146 lines
4.5 KiB
YAML
146 lines
4.5 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
|
|
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
|
|
#in 1.9.x or we move to 2.0 (if tested working)
|
|
- name: Check apt last update file
|
|
stat:
|
|
path: /var/cache/apt
|
|
register: apt_cache_stat
|
|
tags:
|
|
- auditd-apt-packages
|
|
|
|
- name: Update apt if needed
|
|
apt:
|
|
update_cache: yes
|
|
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
|
|
tags:
|
|
- auditd-apt-packages
|
|
|
|
# Notes for V-38476 ###########################################################
|
|
#
|
|
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
|
|
# change or additional keys may be added in the future.
|
|
#
|
|
- name: Gather current GPG keys for apt (for V-38476)
|
|
command: apt-key list
|
|
register: v38476_result
|
|
changed_when: "v38476_result.rc != 0"
|
|
always_run: True
|
|
|
|
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
|
fail:
|
|
msg: "Missing Ubuntu Archive signing keys"
|
|
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38476
|
|
|
|
# Notes for V-38462 ###########################################################
|
|
#
|
|
# Ubuntu checks packages against GPG signatures by default. It can be turned
|
|
# off for all package installations by a setting in /etc/apt/apt.conf.d and we
|
|
# search for that here. Users can pass an argument on the apt command line
|
|
# to bypass the checks as well, but that's outside the scope of this check
|
|
# and remediation.
|
|
#
|
|
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
|
|
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
|
|
register: v38462_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: V-38462 - Package management tool must verify authenticity of packages
|
|
fail:
|
|
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
|
|
when: "v38462_result.rc == 0"
|
|
tags:
|
|
- package
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: Install unattended-upgrades package (for V-38481)
|
|
apt:
|
|
name: unattended-upgrades
|
|
state: "{{ security_package_state }}"
|
|
when: security_unattended_upgrades_enabled | bool
|
|
tags:
|
|
- package
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: V-38481 - System security patches and updates must be installed and up-to-date
|
|
copy:
|
|
src: 20auto-upgrades
|
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
when: security_unattended_upgrades_enabled | bool
|
|
tags:
|
|
- package
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: Enable unattended upgrades notifications (for V-38481)
|
|
lineinfile:
|
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
|
|
line: 'Unattended-Upgrade::Mail "root";'
|
|
create: yes
|
|
when:
|
|
- security_unattended_upgrades_enabled | bool
|
|
- security_unattended_upgrades_notifications | bool
|
|
tags:
|
|
- package
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: Add or remove packages based on STIG requirements
|
|
apt:
|
|
name: |
|
|
{%- set pkg_list = [] %}
|
|
{%- for package_dict in item[1] %}
|
|
{%- if pkg_list.extend(package_dict.packages) %}{% endif %}
|
|
{%- endfor %}
|
|
{{ pkg_list }}
|
|
state: "{{ item[0] }}"
|
|
with_items:
|
|
- "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
|
|
tags:
|
|
- cat1
|
|
- auth
|
|
- package
|
|
- services
|
|
- V-38439 # install: aide, aide-common
|
|
- V-38620 # install: chrony
|
|
- V-38624 # install: logrotate
|
|
- V-38631 # install: auditd_pkg
|
|
- V-38632 # install: auditd_pkg
|
|
- V-38637 # install: debsums
|
|
- V-38669 # install: postfix
|
|
- V-51337 # install: apparmor
|
|
- V-38583 # remove: xinetd
|
|
- V-38587 # remove: telnet-server
|
|
- V-38591 # remove: rsh-server
|
|
- V-38603 # remove: ypserv
|
|
- V-38606 # remove: tftp-server
|
|
- V-38627 # remove: openldap-servers
|
|
- V-38671 # remove: sendmail
|