diff --git a/doc/metadata/rhel7/V-71903.rst b/doc/metadata/rhel7/V-71903.rst index b02da8a9..a482ef4c 100644 --- a/doc/metadata/rhel7/V-71903.rst +++ b/doc/metadata/rhel7/V-71903.rst @@ -1,7 +1,7 @@ --- id: V-71903 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71905.rst b/doc/metadata/rhel7/V-71905.rst index a1d9d0f3..d81063a4 100644 --- a/doc/metadata/rhel7/V-71905.rst +++ b/doc/metadata/rhel7/V-71905.rst @@ -1,7 +1,7 @@ --- id: V-71905 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71907.rst b/doc/metadata/rhel7/V-71907.rst index e5dec7f0..faff2586 100644 --- a/doc/metadata/rhel7/V-71907.rst +++ b/doc/metadata/rhel7/V-71907.rst @@ -1,7 +1,7 @@ --- id: V-71907 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71909.rst b/doc/metadata/rhel7/V-71909.rst index ca2d3509..0edacfd1 100644 --- a/doc/metadata/rhel7/V-71909.rst +++ b/doc/metadata/rhel7/V-71909.rst @@ -1,7 +1,7 @@ --- id: V-71909 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71911.rst b/doc/metadata/rhel7/V-71911.rst index 7ee48ed2..c74eb450 100644 --- a/doc/metadata/rhel7/V-71911.rst +++ b/doc/metadata/rhel7/V-71911.rst @@ -1,7 +1,7 @@ --- id: V-71911 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71913.rst b/doc/metadata/rhel7/V-71913.rst index f139562c..15374818 100644 --- a/doc/metadata/rhel7/V-71913.rst +++ b/doc/metadata/rhel7/V-71913.rst 
@@ -1,7 +1,7 @@ --- id: V-71913 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71915.rst b/doc/metadata/rhel7/V-71915.rst index 57d60d5a..b021e4d2 100644 --- a/doc/metadata/rhel7/V-71915.rst +++ b/doc/metadata/rhel7/V-71915.rst @@ -1,7 +1,7 @@ --- id: V-71915 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71917.rst b/doc/metadata/rhel7/V-71917.rst index af0bb97b..da792c87 100644 --- a/doc/metadata/rhel7/V-71917.rst +++ b/doc/metadata/rhel7/V-71917.rst @@ -1,7 +1,7 @@ --- id: V-71917 status: opt-in -tag: auth +tag: accounts --- The password quality requirements from the STIG are examples of good security diff --git a/doc/metadata/rhel7/V-71919.rst b/doc/metadata/rhel7/V-71919.rst index 6399a7df..87c21146 100644 --- a/doc/metadata/rhel7/V-71919.rst +++ b/doc/metadata/rhel7/V-71919.rst @@ -1,7 +1,7 @@ --- id: V-71919 status: implemented -tag: implemented +tag: accounts --- The PAM configuration file for password storage is checked to ensure that diff --git a/doc/metadata/rhel7/V-71921.rst b/doc/metadata/rhel7/V-71921.rst index 790ae0a3..b3a5be3f 100644 --- a/doc/metadata/rhel7/V-71921.rst +++ b/doc/metadata/rhel7/V-71921.rst @@ -1,7 +1,7 @@ --- id: V-71921 status: implemented -tag: auth +tag: accounts --- The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat diff --git a/doc/metadata/rhel7/V-71923.rst b/doc/metadata/rhel7/V-71923.rst index 8698b1c3..50ac2f7a 100644 --- a/doc/metadata/rhel7/V-71923.rst +++ b/doc/metadata/rhel7/V-71923.rst @@ -1,7 +1,7 @@ --- id: V-71923 status: implemented - red hat only -tag: misc +tag: accounts --- The role ensures that ``crypt_style`` is set to ``sha512`` in diff --git a/doc/metadata/rhel7/V-71925.rst b/doc/metadata/rhel7/V-71925.rst index 63771e3c..04961530 100644 
--- a/doc/metadata/rhel7/V-71925.rst +++ b/doc/metadata/rhel7/V-71925.rst @@ -1,7 +1,7 @@ --- id: V-71925 status: opt-in -tag: auth +tag: accounts --- Although the STIG requires that all passwords have a minimum lifetime set, this diff --git a/doc/metadata/rhel7/V-71927.rst b/doc/metadata/rhel7/V-71927.rst index 93b563c7..87bf56a9 100644 --- a/doc/metadata/rhel7/V-71927.rst +++ b/doc/metadata/rhel7/V-71927.rst @@ -1,7 +1,7 @@ --- id: V-71927 status: implemented -tag: auth +tag: accounts --- The tasks in the security role search for accounts with a minimum lifetime diff --git a/doc/metadata/rhel7/V-71929.rst b/doc/metadata/rhel7/V-71929.rst index c3280a0e..67854df5 100644 --- a/doc/metadata/rhel7/V-71929.rst +++ b/doc/metadata/rhel7/V-71929.rst @@ -1,7 +1,7 @@ --- id: V-71929 status: opt-in -tag: auth +tag: accounts --- Although the STIG requires that all passwords have a maximum lifetime set, this diff --git a/doc/metadata/rhel7/V-71931.rst b/doc/metadata/rhel7/V-71931.rst index 4b91df29..10e6a434 100644 --- a/doc/metadata/rhel7/V-71931.rst +++ b/doc/metadata/rhel7/V-71931.rst @@ -1,7 +1,7 @@ --- id: V-71931 status: implemented -tag: auth +tag: accounts --- If any users have a maximum password age on their current password set to a diff --git a/doc/metadata/rhel7/V-71933.rst b/doc/metadata/rhel7/V-71933.rst index 39e384cb..3c41b3b2 100644 --- a/doc/metadata/rhel7/V-71933.rst +++ b/doc/metadata/rhel7/V-71933.rst @@ -1,7 +1,7 @@ --- id: V-71933 status: opt-in -tag: auth +tag: accounts --- Although the STIG requires that five passwords are remembered to prevent re- diff --git a/doc/metadata/rhel7/V-71935.rst b/doc/metadata/rhel7/V-71935.rst index df2a3d13..b894a25a 100644 --- a/doc/metadata/rhel7/V-71935.rst +++ b/doc/metadata/rhel7/V-71935.rst @@ -1,7 +1,7 @@ --- id: V-71935 status: opt-in -tag: auth +tag: accounts --- Although the STIG requires that passwords have a minimum length of 15 
diff --git a/doc/metadata/rhel7/V-71941.rst b/doc/metadata/rhel7/V-71941.rst index 0a783cf5..258154cb 100644 --- a/doc/metadata/rhel7/V-71941.rst +++ b/doc/metadata/rhel7/V-71941.rst @@ -1,7 +1,7 @@ --- id: V-71941 status: opt-in -tag: auth +tag: accounts --- The STIG requires that user accounts are disabled when their password expires. diff --git a/doc/metadata/rhel7/V-71951.rst b/doc/metadata/rhel7/V-71951.rst index 37ef24d1..6cc48939 100644 --- a/doc/metadata/rhel7/V-71951.rst +++ b/doc/metadata/rhel7/V-71951.rst @@ -1,7 +1,7 @@ --- id: V-71951 status: implemented -tag: auth +tag: accounts --- The tasks in the Ansible role set a four second delay between failed login diff --git a/doc/metadata/rhel7/V-71995.rst b/doc/metadata/rhel7/V-71995.rst index 19becf76..4b733065 100644 --- a/doc/metadata/rhel7/V-71995.rst +++ b/doc/metadata/rhel7/V-71995.rst @@ -1,7 +1,7 @@ --- id: V-71995 status: opt-in - Ubuntu only -tag: auth +tag: accounts --- The STIG requires that the umask for all authenticated users is ``077``. This diff --git a/doc/metadata/rhel7/V-72003.rst b/doc/metadata/rhel7/V-72003.rst index 5c7a42f3..9c9e7add 100644 --- a/doc/metadata/rhel7/V-72003.rst +++ b/doc/metadata/rhel7/V-72003.rst @@ -1,7 +1,7 @@ --- id: V-72003 status: implemented -tag: auth +tag: accounts --- If any users are found with invalid GIDs, those users are printed in the diff --git a/doc/metadata/rhel7/V-72005.rst b/doc/metadata/rhel7/V-72005.rst index eeaf55ed..089041ae 100644 --- a/doc/metadata/rhel7/V-72005.rst +++ b/doc/metadata/rhel7/V-72005.rst @@ -1,7 +1,7 @@ --- id: V-72005 status: implemented -tag: auth +tag: accounts --- If an account with UID 0 other than ``root`` exists on the system, the playbook diff --git a/doc/metadata/rhel7/V-72011.rst b/doc/metadata/rhel7/V-72011.rst index 987742ea..4b2d75db 100644 --- a/doc/metadata/rhel7/V-72011.rst +++ b/doc/metadata/rhel7/V-72011.rst 
@@ -1,7 +1,7 @@ --- id: V-72011 status: implemented -tag: auth +tag: accounts --- The usernames of all users without home directories assigned are provided in diff --git a/doc/metadata/rhel7/V-72013.rst b/doc/metadata/rhel7/V-72013.rst index 8adcf084..e570351f 100644 --- a/doc/metadata/rhel7/V-72013.rst +++ b/doc/metadata/rhel7/V-72013.rst @@ -1,7 +1,7 @@ --- id: V-72013 status: implemented -tag: auth +tag: accounts --- The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security diff --git a/doc/metadata/rhel7/V-72015.rst b/doc/metadata/rhel7/V-72015.rst index 40046b8d..5b51048a 100644 --- a/doc/metadata/rhel7/V-72015.rst +++ b/doc/metadata/rhel7/V-72015.rst @@ -1,7 +1,7 @@ --- id: V-72015 status: implemented -tag: auth +tag: accounts --- Each interactive user on the system is checked to verify that their assigned diff --git a/doc/metadata/rhel7/V-73159.rst b/doc/metadata/rhel7/V-73159.rst index 6fe9712d..8749554c 100644 --- a/doc/metadata/rhel7/V-73159.rst +++ b/doc/metadata/rhel7/V-73159.rst @@ -1,7 +1,7 @@ --- id: V-73159 status: opt-in -tag: auth +tag: accounts --- The security role can require new or changed passwords to follow the pwquality diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml new file mode 100644 index 00000000..73baf6c5 --- /dev/null +++ b/tasks/rhel7stig/accounts.yml 
@@ -0,0 +1,255 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if /etc/security/pwquality.conf exists
+  stat:
+    path: /etc/security/pwquality.conf
+  check_mode: no
+  register: pwquality_config_check
+  tags:
+    - always
+
+- name: Set password quality requirements
+  blockinfile:
+    dest: /etc/security/pwquality.conf
+    backup: yes
+    insertbefore: EOF
+    marker: "# {mark} Added by openstack-ansible-security role"
+    state: present
+    block: "{{ lookup('template', 'pwquality.conf.j2') }}"
+  when:
+    - pwquality_config_check.stat.exists
+  tags:
+    - accounts
+    - medium
+    - V-71903
+    - V-71905
+    - V-71907
+    - V-71909
+    - V-71911
+    - V-71913
+    - V-71915
+    - V-71917
+    - V-71935
+
+- name: Check for SHA512 password storage in PAM
+  command: "grep pam_unix.so {{ pam_password_file }}"
+  register: password_sha512_check
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: Print warning if PAM is not using SHA512 for password storage
+  debug:
+    msg: >
+      PAM is not using SHA512 for password storage. This is a security issue.
+  when:
+    - password_sha512_check is defined
+    - "'sha512' not in password_sha512_check.stdout"
+  tags:
+    - accounts
+    - medium
+    - V-71919
+
+- name: Ensure libuser is storing passwords using SHA512
+  ini_file:
+    dest: /etc/libuser.conf
+    section: defaults
+    option: crypt_style
+    value: sha512
+    backup: yes
+  when:
+    - security_libuser_crypt_style_sha512 | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - accounts
+    - medium
+    - V-71923
+
+- name: Get all user accounts with a password lifetime limit under 24 hours
+  shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
+  check_mode: no
+  changed_when: False
+  register: password_lifetime_check
+  tags:
+    - accounts
+    - medium
+    - V-71927
+    - skip_ansible_lint
+
+- name: Print warning about accounts with password lifetimes under 24 hours
+  debug:
+    msg: |
+      Accounts were found with a minimum password lifetime limit under 24 hours:
+      {{ password_lifetime_check.stdout_lines | join(', ') }}
+  when:
+    - password_lifetime_check.stdout_lines is defined
+  tags:
+    - accounts
+    - medium
+    - V-71927
+
+- name: Print warning for accounts with a password lifetime over 60 days
+  debug:
+    msg: |
+      The following user accounts have an existing password with a lifetime of
+      greater than 60 days:
+      {%- for user in user_list.users %}
+      {% if user['shadow']['max_days'] > 60 %}
+      {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
+      {% endif %}
+      {% endfor %}
+  tags:
+    - accounts
+    - medium
+    - V-71931
+
+- name: Ensure that users cannot reuse one of their last 5 passwords
+  lineinfile:
+    dest: "{{ pam_password_file }}"
+    regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
+    line: '\1 remember={{ security_password_remember_password }}'
+    backrefs: yes
+    state: present
+  when:
+    - security_password_remember_password is defined
+  tags:
+    - accounts
+    - medium
+    - V-71933
+
+- name: Ensure accounts are disabled if the password expires
+  lineinfile:
+    dest: /etc/default/useradd
+    regexp: '^[#\s]*INACTIVE'
+    line: 'INACTIVE=0'
+  when:
+    - security_disable_account_if_password_expires | bool
+  tags:
+    - accounts
+    - medium
+    - V-71941
+
+- name: Apply shadow-utils configurations
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^{{ item.parameter }}"
+    line: "{{ item.parameter }} {{ item.value }}"
+    state: present
+  when:
+    - item.value != ''
+    - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
+  with_items: "{{ shadow_utils_rhel7 }}"
+  tags:
+    - accounts
+    - medium
+    - V-71921
+    - V-71925
+    - V-71929
+    - V-71951
+    - V-71995
+    - V-72013
+
+- name: Print warning for groups in /etc/passwd that are not in /etc/group
+  debug:
+    msg: >
+      The following users have GIDs in /etc/passwd that do not exist in /etc/group:
+      {{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
+  when:
+    - user_list is defined
+    - user_list.users | selectattr('group', 'equalto', False) | list | length > 0
+  tags:
+    - accounts
+    - low
+    - V-72003
+
+- name: Get all accounts with UID 0
+  shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
+  changed_when: False
+  check_mode: no
+  register: root_user_check
+  tags:
+    - accounts
+    - high
+    - V-72005
+    - skip_ansible_lint
+
+- name: Print warnings for non-root users with UID 0
+  fail:
+    msg: |
+      Only the 'root' user should have UID 0. Other users were found:
+      {{ root_user_check.stdout_lines | join(', ') }}"
+  when:
+    - root_user_check.stdout != 'root'
+  tags:
+    - accounts
+    - high
+    - V-72005
+
+- name: Print warning for local interactive users without a home directory assigned
+  debug:
+    msg: |
+      The following users do not have a home directory assigned:
+      {{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
+  when:
+    - user_list is defined
+    - user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
+  tags:
+    - accounts
+    - medium
+    - V-72011
+
+- name: Check each user to see if its home directory exists on the filesystem
+  stat:
+    path: "{{ item['dir'] }}"
+  when:
+    - item['dir'] != ''
+  with_items: "{{ user_list.users }}"
+  register: home_directory_checks
+  tags:
+    - accounts
+    - medium
+    - V-72015
+
+- name: Print warning for users with an assigned home directory that does not exist
+  debug:
+    msg: |
+      These users have a home directory assigned, but the directory does not exist:
+      {% for check in home_directory_checks.results %}
+      {% if not check.stat.exists %}
+      {{ check.item.name }} ({{ check.item.dir }} does not exist)
+      {% endif %}
+      {% endfor %}
+  when:
+    - home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
+  tags:
+    - accounts
+    - medium
+    - V-72015
+
+- name: Use pwquality when passwords are changed or created
+  lineinfile:
+    dest: /etc/pam.d/passwd
+    line: "password required pam_pwquality.so retry=3"
+    state: present
+  when:
+    - security_enable_pwquality_password_set | bool
+  tags:
+    - accounts
+    - medium
+    - V-73159
+
+
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 1a9d4f0e..c24b2e88 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
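Review bot: In `Ensure that users cannot reuse one of their last 5 passwords`, the regexp `'^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'` demands whitespace before the optional `remember=` group, so a pam_unix.so line that carries no `remember=` yet and has no trailing whitespace never matches, and lineinfile with `backrefs: yes` then leaves the file unchanged without reporting it. Moving the whitespace inside the optional group, `regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.*?)(?:\s+remember=\d+)?$'`, matches both forms while `line: '\1 remember={{ security_password_remember_password }}'` still appends or replaces the option. Separately, `Print warning about accounts with password lifetimes under 24 hours` is gated on `password_lifetime_check.stdout_lines is defined`, which a registered shell result satisfies even when awk printed nothing, so the warning fires with an empty list; `- password_lifetime_check.stdout_lines | length > 0` is the intended condition. `Print warning for accounts with a password lifetime over 60 days` has no `when` at all and likewise prints its header on every run even when no user exceeds 60 days. These tasks are moved here from auth.yml rather than newly written, so the behaviour predates this commit but the new file is where it should be fixed.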
@@ -13,96 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Get a list of users on the system to use throughout the auth tasks - action: get_users - register: user_list - check_mode: no - tags: - - always - -- name: Check if /etc/security/pwquality.conf exists - stat: - path: /etc/security/pwquality.conf - check_mode: no - register: pwquality_config_check - tags: - - always - -- name: Set password quality requirements - blockinfile: - dest: /etc/security/pwquality.conf - backup: yes - insertbefore: EOF - marker: "# {mark} Added by openstack-ansible-security role" - state: present - block: "{{ lookup('template', 'pwquality.conf.j2') }}" - when: - - pwquality_config_check.stat.exists - tags: - - auth - - medium - - V-71903 - - V-71905 - - V-71907 - - V-71909 - - V-71911 - - V-71913 - - V-71915 - - V-71917 - - V-71935 - -- name: Use pwquality when passwords are changed or created - lineinfile: - dest: /etc/pam.d/passwd - line: "password required pam_pwquality.so retry=3" - state: present - when: - - security_enable_pwquality_password_set | bool - tags: - - auth - - medium - - V-73159 - -- name: Check for SHA512 password storage in PAM - command: "grep pam_unix.so {{ pam_password_file }}" - register: password_sha512_check - changed_when: False - check_mode: no - tags: - - always - -- name: V-71919 - The PAM system service must be configured to store only encrypted representations of passwords. - debug: - msg: > - PAM is not using SHA512 for password storage. This is a security issue. 
- when: - - password_sha512_check is defined - - "'sha512' not in password_sha512_check.stdout" - tags: - - auth - - medium - - V-71919 - -- name: Configure shadow-utils configuration - lineinfile: - dest: /etc/login.defs - regexp: "^{{ item.parameter }}" - line: "{{ item.parameter }} {{ item.value }}" - state: present - when: - - item.value != '' - - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family - with_items: "{{ shadow_utils_rhel7 }}" - tags: - - auth - - medium - - V-71921 - - V-71925 - - V-71929 - - V-71951 - - V-71995 - - V-72013 - # NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in # microseconds. - name: Set pam_faildelay configuration on Ubuntu 
@@ -120,74 +30,7 @@ - medium - V-71951 -- name: V-71923 - User and group account administration utilities must be configured to store only encrypted representations of passwords. - ini_file: - dest: /etc/libuser.conf - section: defaults - option: crypt_style - value: sha512 - backup: yes - when: - - security_libuser_crypt_style_sha512 | bool - - ansible_os_family | lower == 'redhat' - tags: - - auth - - medium - - V-71923 - -- name: Get all user accounts with a password lifetime limit under 24 hours - shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow" - check_mode: no - changed_when: False - register: password_lifetime_check - tags: - - auth - - medium - - V-71927 - - skip_ansible_lint - -- name: V-71927 - Passwords must be restricted to a 24 hours/1 day minimum lifetime. - debug: - msg: | - Accounts were found with a minimum password lifetime limit under 24 hours: - {{ password_lifetime_check.stdout_lines | join(', ') }} - when: - - password_lifetime_check.stdout_lines is defined - tags: - - auth - - medium - - V-71927 - -- name: V-71933 - Passwords must be prohibited from reuse for a minimum of five generations. - lineinfile: - dest: "{{ pam_password_file }}" - regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$' - line: '\1 remember={{ security_password_remember_password }}' - backrefs: yes - state: present - when: - - security_password_remember_password is defined - tags: - - auth - - medium - - V-71933 - -- name: V-71931 - Existing passwords must be restricted to a 60-day maximum lifetime. 
- debug: - msg: | - The following user accounts have an existing password with a lifetime of - greater than 60 days: - {%- for user in user_list.users %} - {% if user['shadow']['max_days'] > 60 %} - {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days - {% endif %} - {% endfor %} - tags: - - auth - - medium - - V-71931 - -- name: V-71937 - The system must not have accounts configured with blank or null passwords +- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu) lineinfile: dest: "{{ pam_auth_file }}" state: present @@ -203,7 +46,7 @@ - high - V-71937 -- name: V-71937 - The system must not have accounts configured with blank or null passwords +- name: Prevent users with blank or null passwords from authenticating (Red Hat) lineinfile: dest: "{{ pam_auth_file }}" state: present @@ -222,18 +65,6 @@ - high - V-71937 -- name: V-71941 - The operating system must disable account identifiers if the password expires. - lineinfile: - dest: /etc/default/useradd - regexp: '^[#\s]*INACTIVE' - line: 'INACTIVE=0' - when: - - security_disable_account_if_password_expires | bool - tags: - - auth - - medium - - V-71941 - - name: V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked. blockinfile: dest: pam_password_file 
@@ -333,83 +164,6 @@ - V-71961 - V-71963 -- name: Get all accounts with UID 0 - shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd" - changed_when: False - check_mode: no - register: root_user_check - tags: - - auth - - high - - V-72005 - - skip_ansible_lint - -- name: Check for groups in /etc/passwd that are not in /etc/group - debug: - msg: > - The following users have GIDs in /etc/passwd that do not exist in /etc/group: - {{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }} - when: - - user_list is defined - - user_list.users | selectattr('group', 'equalto', False) | list | length > 0 - tags: - - auth - - low - - V-72003 - -- name: V-72005 - The root account must be the only account having unrestricted access to the system - fail: - msg: | - Only the 'root' user should have UID 0. Other users were found: - {{ root_user_check.stdout_lines | join(', ') }}" - when: - - root_user_check.stdout != 'root' - tags: - - auth - - high - - V-72005 - -- name: V-72011 - All local interactive users must have a home directory assigned in the /etc/passwd file. - debug: - msg: | - The following users do not have a home directory assigned: - {{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }} - when: - - user_list is defined - - user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0 - tags: - - auth - - medium - - V-72011 - -- name: Check each user to see if its home directory exists on the filesystem - stat: - path: "{{ item['dir'] }}" - when: - - item['dir'] != '' - with_items: "{{ user_list.users }}" - register: home_directory_checks - tags: - - auth - - medium - - V-72015 - -- name: V-72015 - All local interactive user home directories defined in the /etc/passwd file must exist. 
- debug: - msg: | - These users have a home directory assigned, but the directory does not exist: - {% for check in home_directory_checks.results %} - {% if not check.stat.exists %} - {{ check.item.name }} ({{ check.item.dir }} does not exist) - {% endif %} - {% endfor %} - when: - - home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0 - tags: - - auth - - medium - - V-72015 - - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. blockinfile: dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index 90e14fbd..2f18253f 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -49,6 +49,13 @@ - always - skip_ansible_lint +- name: Get a list of users on the system to use throughout the auth tasks + action: get_users + register: user_list + check_mode: no + tags: + - always + # Package installations and removals must come first so that configuration # changes can be made later. - include: packages.yml @@ -65,6 +72,7 @@ # each file are tagged with the same name (for example, tasks in `auth.yml` # are tagged with `auth`). Also, the tag name matches up with the "STIG # Controls by Tag" section of the role documentation. +- include: accounts.yml - include: aide.yml - include: auditd.yml - include: auth.yml
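Review bot: The task name `Get a list of users on the system to use throughout the auth tasks` is stale once the task moves into main.yml, because its `user_list` result is now read by the accounts.yml tasks (the GID, home-directory and 60-day password checks) and every auth.yml consumer visible in this diff is removed. Renaming it `Get a list of users on the system to use throughout the accounts tasks`, or adding a comment above it naming the included files that read `user_list`, keeps the cross-file dependency discoverable. That comment is also the place to say that the `always` tag is what guarantees the fact-gathering runs ahead of tag-filtered accounts tasks.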