fail2ban_bantime: 900 # V-38501 # parameters or leave them set to 'no' (the default) to leave sudoers files # unaltered. Deployers are urged to review the documentation for this STIG # before making changes. -sudoers_remove_nopasswd: no # V-58901 -sudoers_remove_authenticate: no # V-58901 +security_sudoers_remove_nopasswd: no # V-58901 +security_sudoers_remove_authenticate: no # V-58901 ## umask settings # The STIG recommends changing various default umask settings for users and 
@@ -291,17 +295,17 @@ sudoers_remove_authenticate: no # V-58901 # service disruptions. # # V-38642 - Set umask for daemons in init scripts to 027 or 022 -#umask_daemons_init: 027 # V-38642 +#security_umask_daemons_init: 027 # V-38642 # # V-38645 - System default umask in /etc/login.defs must be 077 -#umask_login_defs: 077 # V-38645 +#security_umask_login_defs: 077 # V-38645 # # V-38649 - System default umask for csh must be 077 -#umask_csh: 077 # V-38649 +#security_umask_csh: 077 # V-38649 # # V-38651 - System default umask for bash must be 077 -#umask_bash: 077 # V-38651 +#security_umask_bash: 077 # V-38651 ## Unattended upgrades (APT) configuration -unattended_upgrades_enabled: false -unattended_upgrades_notifications: false +security_unattended_upgrades_enabled: false +security_unattended_upgrades_notifications: false diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index dbbcc814..1715bc98 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -41,7 +41,7 @@ the following variable to ``true``: .. code-block:: yaml - initialize_aide: true + security_initialize_aide: true Audit daemon ------------ @@ -102,9 +102,10 @@ The fail2ban service is installed to meet some requirements around failed login attempts. The STIG requires ``pam_faillock``, but that module isn't available in Ubuntu 14.04. -To opt-in for the fail2ban service to be installed, set ``install_fail2ban`` to -``yes`` and set an appropriate time for bans with ``fail2ban_bantime``. See -the notes for V-38501 for more details. +To opt-in for the fail2ban service to be installed, set +``security_install_fail2ban`` to ``yes`` and set an appropriate time for bans +with ``security_fail2ban_bantime``. See the notes for V-38501 for more +details. Kernel ------ 
@@ -136,9 +137,9 @@ certain types of attacks, like SYN floods. This can cause issues in some environments with busy load balancers. Deployers should review the notes for V-38539 for more details. -Also, the STIG requires IPv6 support to be fully disabled, and this could -cause issues for production systems. The role will not disable IPv6 by -default, but deployers can adjust this by changing ``disable_ipv6`` to ``yes``. +Also, the STIG requires IPv6 support to be fully disabled, and this could cause +issues for production systems. The role will not disable IPv6 by default, but +deployers can adjust this by changing ``security_disable_ipv6`` to ``yes``. Core dumps are also disabled by default in the openstack-ansible-security role. @@ -146,8 +147,8 @@ Mail ---- Deployers are strongly urged to configure an address to receive the ``root`` -user's email on various hosts. This is done with the ``root_forward_email`` -variable. +user's email on various hosts. This is done with the +``security_root_forward_email`` variable. The STIG requires that a valid user receives the email in case of errors or a security issue. @@ -229,5 +230,5 @@ umask adjustments Certain umask adjustments are required by the STIG, but these can cause problems with production systems. The requirements are commented out within ``defaults/main.yml`` and can be applied by uncommenting the variables that -start with ``umask_*``. There is extensive documentation available within -the developer notes for each STIG requirement. +start with ``security_umask_*``. There is extensive documentation available +within the developer notes for each STIG requirement. diff --git a/doc/source/developer-notes/V-38446.rst b/doc/source/developer-notes/V-38446.rst index de70a78c..ef72f854 100644 --- a/doc/source/developer-notes/V-38446.rst +++ b/doc/source/developer-notes/V-38446.rst 
@@ -1,4 +1,4 @@ Forwarding root's email to another user is highly recommended, but the Ansible tasks won't configure an email address to receive root's email unless that -email address is configured. Set ``root_forward_email`` to an email address -that is ready to receive root's email. +email address is configured. Set ``security_root_forward_email`` to an email +address that is ready to receive root's email. diff --git a/doc/source/developer-notes/V-38464.rst b/doc/source/developer-notes/V-38464.rst index 8bc9bcc5..1bd777e7 100644 --- a/doc/source/developer-notes/V-38464.rst +++ b/doc/source/developer-notes/V-38464.rst @@ -1,16 +1,16 @@ -Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually -only suspends audit logging. That could be a security issue, so ``SYSLOG`` -is recommended and is set by default by openstack-ansible-security. There -are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``. +Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``, which +actually only suspends audit logging. That could be a security issue, so +``SYSLOG`` is recommended and is set by default by openstack-ansible-security. +There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``. -To configure a different ``disk_error_action``, set the following Ansible -variable: +To configure a different ``security_disk_error_action``, set the following +Ansible variable: .. code-block:: yaml - disk_error_action: SYSLOG + security_disk_error_action: SYSLOG For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``disk_error_action`` setting from the default. +changing the ``security_disk_error_action`` setting from the default. 
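Review bot: The first sentence of V-38464.rst now reads "Ubuntu's default for ``security_disk_error_action`` is ``SUSPEND``", but that sentence describes the auditd.conf directive, which is still named `disk_error_action`; the rename should only touch the Ansible variable in the later sentences and the code block. Keep the directive name in the prose: `Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually only suspends audit logging.` The same over-application appears in the V-38468, V-38470, V-38633, V-38634 and V-38636 notes in this patch, where a distribution default for an auditd.conf setting is attributed to a `security_*` variable.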
diff --git a/doc/source/developer-notes/V-38468.rst b/doc/source/developer-notes/V-38468.rst index 01348435..26554f31 100644 --- a/doc/source/developer-notes/V-38468.rst +++ b/doc/source/developer-notes/V-38468.rst @@ -1,19 +1,19 @@ -Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually -only suspends audit logging. That could be a security issue, so ``SYSLOG`` -is recommended and is set by default by openstack-ansible-security. If syslog -messages are being sent to remote servers, these log messages should alert -an administrator about the disk being full. There are additional options +Ubuntu's default for ``security_disk_full_action`` is ``SUSPEND``, which +actually only suspends audit logging. That could be a security issue, so +``SYSLOG`` is recommended and is set by default by openstack-ansible-security. +If syslog messages are being sent to remote servers, these log messages should +alert an administrator about the disk being full. There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``. -To configure a different ``disk_full_action``, set the following Ansible -variable: +To configure a different ``security_disk_full_action``, set the following +Ansible variable: .. code-block:: yaml - disk_full_action: SYSLOG + security_disk_full_action: SYSLOG For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``disk_full_action`` setting from the default. +changing the ``security_disk_full_action`` setting from the default. diff --git a/doc/source/developer-notes/V-38470.rst b/doc/source/developer-notes/V-38470.rst index 01e7d202..c71050df 100644 --- a/doc/source/developer-notes/V-38470.rst +++ b/doc/source/developer-notes/V-38470.rst 
@@ -1,18 +1,18 @@ -Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually -only suspends audit logging. That could be a security issue, so ``SYSLOG`` -is recommended and is set by default by openstack-ansible-security. If syslog -messages are being sent to remote servers, these log messages should alert -an administrator about the disk being almost full. There are additional options -available, like ``EXEC``, ``SINGLE`` or ``HALT``. +Ubuntu's default for ``security_space_left_action`` is ``SUSPEND``, which +actually only suspends audit logging. That could be a security issue, so +``SYSLOG`` is recommended and is set by default by openstack-ansible-security. +If syslog messages are being sent to remote servers, these log messages should +alert an administrator about the disk being almost full. There are additional +options available, like ``EXEC``, ``SINGLE`` or ``HALT``. -To configure a different ``space_left_action``, set the following Ansible -variable: +To configure a different ``security_space_left_action``, set the following +Ansible variable: .. code-block:: yaml - space_left_action: SYSLOG + security_space_left_action: SYSLOG For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to -changing the ``space_left_action`` setting from the default. +changing the ``security_space_left_action`` setting from the default. diff --git a/doc/source/developer-notes/V-38475.rst b/doc/source/developer-notes/V-38475.rst index 2a5dc965..b4a411aa 100644 --- a/doc/source/developer-notes/V-38475.rst +++ b/doc/source/developer-notes/V-38475.rst @@ -6,7 +6,7 @@ setting, set the following Ansible variable: .. code-block:: yaml - password_minimum_length: 14 + security_password_minimum_length: 14 Deployers are urged to avoid the use of passwords and rely upon SSH keys if possible. 
diff --git a/doc/source/developer-notes/V-38477.rst b/doc/source/developer-notes/V-38477.rst index 7df792fa..f5327a56 100644 --- a/doc/source/developer-notes/V-38477.rst +++ b/doc/source/developer-notes/V-38477.rst @@ -7,4 +7,4 @@ To enable this configuration, use this Ansible variable: .. code-block:: yaml - password_minimum_days: 14 + security_password_minimum_days: 14 diff --git a/doc/source/developer-notes/V-38479.rst b/doc/source/developer-notes/V-38479.rst index 16d75124..651d7e31 100644 --- a/doc/source/developer-notes/V-38479.rst +++ b/doc/source/developer-notes/V-38479.rst @@ -8,5 +8,5 @@ To enable this configuration, use this Ansible variable: .. code-block:: yaml - password_maximum_days: 60 + security_password_maximum_days: 60 diff --git a/doc/source/developer-notes/V-38480.rst b/doc/source/developer-notes/V-38480.rst index 3ad15a57..8ef8b4ca 100644 --- a/doc/source/developer-notes/V-38480.rst +++ b/doc/source/developer-notes/V-38480.rst @@ -7,4 +7,4 @@ variable to configure the warning: .. code-block:: yaml - password_warn_age: 7 + security_password_warn_age: 7 diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst index bc435db4..836878d7 100644 --- a/doc/source/developer-notes/V-38481.rst +++ b/doc/source/developer-notes/V-38481.rst @@ -9,7 +9,7 @@ variable to ``true``: .. code-block:: yaml - unattended_upgrades: true + security_unattended_upgrades: true Note that this will only apply updates made available to the distro-security (eg. trusty-security) repositories. diff --git a/doc/source/developer-notes/V-38497.rst b/doc/source/developer-notes/V-38497.rst index 813f4b2d..97cea9be 100644 --- a/doc/source/developer-notes/V-38497.rst +++ b/doc/source/developer-notes/V-38497.rst 
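Review bot: The example in V-38477.rst still shows `security_password_minimum_days: 14`, while the matching commented default in defaults/main.yml in this same patch says the STIG recommendation is 1 day and proposes `#security_password_minimum_days: 1`; one of the two is wrong, and 14 looks like a copy of the V-38475 password-length value. Unless the earlier part of this note (outside the hunk) justifies 14, the example should be `security_password_minimum_days: 1`.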
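Review bot: V-38481.rst tells deployers to set `security_unattended_upgrades: true`, but defaults/main.yml in this patch defines `security_unattended_upgrades_enabled` and `security_unattended_upgrades_notifications`, not `security_unattended_upgrades`; a deployer following the note would presumably set a variable the role never reads and believe security updates are enabled. Assuming the defaults file is authoritative, the example should read `security_unattended_upgrades_enabled: true`. The mismatch predates this patch (`unattended_upgrades` vs `unattended_upgrades_enabled`), but a rename sweep is the moment to reconcile it.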
@@ -10,7 +10,7 @@ However, deployers can opt-out of this change by adjusting an Ansible variable: .. code-block:: yaml - pam_remove_nullok: no + security_pam_remove_nullok: no Setting the variable to ``yes`` (the default) will cause the Ansible tasks to remove the ``nullok_secure`` parameter while setting the variable to ``no`` diff --git a/doc/source/developer-notes/V-38501.rst b/doc/source/developer-notes/V-38501.rst index 8dbfbe52..9f83d9c8 100644 --- a/doc/source/developer-notes/V-38501.rst +++ b/doc/source/developer-notes/V-38501.rst @@ -19,14 +19,14 @@ addresses using the following logic * That IP will be banned for 15 minutes (via iptables rules) Deployers must opt-in for fail2ban to be installed and configured. To opt-in, -set the ``install_fail2ban`` Ansible variable to ``yes``. The time period for -bans can also be configured (in seconds) via tha ``fail2ban_bantime`` -variable: +set the ``security_install_fail2ban`` Ansible variable to ``yes``. The time +period for bans can also be configured (in seconds) via tha +``security_fail2ban_bantime`` variable: .. code-block:: yaml - install_fail2ban: yes - fail2ban_bantime: 900 + security_install_fail2ban: yes + security_fail2ban_bantime: 900 **NOTE:** Fail2ban can only review authentication attempts for services that listen on the network, such as ssh. It has no control over physical consoles. diff --git a/doc/source/developer-notes/V-38546.rst b/doc/source/developer-notes/V-38546.rst index 3776d343..99eb7110 100644 --- a/doc/source/developer-notes/V-38546.rst +++ b/doc/source/developer-notes/V-38546.rst @@ -8,7 +8,7 @@ To opt-in for this change, set the following Ansible variable to ``yes``: .. code-block:: yaml - disable_ipv6: yes + security_disable_ipv6: yes **NOTE:** This change will go into effect **immediately** on the system and persist through reboots. diff --git a/doc/source/developer-notes/V-38608.rst b/doc/source/developer-notes/V-38608.rst index b908dc7d..204794a0 100644 
--- a/doc/source/developer-notes/V-38608.rst +++ b/doc/source/developer-notes/V-38608.rst @@ -1,9 +1,9 @@ The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes as recommended by the STIG. However, this time is configurable by setting -``ssh_client_alive_interval`` to another value, in seconds. +``security_ssh_client_alive_interval`` to another value, in seconds. To change to 10 minutes, adjust the configuration item to 600 seconds: .. code-block:: yaml - ssh_client_alive_interval: 600 + security_ssh_client_alive_interval: 600 diff --git a/doc/source/developer-notes/V-38610.rst b/doc/source/developer-notes/V-38610.rst index 8a0bb726..59acaebc 100644 --- a/doc/source/developer-notes/V-38610.rst +++ b/doc/source/developer-notes/V-38610.rst @@ -5,4 +5,4 @@ to something other than ``0``: .. code-block:: yaml - ssh_client_alive_count_max: 0 + security_ssh_client_alive_count_max: 0 diff --git a/doc/source/developer-notes/V-38613.rst b/doc/source/developer-notes/V-38613.rst index 8259ccea..28ba14d7 100644 --- a/doc/source/developer-notes/V-38613.rst +++ b/doc/source/developer-notes/V-38613.rst @@ -7,7 +7,7 @@ To disallow root logins via ssh, simply adjust this configuration variable: .. code-block:: yaml - ssh_permit_root_login: 'no' + security_ssh_permit_root_login: 'no' **NOTE:** The quotes around ``'no'`` or ``'yes'`` are very important. Ansible will treat ``no`` and ``yes`` as booleans by default and that will cause a diff --git a/doc/source/developer-notes/V-38620.rst b/doc/source/developer-notes/V-38620.rst index 64877916..5de1db52 100644 --- a/doc/source/developer-notes/V-38620.rst +++ b/doc/source/developer-notes/V-38620.rst 
@@ -6,13 +6,14 @@ environments. There are two configurations available for users to adjust chrony's default configuration: -The ``ntp_servers`` variable is a list of NTP servers that +The ``security_ntp_servers`` variable is a list of NTP servers that chrony should use to synchronize time. They are set to North American NTP servers by default. -The ``allowed_ntp_subnets`` variable is a list of subnets (in CIDR notation) -that are allowed to reach your servers running chrony. A sane default is -chosen (all RFC1918 networks are allowed), but this can be easily adjusted. +The ``security_allowed_ntp_subnets`` variable is a list of subnets (in CIDR +notation) that are allowed to reach your servers running chrony. A sane +default is chosen (all RFC1918 networks are allowed), but this can be easily +adjusted. For more information on chrony, review the `chrony documentation`_ at the upstream site, or run `man chrony` on a host with chrony installed. diff --git a/doc/source/developer-notes/V-38622.rst b/doc/source/developer-notes/V-38622.rst index de2c6f4f..167f95cf 100644 --- a/doc/source/developer-notes/V-38622.rst +++ b/doc/source/developer-notes/V-38622.rst @@ -8,7 +8,7 @@ the following Ansible variable: .. code-block:: yaml - postfix_inet_interfaces: all + security_postfix_inet_interfaces: all Note that postfix can have ``inet_interfaces`` set to ``localhost`` and it can still send email on the network. The ``inet_interfaces`` directive only diff --git a/doc/source/developer-notes/V-38633.rst b/doc/source/developer-notes/V-38633.rst index b03c4f71..d1ad7046 100644 --- a/doc/source/developer-notes/V-38633.rst +++ b/doc/source/developer-notes/V-38633.rst 
@@ -1,12 +1,12 @@ -Ubuntu's default setting for ``max_log_files`` matches the STIG requirement of -rotating logs when they reach 6MB. The Ansible task for this STIG -requirement ensures that the secure default is maintained. +Ubuntu's default setting for ``security_max_log_file`` matches the STIG +requirement of rotating logs when they reach 6MB. The Ansible task for this +STIG requirement ensures that the secure default is maintained. Deployers who want to exceed the STIG guideline can increase the size of logs by adjusting the following Ansible variable: .. code-block:: yaml - max_log_file: 6 + security_max_log_file: 6 diff --git a/doc/source/developer-notes/V-38634.rst b/doc/source/developer-notes/V-38634.rst index 278e1a30..b5880d29 100644 --- a/doc/source/developer-notes/V-38634.rst +++ b/doc/source/developer-notes/V-38634.rst @@ -1,6 +1,6 @@ -Ubuntu's default action for ``max_log_file_action`` is to rotate the logs. -This meets the STIG requirements and the Ansible task will ensure that the -secure default is maintained. +Ubuntu's default action for ``security_max_log_file_action`` is to rotate the +logs. This meets the STIG requirements and the Ansible task will ensure that +the secure default is maintained. Use caution when changing this option. Certain values, like ``SUSPEND`` will cause the audit daemon to lock the machine when the maximum size for a log diff --git a/doc/source/developer-notes/V-38636.rst b/doc/source/developer-notes/V-38636.rst index 1711229f..e56ae4db 100644 --- a/doc/source/developer-notes/V-38636.rst +++ b/doc/source/developer-notes/V-38636.rst 
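Review bot: V-38633.rst now says "Ubuntu's default setting for ``security_max_log_file``", which attributes a distribution default to an Ansible variable; the directive Ubuntu ships in auditd.conf is `max_log_file`, and the old text's `max_log_files` was just a typo that this is the right moment to fix. Suggest `Ubuntu's default setting for ``max_log_file`` matches the STIG` for the prose and keep the `security_max_log_file: 6` rename only in the code block. V-38634.rst in this same line has the identical problem with `security_max_log_file_action`.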
@@ -1,12 +1,12 @@ -Ubuntu keeps 5 rotated logs with the ``num_logs`` option and this meets the -STIG requirement. The Ansible task will ensure that the secure default is -maintained. +Ubuntu keeps 5 rotated logs with the ``security_num_logs`` option and this +meets the STIG requirement. The Ansible task will ensure that the secure +default is maintained. Deployers who want to allow logs to grow to larger sizes prior to rotation can adjust the following Ansible variable: .. code-block:: yaml - num_logs: 5 + security_num_logs: 5 diff --git a/doc/source/developer-notes/V-38642.rst b/doc/source/developer-notes/V-38642.rst index cb27284f..1b645714 100644 --- a/doc/source/developer-notes/V-38642.rst +++ b/doc/source/developer-notes/V-38642.rst @@ -1,7 +1,7 @@ The STIG requires that daemons have their umask set to ``027`` or ``022``. Since changing umasks can disrupt some systems, this is an opt-in change. -Deployers that want this change applied to their systems must set the -Ansible variable ``umask_daemons_init`` to ``027``. The current default -for Ubuntu 14.04 is ``027`` already, so deployers do not need to make any +Deployers that want this change applied to their systems must set the Ansible +variable ``security_umask_daemons_init`` to ``027``. The current default for +Ubuntu 14.04 is ``027`` already, so deployers do not need to make any adjustments to Ansible variables to meet the STIG requirement. diff --git a/doc/source/developer-notes/V-38645.rst b/doc/source/developer-notes/V-38645.rst index f6c385ea..41d810ba 100644 --- a/doc/source/developer-notes/V-38645.rst +++ b/doc/source/developer-notes/V-38645.rst @@ -5,4 +5,4 @@ requires ``077`` to be set. Since changing umask settings can disrupt some systems, this change requires a deployer to opt-in. To opt-in for this change and adjust the umask, the Ansible variable -``umask_login_defs`` must be set to ``077``. +``security_umask_login_defs`` must be set to ``077``. 
diff --git a/doc/source/developer-notes/V-38649.rst b/doc/source/developer-notes/V-38649.rst index 832eeb87..fc2766c6 100644 --- a/doc/source/developer-notes/V-38649.rst +++ b/doc/source/developer-notes/V-38649.rst @@ -3,7 +3,7 @@ Neither Ubuntu or openstack-ansible installs the csh shell by default. Since umask changes can be disruptive on some systems, the deployer must -opt-in for this change to happen. If the ``umask_csh`` Ansible variable is +opt-in for this change to happen. If the ``security_umask_csh`` Ansible variable is set **and** the csh package is installed, the Ansible tasks will ensure the appropriate umask is set in the csh configuration file. diff --git a/doc/source/developer-notes/V-38651.rst b/doc/source/developer-notes/V-38651.rst index fc81ffdc..6f69e283 100644 --- a/doc/source/developer-notes/V-38651.rst +++ b/doc/source/developer-notes/V-38651.rst @@ -2,4 +2,4 @@ Changing the umask for the bash shell is an opt-in setting. Deployers that want to set the umask for bash sessions to match the STIG requirement must -set the Ansible variable ``umask_bash`` to ``077``. +set the Ansible variable ``security_umask_bash`` to ``077``. diff --git a/doc/source/developer-notes/V-38675.rst b/doc/source/developer-notes/V-38675.rst index cfa86435..71419970 100644 --- a/doc/source/developer-notes/V-38675.rst +++ b/doc/source/developer-notes/V-38675.rst @@ -5,4 +5,4 @@ To opt-out of this change, set the following Ansible variable to ``no``: .. code-block:: yaml - disable_core_dumps: no + security_disable_core_dumps: no diff --git a/doc/source/developer-notes/V-38678.rst b/doc/source/developer-notes/V-38678.rst index 14afc899..c8e22e6a 100644 --- a/doc/source/developer-notes/V-38678.rst +++ b/doc/source/developer-notes/V-38678.rst 
@@ -1,6 +1,7 @@ When auditd notices that free disk space on its logging partition is low, it -will trigger the ``space_left_action``. The threshold of remaining disk space -is configured by ``space_left`` in ``/etc/audit/auditd.conf``. +will trigger the ``security_space_left_action``. The threshold of remaining +disk space is configured by ``security_space_left`` in +``/etc/audit/auditd.conf``. By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a specific requirement for the exact size, so the Ansible task will ensure that diff --git a/doc/source/developer-notes/V-38680.rst b/doc/source/developer-notes/V-38680.rst index 2fae9bf0..31164aa7 100644 --- a/doc/source/developer-notes/V-38680.rst +++ b/doc/source/developer-notes/V-38680.rst @@ -2,5 +2,5 @@ By default, Ubuntu sets the default recipient for storage capacity issues in auditd to the root user. The Ansible task ensures that the default remains set. Deployers are strongly urged to review V-38446 to ensure they have set the -``root_forward_email`` variable so that the email system can route these -critical notifications to a monitored mailbox. +``security_root_forward_email`` variable so that the email system can route +these critical notifications to a monitored mailbox. diff --git a/doc/source/developer-notes/V-38684.rst b/doc/source/developer-notes/V-38684.rst index 7dda867c..f6523962 100644 --- a/doc/source/developer-notes/V-38684.rst +++ b/doc/source/developer-notes/V-38684.rst @@ -8,4 +8,4 @@ To opt-in for this change, set the following Ansible variable: .. code-block:: yaml - max_simultaneous_logins: 10 + security_max_simultaneous_logins: 10 diff --git a/doc/source/developer-notes/V-38692.rst b/doc/source/developer-notes/V-38692.rst index 0005bfeb..b77c3622 100644 --- a/doc/source/developer-notes/V-38692.rst +++ b/doc/source/developer-notes/V-38692.rst 
@@ -5,6 +5,7 @@ period of time. The STIG requires that accounts with 35 days of activity are locked. Deployers must opt-in for this change by setting the -``inactive_account_lock_days`` Ansible variable. The STIG requires this to be -set to 35 days at a maximum. The Ansible tasks will not make any changes to -``/etc/default/useradd`` unless ``inactive_account_lock_days`` is set. +``security_inactive_account_lock_days`` Ansible variable. The STIG requires +this to be set to 35 days at a maximum. The Ansible tasks will not make any +changes to ``/etc/default/useradd`` unless +``security_inactive_account_lock_days`` is set. diff --git a/doc/source/developer-notes/V-51391.rst b/doc/source/developer-notes/V-51391.rst index b032c8e2..c7d3222c 100644 --- a/doc/source/developer-notes/V-51391.rst +++ b/doc/source/developer-notes/V-51391.rst @@ -7,4 +7,4 @@ down the playbook run. Some directories are excluded from AIDE runs to prevent AIDE from wandering into directories where it shouldn't be hashing/monitoring files. The ``defaults/main.yml`` file has some recommended directories as part of the -``aide_exclude_dirs`` variable. +``security_aide_exclude_dirs`` variable. diff --git a/doc/source/developer-notes/V-54381.rst b/doc/source/developer-notes/V-54381.rst index 115af033..31d5b58a 100644 --- a/doc/source/developer-notes/V-54381.rst +++ b/doc/source/developer-notes/V-54381.rst 
@@ -6,12 +6,12 @@ single-user mode when the space for logging becomes dangerously low. **This will cause serious service disruptions for any environment and should only be enabled for extremely high security environments.** -Ubuntu sets ``admin_space_left_action`` to ``SUSPEND`` by default, and this -will cause logging to be temporarily suspended until disk space is freed. +Ubuntu sets ``security_admin_space_left_action`` to ``SUSPEND`` by default, and +this will cause logging to be temporarily suspended until disk space is freed. For extremely high security environments, this Ansible variable can be provided to meet the requirements of the STIG: .. code-block:: yaml - admin_space_left_action: SINGLE + security_admin_space_left_action: SINGLE diff --git a/doc/source/developer-notes/V-58901.rst b/doc/source/developer-notes/V-58901.rst index 2ba15a48..ef88dfd7 100644 --- a/doc/source/developer-notes/V-58901.rst +++ b/doc/source/developer-notes/V-58901.rst @@ -12,11 +12,11 @@ configuration files will not be altered: .. code-block:: yaml - sudoers_remove_nopasswd: no - sudoers_remove_authenticate: no + security_sudoers_remove_nopasswd: no + security_sudoers_remove_authenticate: no -Setting ``sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible tasks to -search for any lines containing ``NOPASSWD`` and comment them out of the -configuration. Setting ``sudoers_remove_authenticate`` will do the same -actions on lines containing ``!authenticate``. Lines that are already +Setting ``security_sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible +tasks to search for any lines containing ``NOPASSWD`` and comment them out of +the configuration. Setting ``security_sudoers_remove_authenticate`` will do the +same actions on lines containing ``!authenticate``. Lines that are already commented will be left unaltered. diff --git a/handlers/main.yml b/handlers/main.yml index ed5c88f5..87224c90 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -62,7 +62,7 @@ # the background so it doesn't hold up the whole playbook. - name: initialize AIDE shell: "aideinit -b" - when: initialize_aide | bool + when: security_initialize_aide | bool - name: rehash aliases command: newaliases diff --git a/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml b/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml new file mode 100644 index 00000000..0fa7d814 --- /dev/null +++ b/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + All variables in the security role are now prepended with ``security_`` to + avoid collisions with variables in other roles. All deployers who have + used the security role in previous releases will need to prepend all + security role variables with ``security_``. + + For example, a deployer could have disabled direct root ssh logins with the + following variable: + + .. code-block:: yaml + + ssh_permit_root_login: yes + + That variable would become: + + .. code-block:: yaml + + security_ssh_permit_root_login: yes diff --git a/tasks/apt.yml b/tasks/apt.yml index 27e23249..d063fcb9 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -65,7 +65,7 @@ apt: name: unattended-upgrades state: present - when: unattended_upgrades_enabled | bool + when: security_unattended_upgrades_enabled | bool tags: - apt - cat2 @@ -75,7 +75,7 @@ copy: src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades - when: unattended_upgrades_enabled | bool + when: security_unattended_upgrades_enabled | bool tags: - apt - cat2 @@ -87,8 +87,8 @@ regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";' line: 'Unattended-Upgrade::Mail "root";' when: - - unattended_upgrades_enabled | bool - - unattended_upgrades_notifications | bool + - security_unattended_upgrades_enabled | bool + - security_unattended_upgrades_notifications | bool tags: - apt - cat2 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index e7ba398d..067dec67 100644 --- a/tasks/auditd.yml 
+++ b/tasks/auditd.yml
@@ -65,7 +65,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file ="
-    line: "max_log_file = {{ max_log_file }}"
+    line: "max_log_file = {{ security_max_log_file }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -78,7 +78,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file_action ="
-    line: "max_log_file_action = {{ max_log_file_action }}"
+    line: "max_log_file_action = {{ security_max_log_file_action }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -91,7 +91,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?num_logs ="
-    line: "num_logs = {{ num_logs }}"
+    line: "num_logs = {{ security_num_logs }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -155,7 +155,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_error_action"
-    line: "disk_error_action = {{ disk_error_action }}"
+    line: "disk_error_action = {{ security_disk_error_action }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -168,7 +168,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_full_action"
-    line: "disk_full_action = {{ disk_full_action }}"
+    line: "disk_full_action = {{ security_disk_full_action }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -181,7 +181,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left"
-    line: "space_left = {{ space_left }}"
+    line: "space_left = {{ security_space_left }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -194,7 +194,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left_action"
-    line: "space_left_action = {{ space_left_action }}"
+    line: "space_left_action = {{ security_space_left_action }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
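Review bot: In the `@@ -181,7` hunk the regexp `"^(#)?space_left"` is an unanchored prefix that also matches the `space_left_action` line managed by the very next hunk, so lineinfile (which rewrites the last matching line) can overwrite the `space_left_action` entry with a `space_left` value and leave auditd.conf with a duplicate key while the following task appends a fresh `space_left_action` elsewhere. The earlier hunks in this file already anchor the key with a trailing ` =` (`"^(#)?max_log_file ="`, `"^(#)?num_logs ="`), so the same form disambiguates here: `regexp: "^(#)?space_left ="`. The rename in this commit does not touch the regexps, and each task's `- name:` line lies outside the hunk.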
@@ -207,7 +207,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?action_mail_acct"
-    line: "action_mail_acct = {{ action_mail_acct }}"
+    line: "action_mail_acct = {{ security_action_mail_acct }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
@@ -280,7 +280,7 @@
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?admin_space_left_action"
-    line: "admin_space_left_action = {{ admin_space_left_action }}"
+    line: "admin_space_left_action = {{ security_admin_space_left_action }}"
   when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
diff --git a/tasks/auth.yml b/tasks/auth.yml
index e721131c..a6618ccc 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -17,8 +17,8 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: "^(#)?PASS_MIN_LEN"
-    line: "PASS_MIN_LEN {{ password_minimum_length }}"
-  when: password_minimum_length is defined
+    line: "PASS_MIN_LEN {{ security_password_minimum_length }}"
+  when: security_password_minimum_length is defined
   tags:
     - auth
     - cat2
@@ -28,8 +28,8 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: "^(#)?PASS_MIN_DAYS"
-    line: "PASS_MIN_DAYS {{ password_minimum_days }}"
-  when: password_minimum_days is defined
+    line: "PASS_MIN_DAYS {{ security_password_minimum_days }}"
+  when: security_password_minimum_days is defined
   tags:
     - auth
     - cat2
@@ -39,8 +39,8 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: "^(#)?PASS_MAX_DAYS"
-    line: "PASS_MAX_DAYS {{ password_maximum_days }}"
-  when: password_maximum_days is defined
+    line: "PASS_MAX_DAYS {{ security_password_maximum_days }}"
+  when: security_password_maximum_days is defined
   tags:
     - auth
     - cat2
@@ -50,8 +50,8 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: "^(#)?PASS_WARN_DAYS"
-    line: "PASS_WARN_DAYS {{ password_warn_age }}"
-  when: password_warn_age is defined
+    line: "PASS_WARN_DAYS {{ security_password_warn_age }}"
+  when: security_password_warn_age is defined
   tags:
     - auth
     - cat3
@@ -110,7 +110,7 @@
     line: '\1\2'
     backup: yes
     backrefs: yes
-  when: pam_remove_nullok | bool
+  when: security_pam_remove_nullok | bool
   tags:
     - auth
     - cat1
@@ -171,7 +171,7 @@
   apt:
     name: fail2ban
     state: present
-  when: install_fail2ban | bool
+  when: security_install_fail2ban | bool
   tags:
     - auth
     - cat2
@@ -183,7 +183,7 @@
   template:
     src: jail.local.j2
     dest: /etc/fail2ban/jail.d/jail.local
-  when: install_fail2ban | bool
+  when: security_install_fail2ban | bool
   notify:
     - restart fail2ban
   tags:
@@ -363,8 +363,8 @@
   lineinfile:
     dest: /etc/default_useradd
     regexp: "^(#)?INACTIVE"
-    line: "INACTIVE {{ inactive_account_lock_days }}"
-  when: inactive_account_lock_days is defined
+    line: "INACTIVE {{ security_inactive_account_lock_days }}"
+  when: security_inactive_account_lock_days is defined
   tags:
     - auth
     - cat3
@@ -404,7 +404,7 @@
 - name: Comment out sudoers lines with NOPASSWD present (for V-58901)
   shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
   with_items: v58901_result.stdout_lines
-  when: sudoers_remove_nopasswd | bool
+  when: security_sudoers_remove_nopasswd | bool
   tags:
     - auth
     - cat2
@@ -415,7 +415,7 @@
 - name: Comment out sudoers lines with !authenticate present (for V-58901)
   shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
   with_items: v58901_result.stdout_lines
-  when: sudoers_remove_authenticate | bool
+  when: security_sudoers_remove_authenticate | bool
   tags:
     - auth
     - cat2
diff --git a/tasks/file_perms.yml b/tasks/file_perms.yml
index f9e8ca2a..d62c432b 100644
--- a/tasks/file_perms.yml
+++ b/tasks/file_perms.yml
@@ -126,8 +126,8 @@
   lineinfile:
     dest: /etc/init.d/rc
     regexp: "^umask "
-    line: "umask {{ umask_daemons_init }}"
-  when: umask_daemons_init is defined
+    line: "umask {{ security_umask_daemons_init }}"
+  when: security_umask_daemons_init is defined
   tags:
     - file_perms
     - cat3
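Review bot: The `@@ -363,8` hunk writes to `dest: /etc/default_useradd`, while the V-38692 note updated in this same commit documents the change as landing in ``/etc/default/useradd``; the underscore path looks like a typo, so the INACTIVE setting is either rejected (no such file for lineinfile) or written to a file nothing reads, and the inactive-account lock is never actually enforced. The rename does not touch this line, but this task is the only place the control is applied. Suggested change: `dest: /etc/default/useradd`. The task's `- name:` line is outside the hunk.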
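Review bot: In the `@@ -404,7` and `@@ -415,7` hunks the filenames from `v58901_result.stdout_lines` are interpolated unquoted into a `shell:` command (`-i {{ item }}`), so a path containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of reaching sed as a single argument, and the in-place edit then lands on the wrong file or fails. Since the list comes from an earlier scan rather than a fixed path, pass each item through Ansible's quote filter: `shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item | quote }}"`, and the same for the `!authenticate` task. The task that registers v58901_result is outside these hunks.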
@@ -138,8 +138,8 @@
   lineinfile:
     dest: /etc/login.defs
     regexp: "^UMASK"
-    line: "UMASK {{ umask_login_defs }}"
-  when: umask_login_defs is defined
+    line: "UMASK {{ security_umask_login_defs }}"
+  when: security_umask_login_defs is defined
   tags:
     - file_perms
     - cat3
@@ -152,7 +152,7 @@
   register: v38649_result
   changed_when: False
   failed_when: False
-  when: umask_csh is defined
+  when: security_umask_csh is defined
   tags:
     - file_perms
     - cat3
@@ -162,9 +162,9 @@
   lineinfile:
     dest: /etc/csh.cshrc
     regexp: "^(#)?umask"
-    line: "umask {{ umask_csh }}"
+    line: "umask {{ security_umask_csh }}"
     create: yes
-  when: umask_csh is defined and v38649_result.rc == 0
+  when: security_umask_csh is defined and v38649_result.rc == 0
   tags:
     - file_perms
     - cat3
@@ -174,8 +174,8 @@
   lineinfile:
     dest: /etc/bash.bashrc
     regexp: "^(#)?umask"
-    line: "umask {{ umask_bash }}"
-  when: umask_bash is defined
+    line: "umask {{ security_umask_bash }}"
+  when: security_umask_bash is defined
   tags:
     - file_perms
     - cat3
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index fcf45d1c..d58fde06 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -158,7 +158,7 @@
   with_items:
     - net.ipv6.conf.all.disable_ipv6
     - net.ipv6.conf.default.disable_ipv6
-  when: disable_ipv6 | bool
+  when: security_disable_ipv6 | bool
   tags:
     - kernel
     - cat2
diff --git a/tasks/mail.yml b/tasks/mail.yml
index 83f8df31..6c814fe0 100644
--- a/tasks/mail.yml
+++ b/tasks/mail.yml
@@ -38,20 +38,20 @@ dest: /etc/postfix/main.cf regexp: "^(#)?mynetworks" line: "mynetworks = 127.0.0.0/8" - when: disable_ipv6 | bool + when: security_disable_ipv6 | bool tags: - mail - cat3 - V-38669 -# Be sure to set root_forward_email so that this task is executed. See the -# documentation for more details. +# Be sure to set security_root_forward_email so that this task is executed. See +# the documentation for more details. - name: V-38446 - Mail system must forward root's email lineinfile: dest: /etc/aliases regexp: "^root" - line: "root: {{ root_forward_email }}" - when: root_forward_email is defined + line: "root: {{ security_root_forward_email }}" + when: security_root_forward_email is defined notify: - rehash aliases tags: @@ -71,7 +71,7 @@ lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = {{ postfix_inet_interfaces }}" + line: "inet_interfaces = {{ security_postfix_inet_interfaces }}" when: postfix_main_cf.stat.exists | bool notify: - restart postfix diff --git a/tasks/misc.yml b/tasks/misc.yml index a34836de..e60176e2 100644 --- a/tasks/misc.yml +++ b/tasks/misc.yml @@ -204,7 +204,7 @@ dest: /etc/security/limits.d/V-38675-coredump.conf line: "* hard core 0" create: yes - when: disable_core_dumps is defined + when: security_disable_core_dumps is defined tags: - cat3 - V-38675 @@ -212,9 +212,9 @@ - name: V-38684 - Maximum simultaneous logins per user lineinfile: dest: /etc/security/limits.d/V-38684-maxlogins.conf - line: "* hard maxlogins {{ max_simultaneous_logins }}" + line: "* hard maxlogins {{ security_max_simultaneous_logins }}" create: yes - when: max_simultaneous_logins is defined + when: security_max_simultaneous_logins is defined tags: - cat3 - V-38684 diff --git a/tasks/sshd.yml b/tasks/sshd.yml index a0c30025..3d21417a 100644 --- a/tasks/sshd.yml +++ b/tasks/sshd.yml 
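Review bot: In the `@@ -204,7` hunk of tasks/misc.yml the condition is `when: security_disable_core_dumps is defined`, which is true for any value, while the V-38675 note in this same commit tells deployers to opt out by setting `security_disable_core_dumps: no`; a deployer following that note still gets the `* hard core 0` limit applied because the variable is defined. Either the task should test the value, `when: security_disable_core_dumps | bool`, matching the `| bool` pattern used by the other toggles in this commit, or the note should say the variable must be left undefined to opt out. The task's `- name:` line is outside the hunk.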
@@ -128,7 +128,7 @@ state: present dest: /etc/ssh/sshd_config regexp: '^(#)?ClientAliveInterval' - line: 'ClientAliveInterval {{ ssh_client_alive_interval }}' + line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}' insertafter: "^# openstack-ansible-security configurations" validate: '/usr/sbin/sshd -T -f %s' notify: @@ -143,7 +143,7 @@ state: present dest: /etc/ssh/sshd_config regexp: '^(#)?ClientAliveCountMax' - line: 'ClientAliveCountMax {{ ssh_client_alive_count_max }}' + line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}' insertafter: "^# openstack-ansible-security configurations" validate: '/usr/sbin/sshd -T -f %s' notify: @@ -173,7 +173,7 @@ state: present dest: /etc/ssh/sshd_config regexp: '^(#)?PermitRootLogin' - line: 'PermitRootLogin {{ ssh_permit_root_login }}' + line: 'PermitRootLogin {{ security_ssh_permit_root_login }}' insertafter: "^# openstack-ansible-security configurations" validate: '/usr/sbin/sshd -T -f %s' notify: diff --git a/templates/ZZ_aide_exclusions.j2 b/templates/ZZ_aide_exclusions.j2 index d41f8432..ad6c4b59 100644 --- a/templates/ZZ_aide_exclusions.j2 +++ b/templates/ZZ_aide_exclusions.j2 @@ -2,6 +2,6 @@ # These excluded paths prevent AIDE from wandering into directories where it # shouldn't be hashing/monitoring files. -{% for dir in aide_exclude_dirs %} +{% for dir in security_aide_exclude_dirs %} !{{ dir }} {% endfor %} diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2 index d9d11518..d8042cc7 100644 --- a/templates/chrony.conf.j2 +++ b/templates/chrony.conf.j2 @@ -17,7 +17,7 @@ # fails they will be discarded. Thus under some circumstances it is # better to use IP numbers than host names. -{% for ntp_server in ntp_servers %} +{% for ntp_server in security_ntp_servers %} server {{ ntp_server }} offline minpoll 8 {% endfor %} 
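Review bot: In the `@@ -173,7` hunk the rendered line is `'PermitRootLogin {{ security_ssh_permit_root_login }}'`, yet the release note in this commit shows the variable being set as an unquoted YAML `yes`; a YAML loader reads that as a boolean, Jinja renders it as `True`, and sshd does not recognise `True` as a PermitRootLogin value, so the `validate: '/usr/sbin/sshd -T -f %s'` step would most likely reject the rendered file and fail the task rather than apply the setting. The documented example should use a quoted string (`security_ssh_permit_root_login: "no"`), and a comment above the task would save the next deployer the same trap: `# Value must be a quoted string ("yes", "no", ...); a bare YAML yes/no renders as True/False and fails sshd -T validation`. The release note's example also reads as though `yes` disables root login, which looks inverted and is worth re-checking. The task's `- name:` line is outside the hunk.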
@@ -62,7 +62,7 @@ local stratum 10 # Allow computers on the unrouted nets to use the server. -{% for subnet in allowed_ntp_subnets %} +{% for subnet in security_allowed_ntp_subnets %} allow {{ subnet }} {% endfor %} diff --git a/templates/jail.local.j2 b/templates/jail.local.j2 index 5d9f2c77..e9a3f025 100644 --- a/templates/jail.local.j2 +++ b/templates/jail.local.j2 @@ -2,4 +2,4 @@ [DEFAULT] # "bantime" is the number of seconds that a host is banned. -bantime = {{ fail2ban_bantime }} +bantime = {{ security_fail2ban_bantime }} diff --git a/tests/test.yml b/tests/test.yml index fd96783d..a7b6dd6c 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -42,5 +42,5 @@ roles: - role: "{{ rolename }}" vars: - unattended_upgrades_enabled: true - unattended_upgrades_notifications: true + security_unattended_upgrades_enabled: true + security_unattended_upgrades_notifications: true