
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
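# Collect the SysV init script names from /etc/init.d/, one per line.
# `command` is sufficient here (no pipes or redirection), and a plain
# scalar hands the `\n` in the -printf format to find literally rather
# than relying on YAML double-quote escaping to turn it into a real
# newline first.
- name: Generate list of services_installed
  command: find /etc/init.d/ -printf '%f\n'
  register: sysv_services_installed
  # Read-only discovery: never report a change, and run in check mode too.
  changed_when: false
  always_run: true
  tags:
    - services
    - cat1
    - cat2
    - cat3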
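# Collect the systemd service unit names (`foo.service`), one per line.
# Without `--all`, `list-units` only shows units that are active, failed
# or have pending jobs, so an installed-but-stopped service would be
# missing from the list and the `enabled: no` tasks below would be
# skipped for it, leaving it to start again on the next boot.
- name: Generate a list of systemd service unit files
  shell: "systemctl list-units --all --type=service --no-legend | awk '{print $1}'"
  register: systemd_services_installed
  # Read-only discovery: never report a change, and run in check mode too.
  changed_when: false
  always_run: true
  tags:
    - services
    - cat1
    - cat2
    - cat3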
# Pick whichever discovery result applies to this host. The whole
# registered result is stored (not just its stdout), which is why the
# tasks below read services_installed.stdout. systemd_running is
# presumably set elsewhere in the role.
- name: Register which services are installed depending on platform
  set_fact:
    services_installed: "{{ (systemd_running | bool) | ternary(systemd_services_installed, sysv_services_installed) }}"
# V-38437: stop autofs and keep it from starting at boot. Runs only when
# the role toggle is on and the name appears in the discovered service
# list; the `in` test is a substring match on the raw command output.
- name: V-38437 - Automated file system mounting tools must be disabled
  service:
    name: autofs
    state: stopped
    enabled: false
  when:
    - security_disable_autofs | bool
    - "'autofs' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38437
# V-38640: stop the abrt daemon and disable it at boot. Runs only when
# the role toggle is on and the name appears in the discovered service
# list; the `in` test is a substring match on the raw command output.
- name: V-38640 - The abrt service must be disabled
  service:
    name: abrtd
    state: stopped
    enabled: false
  when:
    - security_disable_abrtd | bool
    - "'abrtd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38640
# V-38641: stop atd and disable it at boot. Runs only when the role
# toggle is on and the name appears in the discovered service list; the
# `in` test is a substring match, so a short name like `atd` also
# matches any longer service name that contains it.
- name: V-38641 - The atd service must be disabled
  service:
    name: atd
    state: stopped
    enabled: false
  when:
    - security_disable_atd | bool
    - "'atd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38641
# V-38648: stop qpidd and disable it at boot. Runs only when the role
# toggle is on and the name appears in the discovered service list; the
# `in` test is a substring match on the raw command output.
- name: V-38648 - The qpidd service must be disabled
  service:
    name: qpidd
    state: stopped
    enabled: false
  when:
    - security_disable_qpidd | bool
    - "'qpidd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38648
# V-38691: stop the bluetooth service and disable it at boot. Runs only
# when the role toggle is on and the name appears in the discovered
# service list; the `in` test is a substring match on the raw output.
- name: V-38691 - The bluetooth service must be disabled
  service:
    name: bluetooth
    state: stopped
    enabled: false
  when:
    - security_disable_bluetooth | bool
    - "'bluetooth' in services_installed.stdout"
  tags:
    - services
    - cat2
    - V-38691
# V-38582: stop xinetd and disable it at boot (removal of the package is
# handled by the V-38584 tasks below). Runs only when the role toggle is
# on and the name appears in the discovered service list; the `in` test
# is a substring match on the raw command output.
- name: V-38582 - xinetd must be disabled if not in use
  service:
    name: xinetd
    state: stopped
    enabled: false
  when:
    - security_disable_xinetd | bool
    - "'xinetd' in services_installed.stdout"
  tags:
    - services
    - cat2
    - V-38582
# V-38584: remove the xinetd package on apt-based hosts when the role
# toggle is on. `purge` is not set, so configuration files are left in
# place. The yum counterpart follows.
- name: V-38584 - xinetd must be uninstalled if not in use (apt)
  apt:
    name: xinetd
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_xinetd | bool
  tags:
    - services
    - cat3
    - V-38584
# V-38584: remove the xinetd package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
  yum:
    name: xinetd
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_xinetd | bool
  tags:
    - services
    - cat3
    - V-38584
# Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
# V-38603: remove the NIS server package on apt-based hosts when the role
# toggle is on. ypserv_pkg carries the per-platform package name and is
# presumably set in the role's variables.
- name: V-38603 - Remove ypserv package with apt
  apt:
    name: "{{ ypserv_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_ypserv | bool
  tags:
    - services
    - cat2
    - V-38603
# V-38603: remove the NIS server package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38603 - Remove ypserv package with yum
  yum:
    name: "{{ ypserv_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_ypserv | bool
  tags:
    - services
    - cat2
    - V-38603
# V-38605: cron must be running now and enabled at boot. This task has no
# role toggle and no `when`, so it always runs. cron_service carries the
# per-platform service name and is presumably set in the role's variables.
- name: V-38605 - The cron service must be running
  service:
    name: "{{ cron_service }}"
    state: started
    enabled: true
  tags:
    - services
    - cat2
    - V-38605
# V-38606: remove the TFTP server package on apt-based hosts when the role
# toggle is on. tftp_pkg carries the per-platform package name. The yum
# counterpart follows.
- name: V-38606 - The tftp-server package must not be installed unless required (apt)
  apt:
    name: "{{ tftp_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_tftp_server | bool
  tags:
    - services
    - cat2
    - V-38606
# V-38606: remove the TFTP server package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
  yum:
    name: "{{ tftp_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_tftp_server | bool
  tags:
    - services
    - cat2
    - V-38606
# V-38618: stop avahi-daemon and disable it at boot. Runs only when the
# role toggle is on and the discovered service list contains 'avahi';
# the `in` test is a substring match, which is how the shorter key
# matches the avahi-daemon service name.
- name: V-38618 - avahi must be disabled
  service:
    name: avahi-daemon
    state: stopped
    enabled: false
  when:
    - security_disable_avahi | bool
    - "'avahi' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38618
# V-38627: remove the LDAP server package on apt-based hosts when the role
# toggle is on. ldap_server_pkg carries the per-platform package name.
# The yum counterpart follows.
- name: V-38627 - Remove LDAP servers unless required (apt)
  apt:
    name: "{{ ldap_server_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_ldap_server | bool
  tags:
    - services
    - cat3
    - V-38627
# V-38627: remove the LDAP server package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38627 - Remove LDAP servers unless required (yum)
  yum:
    name: "{{ ldap_server_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_ldap_server | bool
  tags:
    - services
    - cat3
    - V-38627
# V-38671: remove the sendmail package on apt-based hosts when the role
# toggle is on. The yum counterpart follows.
- name: V-38671 - Remove sendmail with apt
  apt:
    name: sendmail
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_sendmail | bool
  tags:
    - services
    - cat2
    - V-38671
# V-38671: remove the sendmail package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38671 - Remove sendmail with yum
  yum:
    name: sendmail
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_sendmail | bool
  tags:
    - services
    - cat2
    - V-38671
# V-38676: remove the X server package on apt-based hosts when the role
# toggle is on. xserver_pkg carries the per-platform package name. The
# yum counterpart follows.
- name: V-38676 - The X windows package must not be installed (apt)
  apt:
    name: "{{ xserver_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'apt'
    - security_remove_xorg | bool
  tags:
    - services
    - cat3
    - V-38676
# V-38676: remove the X server package on yum-based hosts when the role
# toggle is on. Mirrors the apt task above.
- name: V-38676 - The X windows package must not be installed (yum)
  yum:
    name: "{{ xserver_pkg }}"
    state: absent
  when:
    - ansible_pkg_mgr == 'yum'
    - security_remove_xorg | bool
  tags:
    - services
    - cat3
    - V-38676