--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. #TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache #when https://github.com/ansible/ansible-modules-core/pull/1517 is merged #in 1.9.x or we move to 2.0 (if tested working) - name: Check apt last update file stat: path: /var/cache/apt register: apt_cache_stat tags: - auditd-apt-packages - name: Update apt if needed apt: update_cache: yes when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}" tags: - auditd-apt-packages # Notes for V-38476 ########################################################### # # These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could # change or additional keys may be added in the future. # - name: Gather current GPG keys for apt (for V-38476) command: apt-key list register: v38476_result changed_when: "v38476_result.rc != 0" always_run: True - name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. fail: msg: "Missing Ubuntu Archive signing keys" when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout" tags: - package - cat1 - V-38476 # Notes for V-38462 ########################################################### # # Ubuntu checks packages against GPG signatures by default. It can be turned # off for all package installations by a setting in /etc/apt/apt.conf.d and we # search for that here. Users can pass an argument on the apt command line # to bypass the checks as well, but that's outside the scope of this check # and remediation. # - name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462) command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/ register: v38462_result changed_when: False failed_when: False always_run: True tags: - package - cat1 - V-38462 - name: V-38462 - Package management tool must verify authenticity of packages fail: msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified." when: "v38462_result.rc == 0" tags: - package - cat1 - V-38462 - name: Install unattended-upgrades package (for V-38481) apt: name: unattended-upgrades state: "{{ security_package_state }}" when: security_unattended_upgrades_enabled | bool tags: - package - cat2 - V-38481 - name: V-38481 - System security patches and updates must be installed and up-to-date copy: src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades when: security_unattended_upgrades_enabled | bool tags: - package - cat2 - V-38481 - name: Enable unattended upgrades notifications (for V-38481) lineinfile: dest: /etc/apt/apt.conf.d/50unattended-upgrades regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";' line: 'Unattended-Upgrade::Mail "root";' create: yes when: - security_unattended_upgrades_enabled | bool - security_unattended_upgrades_notifications | bool tags: - package - cat2 - V-38481 - name: Add or remove packages based on STIG requirements apt: name: | {%- set pkg_list = [] %} {%- for package_dict in item[1] %} {%- if pkg_list.extend(package_dict.packages) %}{% endif %} {%- endfor %} {{ pkg_list }} state: "{{ item[0] }}" with_items: - "{{ stig_packages | selectattr('enabled') | groupby('state') }}" tags: - cat1 - auth - package - services - V-38439 # install: aide, aide-common - V-38620 # install: chrony - V-38624 # install: logrotate - V-38631 # install: auditd_pkg - V-38632 # install: auditd_pkg - V-38637 # install: debsums - V-38669 # install: postfix - V-51337 # install: apparmor - V-38583 # remove: xinetd - V-38587 # remove: telnet-server - V-38591 # remove: rsh-server - V-38603 # remove: ypserv - V-38606 # remove: tftp-server - V-38627 # remove: openldap-servers - V-38671 # remove: sendmail