openstack
/
openstack-ansible-security
Code Issues Proposed changes
openstack-ansible-security/tasks/rpm.yml

131 lines
3.6 KiB
YAML
Raw Permalink Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
always_run: True
when:
- ansible_distribution == 'CentOS'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS)
fail:
msg: "Missing CentOS 7 GPG keys"
when:
- ansible_distribution == 'CentOS'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476)
command: "rpm -qi {{ item }}"
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
always_run: True
with_items:
- gpg-pubkey-fd431d51-4ae0493b
- gpg-pubkey-2fa658e0-45700c69
when:
- ansible_distribution == 'RedHat'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Red Hat Enteprise Linux)
fail:
msg: "Missing Red Hat Enterprise Linux 7 GPG keys"
when:
- ansible_distribution == 'RedHat'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Search for yum repositories with GPG checks disabled
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
register: v38462_result
changed_when: False
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: Add or remove packages based on STIG requirements
yum:
name: |
{%- set pkg_list = [] %}
{%- for package_dict in item[1] %}
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
{%- endfor %}
{{ pkg_list }}
state: "{{ item[0] }}"
with_items:
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
tags:
- cat1
- auth
- services
- V-38439 # install: aide, aide-common
- V-38481 # install: yum-cron
- V-38620 # install: chrony
- V-38624 # install: logrotate
- V-38631 # install: auditd_pkg
- V-38632 # install: auditd_pkg
- V-38669 # install: postfix
- V-51337 # install: SELinux
- V-38583 # remove: xinetd
- V-38587 # remove: telnet-server
- V-38591 # remove: rsh-server
- V-38603 # remove: ypserv
- V-38606 # remove: tftp-server
- V-38627 # remove: openldap-servers
- V-38671 # remove: sendmail
View Git Blame Copy Permalink