Add support for the openSUSE Leap distributions

Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions especially
on older Ansible versions.

Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba

README.md

@@ -13,6 +13,8 @@ to systems running the following distributions:
 * Ubuntu 14.04 *(deprecated)*
 * Ubuntu 16.04
 * Red Hat Enterprise Linux 7
+* openSUSE Leap 42.2 and 42.3
+* SUSE Linux Enterprise 12 (*experimental*)
 
 For more details, review the
 [ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).

doc/metadata/rhel7/V-71855.rst

@@ -4,8 +4,8 @@ status: implemented
 tag: packages
 ---
 
-Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the
-output of ``debsums`` (on Ubuntu) to see if any files installed from packages
+Ansible tasks will check the ``rpm -Va`` output (on CentOS, RHEL, openSUSE and SLE) or
+the output of ``debsums`` (on Ubuntu) to see if any files installed from packages
 have been altered. The tasks will print a list of files that have changed
 since their package was installed.
 

doc/metadata/rhel7/V-71921.rst

@@ -4,9 +4,9 @@ status: implemented
 tag: accounts
 ---
 
-The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
-Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that
-the default is maintained.
+The default password storage mechanism for Ubuntu 16.04, CentOS 7, openSUSE Leap,
+SUSE Linux Enterprise 12 and Red Hat Enterprise Linux 7 is ``SHA512`` and the tasks
+in the security role ensure that the default is maintained.
 
 Deployers can configure a different password storage mechanism by setting the
 following Ansible variable:

doc/metadata/rhel7/V-71923.rst

@@ -8,7 +8,8 @@ The role ensures that ``crypt_style`` is set to ``sha512`` in
 ``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise
 Linux 7.
 
-Ubuntu does not use ``libuser``, so this change is not applicable.
+Ubuntu, openSUSE and SUSE Linux Enterprise 12 do not use ``libuser``, so this change
+is not applicable.
 
 Deployers can opt out of this change by setting the following Ansible variable:
 

doc/metadata/rhel7/V-71937.rst

@@ -10,6 +10,7 @@ from one of the PAM configuration files:
 
 * CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth``
 * Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth``
+* openSUSE Leap or SLE: remove ``nullok`` from ``/etc/pam.d/common-auth`` and ``/etc/pam.d/common-password``
 
 Deployers can opt-out of this change by setting the following Ansible variable:
 

doc/metadata/rhel7/V-71945.rst

@@ -40,5 +40,5 @@ Ansible variables:
 
 .. note::
 
-    Ubuntu does not provide ``pam_faillock``. This change is only applied to
-    CentOS 7 or Red Hat Enterprise Linux 7 systems.
+    Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide ``pam_faillock``.
+    This change is only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems.

doc/metadata/rhel7/V-71969.rst

@@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
 
 * CentOS: ``ypserv``
 * Ubuntu: ``nis``
+* openSUSE Leap: ``ypserv``
 
 Deployers can opt-out of this change by setting the following Ansible variable:
 

doc/metadata/rhel7/V-71977.rst

@@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the
 ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
 with ``yum``.
 
+On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the
+``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed
+with ``zypper``.
+
 Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
 ``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
-in ``/etc/yum.conf`` on CentOS systems.
+in ``/etc/yum.conf`` or ``/etc/zypp/zypp.conf`` on CentOS and openSUSE Leap systems
+respectively.

doc/metadata/rhel7/V-71979.rst

@@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in
 the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
 locally with ``yum``.
 
+On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the
+``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed
+with ``zypper``.
+
 Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
 ``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
-``/etc/yum.conf`` on CentOS systems.
+``/etc/yum.conf`` on CentOS systems. Similarly, on openSUSE Leap systems, it will set
+``gpgcheck=0`` in ``/etc/zypp/zypp.conf``.

doc/metadata/rhel7/V-71989.rst

@@ -7,8 +7,8 @@ tag: lsm
 The tasks in the security role enable the appropriate Linux Security Module
 (LSM) for the operating system.
 
-For Ubuntu systems, AppArmor is installed and enabled. This change takes
-effect immediately.
+For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and
+enabled. This change takes effect immediately.
 
 For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in
 enforcing mode) and its user tools are automatically installed. If SELinux is

doc/metadata/rhel7/V-71991.rst

@@ -5,8 +5,8 @@ tag: misc
 ---
 
 The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems.
-AppArmor only has one set of policies, so this change has no effect on Ubuntu
-systems running AppArmor.
+AppArmor only has one set of policies, so this change has no effect on Ubuntu,
+openSUSE Leap and SUSE systems running AppArmor.
 
 For more information on this change and how to opt out, refer to
 :ref:`stig-V-71989`.

doc/metadata/rhel7/V-71995.rst

@@ -1,6 +1,6 @@
 ---
 id: V-71995
-status: opt-in - Ubuntu only
+status: opt-in - Ubuntu and SUSE only
 tag: accounts
 ---
 
@@ -21,8 +21,9 @@ Ansible variable:
 
 .. note::
 
-    Ubuntu uses ``pam_umask`` and it uses the default umask provided by the
-    ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu
+    Ubuntu, openSUSE Leap and SUSE Linux Enterpsise 12 use ``pam_umask`` and it uses
+    the default umask provided by the ``UMASK`` line in ``/etc/login.defs``.
+    The default setting on Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12
     systems is ``022``. This allows the user's group and other users on the
     system to read and execute files, but they cannot write to them.
 

doc/metadata/rhel7/V-71997.rst

@@ -6,7 +6,7 @@ tag: packages
 
 The STIG requires that the current release of the operating system is still
 supported and is actively receiving security updates. Deployers are urged to
-stay current with the latest releases from Ubuntu, CentOS and Red Hat.
+stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat.
 
 The following links provide more details on end of life (EOL) dates for the
 distributions supported by this role:
@@ -14,3 +14,5 @@ distributions supported by this role:
 * `Ubuntu releases <https://wiki.ubuntu.com/Releases>`_
 * `CentOS EOL dates <https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d>`_
 * `Red Hat Enterprise Linux Life Cycle <https://access.redhat.com/support/policy/updates/errata>`_
+* `openSUSE EOL dates <https://en.opensuse.org/Lifetime>`_
+* `SUSE Linux Enterprise <https://www.suse.com/support/policy/>`_

doc/metadata/rhel7/V-71999.rst

@@ -17,4 +17,5 @@ Ansible variable:
 
 When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red
 Hat Enterprise Linux.  On Ubuntu systems, the ``unattended-upgrades`` package
-is installed and configured.
+is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems,
+a daily cronjob is installed.

doc/metadata/rhel7/V-72013.rst

@@ -16,6 +16,6 @@ Deployers can opt out of this change by setting the following Ansible variable:
 
 .. note::
 
-    On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directories are
-    always created with new users by default. Home directories are not created
-    by default on Ubuntu systems.
+    On CentOS 7, Red Hat Enterprise Linux 7 systems, openSUSE Leap and SUSE
+    Linux Enterprise 12, home directories are always created with new users by default.
+    Home directories are not created by default on Ubuntu systems.

doc/metadata/rhel7/V-72039.rst

@@ -15,5 +15,5 @@ labels are applied for the class of device.
 
     This change applies only to CentOS or Red Hat Enterprise Linux systems
     since they rely on SELinux as their default Linux Security Module (LSM).
-    Ubuntu systems use AppArmor, which uses policy files rather than labels
-    applied to individual files.
+    Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which
+    uses policy files rather than labels applied to individual files.

doc/metadata/rhel7/V-72051.rst

@@ -4,12 +4,15 @@ status: exception - manual intervention
 tag: misc
 ---
 
-Ubuntu, CentOS and Red Hat Enterprise Linux already capture the logs from cron.
+Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux
+Enterprise already capture the logs from cron.
 
 Ubuntu systems collect cron job logs into the main syslog file
 (``/var/log/syslog``) rather than separate them into their own log file.
 CentOS and Red Hat Enterprise Linux systems collect cron logs in
 ``/var/log/cron``.
+openSUSE Leap and SUSE Linux Enterprise collect cron job in
+``/var/log/messages``.
 
 Deployers should not need to adjust these configurations unless a specific
 environment requires it. The tasks in the security role do not make changes to

doc/metadata/rhel7/V-72053.rst

@@ -6,4 +6,5 @@ tag: file_perms
 
 The tasks in the security role check for the existence of ``/etc/cron.allow``
 and set both the user and group ownership to ``root``. This is the default on
-Ubuntu, CentOS, and Red Hat Enterprise Linux systems already.
+Ubuntu, CentOS, Red Hat Enterprise Linux systems, openSUSE Leap and SUSE Linux
+Enterprise 12 already.

doc/metadata/rhel7/V-72067.rst

@@ -1,11 +1,11 @@
 ---
 id: V-72067
-status: implemented - red hat only
+status: implemented - red hat and suse only
 tag: misc
 ---
 
-The tasks in the Ansible role install the ``dracut-fips`` and
-``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the
+The tasks in the Ansible role install the ``dracut-fips`` (RHEL and SLE) and
+``dracut-fips-aesni`` (RHEL) packages and check to see if FIPS is enabled on the
 system. If it is not enabled, a warning message is printed in the Ansible
 output.
 
@@ -18,6 +18,6 @@ the bootloader configuration and regenerating the initramfs.
 
 .. note::
 
-    This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu
-    does not use dracut by default and the process for enabling the FIPS
-    functionality at boot time is more complex.
+    This change only applies to CentOS, Red Hat Enterprise Linux, openSUSE Leap
+    and SUSE Linux Enterprise. Ubuntu does not use dracut by default and the process
+    for enabling the FIPS functionality at boot time is more complex.

doc/metadata/rhel7/V-72069.rst

@@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks.
 The tasks in the security role will add a small configuration block at the end
 of the AIDE configuration file to meet the requirements of this STIG, as well
 as V-72071.
+
+openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and
+extended attributes. The default configuration file is adjusted to include those
+as well.

doc/metadata/rhel7/V-72071.rst

@@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks.
 The tasks in the security role will add a small configuration block at the end
 of the AIDE configuration file to meet the requirements of this STIG, as well
 as V-72069.
+
+openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and
+extended attributes. The default configuration file is adjusted to include those
+as well.

doc/metadata/rhel7/V-72073.rst

@@ -4,9 +4,9 @@ status: implemented
 tag: aide
 ---
 
-The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7
-already uses SHA512 to validate file contents and directories. No changes are
-required on these systems.
+The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7,
+openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate
+file contents and directories. No changes are required on these systems.
 
 The tasks in the security role add a rule to end of the AIDE configuration on
 Ubuntu systems that uses SHA512 for validation.

doc/metadata/rhel7/V-72077.rst

@@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
 
 * CentOS: ``telnet-server``
 * Ubuntu: ``telnetd``
+* openSUSE Leap: ``telnet-server``
 
 Deployers can opt-out of this change by setting the following Ansible variable:
 

doc/metadata/rhel7/V-72181.rst

@@ -15,4 +15,5 @@ Deployers can opt-out of this change by setting an Ansible variable:
 
 .. note::
 
-    No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available.
+    No action is taken on Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise
+    because ``pt_chown`` is not available.

doc/metadata/rhel7/V-72215.rst

@@ -4,8 +4,9 @@ status: implemented
 tag: misc
 ---
 
-By default, CentOS 7 and Red Hat Enterprise Linux 7 check for virus database
-updates 12 times a day. Ubuntu servers have a default of 24 checks per day.
+By default, CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux
+Enterprise 12 check for virus database updates 12 times a day. Ubuntu servers
+have a default of 24 checks per day.
 
 The tasks in the security role do not adjust these defaults as they are more
 secure than the STIG's requirement.

doc/metadata/rhel7/V-72225.rst

@@ -5,8 +5,9 @@ tag: sshd
 ---
 
 The tasks in the security role deploy a standard notice and consent banner into
-``/etc/motd`` on each server. Ubuntu, CentOS and Red Hat Enterprise Linux
-display this banner after each successful login via ssh or the console.
+``/etc/motd`` on each server. Ubuntu, CentOS, Red Hat Enterprise Linux,
+openSUSE Leap and SUSE Linux Enterprise display this banner after each successful
+login via ssh or the console.
 
 Deployers can choose a different destination for the banner by setting the
 following Ansible variable:

doc/metadata/rhel7/V-72233.rst

@@ -9,3 +9,4 @@ role installs the following packages:
 
 * CentOS: ``openssh-clients``, ``openssh-server``
 * Ubuntu: ``openssh-client``, ``openssh-server``
+* openSUSE Leap: ``openssh``

doc/metadata/rhel7/V-72269.rst

@@ -7,8 +7,8 @@ tag: misc
 The tasks in the security role make the following changes on each host:
 
 * The ``chrony`` package is installed.
-* The service (``chronyd`` on Red Hat and CentOS, ``chrony`` on Ubuntu) is
-  started and enabled at boot time.
+* The service (``chronyd`` on Red Hat, CentOS, SLE and openSUSE Leap,
+  ``chrony`` on Ubuntu) is started and enabled at boot time.
 * A configuration file template is deployed that includes ``maxpoll 10`` on
   each server line.
 

doc/metadata/rhel7/V-72273.rst

@@ -19,5 +19,5 @@ Deployers can opt in for this change by setting the following Ansible variable:
 
     Deployers must pre-configure ``firewalld`` or copy over a working XML file
     in ``/etc/firewalld/zones/`` from another server. The default firewalld
-    restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly
-    restrictive.
+    restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap
+    are highly restrictive.

doc/metadata/rhel7/V-72275.rst

@@ -11,4 +11,4 @@ disruptive in some environments.
 
 Deployers should review their PAM configurations and add ``pam_lastlogin`` to
 ``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to
-``/etc/pam.d/login`` on Ubuntu.
+``/etc/pam.d/login`` on Ubuntu, openSUSE Leap and SUSE Linux Enterprise.

doc/metadata/rhel7/V-72301.rst

@@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
 
 * CentOS: ``tftp-server``
 * Ubuntu: ``tftpd``
+* openSUSE Leap: ``tftp``
 
 Deployers can opt-out of this change by setting the following Ansible variable:
 

doc/metadata/rhel7/V-72307.rst

@@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
 
 * CentOS: ``xorg-x11-server-Xorg``
 * Ubuntu: ``xorg-xserver``
+* openSUSE Leap: ``xorg-x11-server``
 
 Deployers can opt-out of this change by setting the following Ansible variable:
 

doc/source/controls-rhel7.rst

@@ -56,8 +56,8 @@ Controls are divided into groups based on the following properties:
 
 Although the STIG is specific to Red Hat Enterprise Linux 7, it also applies to
 CentOS 7 systems. In addition, almost all of the controls are easily translated
-for Ubuntu 16.04. Any deviations during translation are noted within the
-documentation below.
+for Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise 12. Any deviations
+during translation are noted within the documentation below.
 
 .. toctree::
    :maxdepth: 2

doc/source/faq.rst

@@ -47,6 +47,8 @@ servers running the following Linux distributions:
 * Ubuntu 16.04
 * CentOS 7
 * Red Hat Enterprise Linux 7
+* openSUSE Leap 42.2 and 42.3
+* SUSE Linux Enterprise 12 (experimental)
 
 The OpenStack gating system tests the role against each of these distributions
 regularly except for Red Hat Enterprise Linux 7, since it is a non-free

doc/source/index.rst

@@ -92,6 +92,8 @@ Pike
   * Ubuntu 16.04 Xenial
   * CentOS 7
   * Red Hat Enterprise Linux 7 *(partial automated test coverage)*
+  * openSUSE Leap 42.2 and 42.3
+  * SUSE Linux Enterprise 12 (*experimental*)
 
 * **Documentation:**
 

files/zypper-autoupdates

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/zypper -n dup -l

meta/main.yml

@@ -13,6 +13,11 @@ galaxy_info:
     versions:
     - trusty
     - xenial
+  - name: opensuse
+    versions:
+    - 42.1
+    - 42.2
+    - 42.3
   categories:
   - cloud
   - security

tasks/rhel7stig/aide.yml

@@ -15,9 +15,12 @@
 
 - name: Verify that AIDE configuration directory exists
   stat:
-    path: /etc/aide/aide.conf.d
+    path: "{{ item }}"
   register: aide_conf
   check_mode: no
+  with_items:
+    - /etc/aide/aide.conf.d
+    - /etc/aide.conf
   tags:
     - always
 
@@ -25,7 +28,7 @@
   template:
     src: ZZ_aide_exclusions.j2
     dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
-  when: aide_conf.stat.exists | bool
+  when: aide_conf.results[0].stat.exists | bool
   tags:
     - medium
     - aide
@@ -34,7 +37,7 @@
 # NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
 # that meets the requirements of V-72069 and V-72071. That config
 # is borrowed for Ubuntu 16.04 here.
-- name: Configure AIDE to verify additional properties
+- name: Configure AIDE to verify additional properties (Ubuntu)
   blockinfile:
     dest: "/etc/aide/aide.conf"
     insertbefore: EOF
@@ -54,7 +57,7 @@
       /bin    NORMAL
       /sbin   NORMAL
   when:
-    - aide_conf.stat.exists | bool
+    - aide_conf.results[0].stat.exists | bool
     - ansible_os_family | lower == 'debian'
   tags:
     - low
@@ -63,6 +66,24 @@
     - V-72071
     - V-72073
 
+# NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
+- name: Configure AIDE to verify additional properties (SUSE)
+  lineinfile:
+    dest: "/etc/aide.conf"
+    regexp: '(^Binlib.*= )'
+    line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
+    state: present
+    backrefs: yes
+  when:
+    - aide_conf.results[1].stat.exists | bool
+    - ansible_pkg_mgr == 'zypper'
+  tags:
+    - low
+    - aide
+    - V-72069
+    - V-72071
+    - V-72073
+
 - name: Check to see if AIDE database is already in place
   stat:
     path: "{{ aide_database_file }}"
@@ -72,12 +93,14 @@
     - always
 
 - name: Initialize AIDE (this will take a few minutes)
-  # NOTE(hwoarang): aideinit is an Ubuntu wrapper.
+  # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
+  # would be to use aideinit || aide -i but that will possibly mask
+  # genuine aideinit failures.
   shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
   changed_when: false
   register: aide_init
   when:
-    - aide_conf.stat.exists | bool
+    - aide_conf.results[0].stat.exists | bool or aide_conf.results[1].stat.exists | bool
     - not aide_database.stat.exists | bool
     - security_rhel7_initialize_aide | bool
   tags:
@@ -85,21 +108,21 @@
     - aide
     - V-71973
 
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
+# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since Ubuntu
 # copies the new AIDE database into place automatically with its AIDE wrapper
 # script.
 - name: Move AIDE database into place
-  command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
+  command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
   changed_when: false
   when:
     - aide_init | changed
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
   tags:
     - medium
     - aide
     - V-71973
 
-# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
+# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since the AIDE
 # package doesn't come with a cron job file. Ubuntu packages a cron job for
 # AIDE checks already.
 - name: Create AIDE cron job
@@ -110,7 +133,7 @@
     special_time: daily
     job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
   when:
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
   tags:
     - medium
     - aide

tasks/rhel7stig/auth.yml

@@ -65,6 +65,25 @@
     - high
     - V-71937
 
+- name: Prevent users with blank or null passwords from authenticating (SUSE)
+  lineinfile:
+    dest: "{{ item }}"
+    state: present
+    regexp: "^(.*required.*)nullok(.*)$"
+    line: '\1\2'
+    backup: yes
+    backrefs: yes
+  with_items:
+    - "{{ pam_auth_file }}"
+    - "{{ pam_password_file }}"
+  when:
+    - ansible_pkg_mgr == 'zypper'
+    - security_disallow_blank_password_login | bool
+  tags:
+    - auth
+    - high
+    - V-71937
+
 - name: Lock accounts after three failed login attempts a 15 minute period
   blockinfile:
     dest: "{{ pam_password_file }}"
@@ -73,7 +92,7 @@
     insertbefore: EOF
     block: "{{ lookup('template', 'pam_faillock.j2') }}"
   when:
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
     - security_pam_faillock_enable | bool
   tags:
     - auth

tasks/rhel7stig/file_perms.yml

@@ -21,7 +21,7 @@
   changed_when: False
   when:
     - not check_mode | bool
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
     - security_reset_perm_ownership | bool
   tags:
     - file_perms
@@ -38,7 +38,7 @@
     - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
   when:
     - not check_mode | bool
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
     - rpmverify_package_list is defined
     - rpmverify_package_list.stdout_lines | length > 0
   async: 300

tasks/rhel7stig/kernel.yml

@@ -76,7 +76,7 @@
   failed_when: False
   check_mode: no
   when:
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
   tags:
     - always
 
@@ -86,7 +86,7 @@
       FIPS is not enabled at boot time on this server.
       The STIG requires FIPS to be enabled at boot time.
   when:
-    - ansible_os_family | lower == 'redhat'
+    - ansible_pkg_mgr in ['yum', 'zypper']
     - fips_check is defined
     - fips_check.stdout != '1'
   tags:

tasks/rhel7stig/lsm.yml

@@ -19,7 +19,7 @@
   changed_when: False
   check_mode: no
   when:
-    - ansible_os_family == "Debian"
+    - ansible_pkg_mgr in ['apt', 'zypper']
   tags:
     - high
     - V-71989
@@ -30,7 +30,7 @@
     state: started
     enabled: yes
   when:
-    - ansible_os_family == "Debian"
+    - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
     - not check_mode
     - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'

tasks/rhel7stig/main.yml

@@ -44,7 +44,7 @@
   poll: 0
   when:
     - not check_mode | bool
-    - ansible_os_family | lower == 'redhat'
+    - ansible_os_family | lower in ['redhat', 'suse']
   tags:
     - always
     - skip_ansible_lint

tasks/rhel7stig/packages.yml

@@ -34,7 +34,7 @@
     - V-72301
     - V-72307
 
-- name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
+- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
   lineinfile:
     dest: "{{ pkg_mgr_config }}"
     regexp: "^(#)?clean_requirements_on_remove"
@@ -48,6 +48,20 @@
     - packages
     - V-71987
 
+- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
+  lineinfile:
+    dest: "{{ pkg_mgr_config }}"
+    regexp: '^(#)?\s*solver\.cleandepsOnRemove'
+    line: 'solver.cleandepsOnRemove = true'
+    state: present
+  when:
+    - security_package_clean_on_remove | bool
+    - ansible_pkg_mgr == 'zypper'
+  tags:
+    - low
+    - packages
+    - V-71987
+
 - name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
   lineinfile:
     dest: /etc/apt/apt.conf.d/security-autoremove
@@ -143,3 +157,15 @@
     - packages
     - cat2
     - V-71999
+
+- name: Enable automatic package updates (SUSE)
+  copy:
+    src: zypper-autoupdates
+    dest: /etc/cron.daily/zypper-autoupdates
+  when:
+    - ansible_pkg_mgr == 'zypper'
+    - security_rhel7_automatic_package_updates | bool
+  tags:
+    - packages
+    - cat2
+    - V-71999

tasks/rhel7stig/zypper.yml

@@ -0,0 +1,79 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+# Copyright 2017, SUSE LINUX GmbH.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure RPM verification task has finished
+  async_status:
+    jid: "{{ rpmverify_task.ansible_job_id }}"
+  failed_when: False
+  changed_when: False
+  register: job_result
+  until: job_result.finished
+  retries: 30
+  when:
+    - not rpmverify_task | skipped
+
+- name: V-71855 - Get files with invalid checksums (rpm)
+  shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+  register: invalid_checksum_files
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_pkg_mgr == 'zypper'
+  tags:
+    - rpm
+    - high
+    - V-71855
+
+- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
+  debug:
+    msg: |
+      The following files have checksums that differ from the checksum provided
+      with their package. Each of these should be verified manually to ensure
+      they have not been modified by an unauthorized user.
+
+      {% for filename in invalid_checksum_files.stdout_lines %}
+        {{ filename }}
+      {% endfor %}
+  when:
+    - not check_mode | bool
+    - ansible_pkg_mgr == 'zypper'
+    - invalid_checksum_files is defined
+    - invalid_checksum_files.stdout is defined
+  tags:
+    - rpm
+    - high
+    - V-71855
+
+- name: Determine all SUSE repositories
+  shell: ls /etc/zypp/repos.d/*.repo
+  changed_when: false
+  register: all_zypper_repositories
+
+- name: V-71977 - Require digital signatures for all packages and repositories
+  lineinfile:
+    dest: "{{ item }}"
+    regexp: '^(#)?\s*gpgcheck'
+    line: "gpgcheck=1"
+    state: present
+  with_items:
+    - "{{ all_zypper_repositories.stdout_lines | default([]) }}"
+    - "{{ pkg_mgr_config }}"
+  tags:
+    - rpm
+    - high
+    - V-71977
+    - V-71979
+    - V-71981

vars/debian.yml

@@ -33,6 +33,7 @@ grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
 grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
+aide_database_out_file: /var/lib/aide/aide.db.new
 chrony_conf_file: /etc/chrony/chrony.conf
 daemon_init_params_file: /etc/init.d/rc
 

vars/redhat.yml

@@ -29,6 +29,7 @@ grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' '
 grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
+aide_database_out_file: /var/lib/aide/aide.db.new.gz
 chrony_conf_file: /etc/chrony.conf
 daemon_init_params_file: /etc/init.d/functions
 pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"

vars/suse.yml

@@ -0,0 +1,102 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+# Copyright 2017, SUSE LINUX GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Variables for openSUSE
+#
+# For more details, see 'vars/main.yml'.
+
+# Configuration file paths
+pam_auth_file: /etc/pam.d/common-auth
+pam_password_file: /etc/pam.d/common-password
+pam_postlogin_file: /etc/pam.d/login
+vsftpd_conf_file: /etc/vsftpd.conf
+grub_conf_file: /boot/grub2/grub.cfg
+# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
+# create the EFI distro directory. Since this information is not available on
+# Ansible, we have to improvise a bit...
+grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
+grub_defaults_file: /etc/default/grub
+aide_cron_job_path: /etc/cron.daily/aide
+aide_database_file: /var/lib/aide/aide.db
+aide_database_out_file: /var/lib/aide/aide.db.new
+chrony_conf_file: /etc/chrony.conf
+daemon_init_params_file: /etc/rc.status
+pkg_mgr_config: /etc/zypp/zypp.conf
+
+# Service names
+cron_service: crond
+ssh_service: sshd
+chrony_service: chronyd
+clamav_service: 'clamd'
+
+# Commands
+grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
+ssh_keysign_path: /usr/lib/ssh
+
+# Other configuration
+security_interactive_user_minimum_uid: 1000
+
+# RHEL 7 STIG: Packages to add/remove
+stig_packages_rhel7:
+  - packages:
+      - audit-audispd-plugins
+      - audit
+      - aide
+      - dracut-fips
+      - openssh
+      - screen
+    state: "{{ security_package_state }}"
+    enabled: True
+  - packages:
+      - apparmor-parser
+      - apparmor-profiles
+      - apparmor-utils
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_linux_security_module }}"
+  - packages:
+      - chrony
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_chrony }}"
+  - packages:
+      - clamav
+      - clamav-database
+      - monitoring-plugins-clamav
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_rsh_server }}"
+  - packages:
+      - telnet-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_telnet_server }}"
+  - packages:
+      - tftp
+    state: absent
+    enabled: "{{ security_rhel7_remove_tftp_server }}"
+  - packages:
+      - xorg-x11-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_xorg }}"
+  - packages:
+      - ypserv
+    state: absent
+    enabled: "{{ security_rhel7_remove_ypserv }}"