291 lines
7.3 KiB
YAML
291 lines
7.3 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
|
|
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
|
|
#in 1.9.x or we move to 2.0 (if tested working)
|
|
- name: Check apt last update file
|
|
stat:
|
|
path: /var/cache/apt
|
|
register: apt_cache_stat
|
|
tags:
|
|
- auditd-apt-packages
|
|
|
|
- name: Update apt if needed
|
|
apt:
|
|
update_cache: yes
|
|
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
|
|
tags:
|
|
- auditd-apt-packages
|
|
|
|
- name: V-38631/38632 - The operating system must produce audit records (install auditd)
|
|
apt:
|
|
name: auditd
|
|
state: present
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38632
|
|
- V-38631
|
|
|
|
- name: V-38631/38632 - The operating system must produce audit records (start auditd)
|
|
service:
|
|
name: auditd
|
|
state: started
|
|
enabled: true
|
|
when: not check_mode
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38632
|
|
- V-38631
|
|
|
|
- name: Verify that auditd.conf exists
|
|
stat:
|
|
path: /etc/audit/auditd.conf
|
|
register: auditd_conf
|
|
always_run: true
|
|
tags:
|
|
- auditd
|
|
- always
|
|
|
|
- name: V-38633 - The system must set a maximum audit log file size
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?max_log_file ="
|
|
line: "max_log_file = {{ max_log_file }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38633
|
|
|
|
- name: V-38634 - The system must rotate audit log files that reach the max file size
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?max_log_file_action ="
|
|
line: "max_log_file_action = {{ max_log_file_action }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38634
|
|
|
|
- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?num_logs ="
|
|
line: "num_logs = {{ num_logs }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38636
|
|
|
|
- name: Ensure debsums package is installed (for V-38637)
|
|
apt:
|
|
name: debsums
|
|
state: present
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38637
|
|
|
|
# The debsums command returns 0 if the files haven't been altered but it
|
|
# returns 2 otherwise. We also will check to see if auditd has been installed
|
|
# and fail if it's not installed.
|
|
- name: Checking auditd package contents for alterations with debsums (for V-38637)
|
|
shell: debsums auditd -c
|
|
register: v38637_result
|
|
changed_when: False
|
|
failed_when: "'not installed' in v38637_result.stdout"
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38637
|
|
|
|
- name: V-38637 - Contents of auditd package must be verified
|
|
fail:
|
|
msg: "FAILED: Could not verify that files from auditd package are unaltered"
|
|
when: not check_mode and v38637_result.rc == 2
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38637
|
|
|
|
- name: Verify that auditd log directory exists (for V-38445)
|
|
stat:
|
|
path: /var/log/audit/
|
|
register: auditd_log_dir
|
|
always_run: True
|
|
tags:
|
|
- auditd
|
|
- always
|
|
|
|
- name: V-38445 - Audit log files must be group-owned by root
|
|
file:
|
|
dest: /var/log/audit/
|
|
group: root
|
|
recurse: true
|
|
when: auditd_log_dir.stat.exists | bool
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38445
|
|
|
|
- name: V-38464 - The audit system must take action for disk errors
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?disk_error_action"
|
|
line: "disk_error_action = {{ disk_error_action }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38464
|
|
|
|
- name: V-38468 - The audit system must take action when the disk is full
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?disk_full_action"
|
|
line: "disk_full_action = {{ disk_full_action }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38468
|
|
|
|
- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?space_left"
|
|
line: "space_left = {{ space_left }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38678
|
|
|
|
- name: V-38470 - The audit system must take action when the disk is almost full
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?space_left_action"
|
|
line: "space_left_action = {{ space_left_action }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38470
|
|
|
|
- name: V-38680 - Audit system must send email notifications when storage capacity is low
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?action_mail_acct"
|
|
line: "action_mail_acct = {{ action_mail_acct }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38680
|
|
|
|
- name: V-38495 - Audit log files must be owned by root
|
|
file:
|
|
dest: /var/log/audit/
|
|
owner: root
|
|
recurse: true
|
|
when: auditd_log_dir.stat.exists | bool
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38495
|
|
|
|
# TODO: Ansible 2.0 offers the find module and that will allow this task to
|
|
# avoid using the shell module to get a list of logs. This task should be
|
|
# adjusted to use the find module when Ansible 2.0 is fully released.
|
|
- name: Get a list of audit logs in the auditd directory (for V-38498)
|
|
shell: ls /var/log/audit/
|
|
register: v38498_result
|
|
changed_when: false
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38498
|
|
|
|
# Ubuntu 14.04 sets these to 0400 by default, so we will stick with that since
|
|
# it exceeds the STIG's requirements.
|
|
- name: V-38498 - Audit log files must have mode 0640 or less
|
|
file:
|
|
dest: "/var/log/audit/{{ item }}"
|
|
mode: 0400
|
|
with_items: v38498_result.stdout_lines
|
|
when: v_38498_result is defined
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-38498
|
|
|
|
- name: Auditd rules (includes several STIGs)
|
|
template:
|
|
src: osas-auditd.j2
|
|
dest: /etc/audit/rules.d/osas-auditd.rules
|
|
notify:
|
|
- generate auditd rules
|
|
tags:
|
|
- auditd
|
|
- cat3
|
|
|
|
- name: V-38471 - Forward auditd records to syslog
|
|
lineinfile:
|
|
dest: /etc/audisp/plugins.d/syslog.conf
|
|
regexp: "^(#)?active"
|
|
line: "active = yes"
|
|
state: present
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat3
|
|
- V-38471
|
|
|
|
- name: V-54381 - The audit system must switch to single user mode when disk space is low
|
|
lineinfile:
|
|
dest: /etc/audit/auditd.conf
|
|
regexp: "^(#)?admin_space_left_action"
|
|
line: "admin_space_left_action = {{ admin_space_left_action }}"
|
|
when: auditd_conf.stat.exists | bool
|
|
notify:
|
|
- restart auditd
|
|
tags:
|
|
- auditd
|
|
- cat2
|
|
- V-54381
|