96 lines
3.0 KiB
YAML
96 lines
3.0 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Notes for V-38476 ###########################################################
|
|
#
|
|
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
|
|
# change or additional keys may be added in the future.
|
|
#
|
|
- name: Gather current GPG keys for apt (for V-38476)
|
|
command: apt-key list
|
|
register: v38476_result
|
|
changed_when: "v38476_result.rc != 0"
|
|
always_run: True
|
|
|
|
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
|
fail:
|
|
msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys"
|
|
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
|
|
tags:
|
|
- apt
|
|
- cat1
|
|
- V-38476
|
|
|
|
# Notes for V-38462 ###########################################################
|
|
#
|
|
# Ubuntu checks packages against GPG signatures by default. It can be turned
|
|
# off for all package installations by a setting in /etc/apt/apt.conf.d and we
|
|
# search for that here. Users can pass an argument on the apt command line
|
|
# to bypass the checks as well, but that's outside the scope of this check
|
|
# and remediation.
|
|
#
|
|
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
|
|
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
|
|
register: v38462_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: V-38462 - Package management tool must verify authenticity of packages
|
|
fail:
|
|
msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
|
|
when: "v38462_result.rc == 0"
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38462
|
|
|
|
- name: Install unattended-upgrades package (for V-38481)
|
|
apt:
|
|
name: unattended-upgrades
|
|
state: present
|
|
when: unattended_upgrades_enabled | bool
|
|
tags:
|
|
- apt
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: V-38481 - System security patches and updates must be installed and up-to-date
|
|
copy:
|
|
src: 20auto-upgrades
|
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
when: unattended_upgrades_enabled | bool
|
|
tags:
|
|
- apt
|
|
- cat2
|
|
- V-38481
|
|
|
|
- name: Enable unattended upgrades notifications (for V-38481)
|
|
lineinfile:
|
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
|
|
line: 'Unattended-Upgrade::Mail "root";'
|
|
when:
|
|
- unattended_upgrades_enabled | bool
|
|
- unattended_upgrades_notifications | bool
|
|
tags:
|
|
- apt
|
|
- cat2
|
|
- V-38481
|