Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions, especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
parent 93d05c5024
commit f422da8599
@ -13,6 +13,8 @@ to systems running the following distributions:
|
||||
* Ubuntu 14.04 *(deprecated)*
|
||||
* Ubuntu 16.04
|
||||
* Red Hat Enterprise Linux 7
|
||||
* openSUSE Leap 42.2 and 42.3
|
||||
* SUSE Linux Enterprise 12 (*experimental*)
|
||||
|
||||
For more details, review the
|
||||
[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).
|
||||
|
@ -4,8 +4,8 @@ status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
||||
Ansible tasks will check the ``rpm -Va`` output (on CentOS and RHEL) or the
|
||||
output of ``debsums`` (on Ubuntu) to see if any files installed from packages
|
||||
Ansible tasks will check the ``rpm -Va`` output (on CentOS, RHEL, openSUSE and SLE) or
|
||||
the output of ``debsums`` (on Ubuntu) to see if any files installed from packages
|
||||
have been altered. The tasks will print a list of files that have changed
|
||||
since their package was installed.
|
||||
|
||||
|
@ -4,9 +4,9 @@ status: implemented
|
||||
tag: accounts
|
||||
---
|
||||
|
||||
The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
|
||||
Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that
|
||||
the default is maintained.
|
||||
The default password storage mechanism for Ubuntu 16.04, CentOS 7, openSUSE Leap,
|
||||
SUSE Linux Enterprise 12 and Red Hat Enterprise Linux 7 is ``SHA512`` and the tasks
|
||||
in the security role ensure that the default is maintained.
|
||||
|
||||
Deployers can configure a different password storage mechanism by setting the
|
||||
following Ansible variable:
|
||||
|
@ -8,7 +8,8 @@ The role ensures that ``crypt_style`` is set to ``sha512`` in
|
||||
``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise
|
||||
Linux 7.
|
||||
|
||||
Ubuntu does not use ``libuser``, so this change is not applicable.
|
||||
Ubuntu, openSUSE and SUSE Linux Enterprise 12 do not use ``libuser``, so this change
|
||||
is not applicable.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
|
@ -10,6 +10,7 @@ from one of the PAM configuration files:
|
||||
|
||||
* CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth``
|
||||
* Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth``
|
||||
* openSUSE Leap or SLE: remove ``nullok`` from ``/etc/pam.d/common-auth`` and ``/etc/pam.d/common-password``
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
|
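Review bot: the new bullet "openSUSE Leap or SLE: remove ``nullok``" should read "removes" so it is parallel with the CentOS/RHEL and Ubuntu bullets above it.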
@ -40,5 +40,5 @@ Ansible variables:
|
||||
|
||||
.. note::
|
||||
|
||||
Ubuntu does not provide ``pam_faillock``. This change is only applied to
|
||||
CentOS 7 or Red Hat Enterprise Linux 7 systems.
|
||||
Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide ``pam_faillock``.
|
||||
This change is only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems.
|
||||
|
@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
|
||||
|
||||
* CentOS: ``ypserv``
|
||||
* Ubuntu: ``nis``
|
||||
* openSUSE Leap: ``ypserv``
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
|
@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the
|
||||
``/etc/yum.conf`` file. This enables GPG checks for all packages installed
|
||||
with ``yum``.
|
||||
|
||||
On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the
|
||||
``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed
|
||||
with ``zypper``.
|
||||
|
||||
Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
|
||||
``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
|
||||
in ``/etc/yum.conf`` on CentOS systems.
|
||||
in ``/etc/yum.conf`` or ``/etc/zypp/zypp.conf`` on CentOS and openSUSE Leap systems
|
||||
respectively.
|
||||
|
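Review bot: the openSUSE paragraph only mentions ``/etc/zypp/zypp.conf``, but the new V-71977 task in tasks/rhel7stig/zypper.yml also writes ``gpgcheck=1`` into every ``/etc/zypp/repos.d/*.repo`` file; the documentation should say so, since deployers will see their repository files modified.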
@ -12,6 +12,11 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in
|
||||
the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
|
||||
locally with ``yum``.
|
||||
|
||||
On openSUSE Leap systems, the tasks set the ``gpgcheck`` option to ``1`` in the
|
||||
``/etc/zypp/zypp.conf`` file. This enables GPG checks for all packages installed
|
||||
with ``zypper``.
|
||||
|
||||
Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
|
||||
``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
|
||||
``/etc/yum.conf`` on CentOS systems.
|
||||
``/etc/yum.conf`` on CentOS systems. Similarly, on openSUSE Leap systems, it will set
|
||||
``gpgcheck=0`` in ``/etc/zypp/zypp.conf``.
|
||||
|
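Review bot: this page and the V-71977 page now both say the openSUSE tasks set the same ``gpgcheck`` key in ``/etc/zypp/zypp.conf``, and the closing sentence promises that ``security_enable_gpgcheck_packages_local: no`` sets ``gpgcheck=0`` there. zypper has no separate local-package check, so on SUSE the two variables drive one setting and can contradict each other; either state that the ``_local`` variable has no effect on SUSE or document which variable wins.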
@ -7,8 +7,8 @@ tag: lsm
|
||||
The tasks in the security role enable the appropriate Linux Security Module
|
||||
(LSM) for the operating system.
|
||||
|
||||
For Ubuntu systems, AppArmor is installed and enabled. This change takes
|
||||
effect immediately.
|
||||
For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and
|
||||
enabled. This change takes effect immediately.
|
||||
|
||||
For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in
|
||||
enforcing mode) and its user tools are automatically installed. If SELinux is
|
||||
|
@ -5,8 +5,8 @@ tag: misc
|
||||
---
|
||||
|
||||
The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems.
|
||||
AppArmor only has one set of policies, so this change has no effect on Ubuntu
|
||||
systems running AppArmor.
|
||||
AppArmor only has one set of policies, so this change has no effect on Ubuntu,
|
||||
openSUSE Leap and SUSE systems running AppArmor.
|
||||
|
||||
For more information on this change and how to opt out, refer to
|
||||
:ref:`stig-V-71989`.
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
id: V-71995
|
||||
status: opt-in - Ubuntu only
|
||||
status: opt-in - Ubuntu and SUSE only
|
||||
tag: accounts
|
||||
---
|
||||
|
||||
@ -21,8 +21,9 @@ Ansible variable:
|
||||
|
||||
.. note::
|
||||
|
||||
Ubuntu uses ``pam_umask`` and it uses the default umask provided by the
|
||||
``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu
|
||||
Ubuntu, openSUSE Leap and SUSE Linux Enterpsise 12 use ``pam_umask`` and it uses
|
||||
the default umask provided by the ``UMASK`` line in ``/etc/login.defs``.
|
||||
The default setting on Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12
|
||||
systems is ``022``. This allows the user's group and other users on the
|
||||
system to read and execute files, but they cannot write to them.
|
||||
|
||||
|
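Review bot: typo in the first added line of the note, "SUSE Linux Enterpsise 12" should be "SUSE Linux Enterprise 12" (the spelling on the following line is correct).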
@ -6,7 +6,7 @@ tag: packages
|
||||
|
||||
The STIG requires that the current release of the operating system is still
|
||||
supported and is actively receiving security updates. Deployers are urged to
|
||||
stay current with the latest releases from Ubuntu, CentOS and Red Hat.
|
||||
stay current with the latest releases from Ubuntu, SUSE, CentOS and Red Hat.
|
||||
|
||||
The following links provide more details on end of life (EOL) dates for the
|
||||
distributions supported by this role:
|
||||
@ -14,3 +14,5 @@ distributions supported by this role:
|
||||
* `Ubuntu releases <https://wiki.ubuntu.com/Releases>`_
|
||||
* `CentOS EOL dates <https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d>`_
|
||||
* `Red Hat Enterprise Linux Life Cycle <https://access.redhat.com/support/policy/updates/errata>`_
|
||||
* `openSUSE EOL dates <https://en.opensuse.org/Lifetime>`_
|
||||
* `SUSE Linux Enterprise <https://www.suse.com/support/policy/>`_
|
||||
|
@ -17,4 +17,5 @@ Ansible variable:
|
||||
|
||||
When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red
|
||||
Hat Enterprise Linux. On Ubuntu systems, the ``unattended-upgrades`` package
|
||||
is installed and configured.
|
||||
is installed and configured. On openSUSE Leap and SUSE Linux Enterprise systems,
|
||||
a daily cronjob is installed.
|
||||
|
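Review bot: "a daily cronjob is installed" should say what the job does, since the behaviour differs from ``yum-cron`` and ``unattended-upgrades``: the added files/zypper-autoupdates script runs ``zypper -n dup -l``, a full distribution upgrade with automatic licence acceptance, not a security-patch run. Suggest naming the script and the command here so deployers can judge whether to opt in.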
@ -16,6 +16,6 @@ Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. note::
|
||||
|
||||
On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directories are
|
||||
always created with new users by default. Home directories are not created
|
||||
by default on Ubuntu systems.
|
||||
On CentOS 7, Red Hat Enterprise Linux 7 systems, openSUSE Leap and SUSE
|
||||
Linux Enterprise 12, home directories are always created with new users by default.
|
||||
Home directories are not created by default on Ubuntu systems.
|
||||
|
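Review bot: the rewritten sentence reads awkwardly because "systems" is attached to only one distribution: "On CentOS 7, Red Hat Enterprise Linux 7 systems, openSUSE Leap and SUSE Linux Enterprise 12, home directories ...". Suggest "On CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux Enterprise 12 systems, home directories are always created with new users by default."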
@ -15,5 +15,5 @@ labels are applied for the class of device.
|
||||
|
||||
This change applies only to CentOS or Red Hat Enterprise Linux systems
|
||||
since they rely on SELinux as their default Linux Security Module (LSM).
|
||||
Ubuntu systems use AppArmor, which uses policy files rather than labels
|
||||
applied to individual files.
|
||||
Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which
|
||||
uses policy files rather than labels applied to individual files.
|
||||
|
@ -4,12 +4,15 @@ status: exception - manual intervention
|
||||
tag: misc
|
||||
---
|
||||
|
||||
Ubuntu, CentOS and Red Hat Enterprise Linux already capture the logs from cron.
|
||||
Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux
|
||||
Enterprise already capture the logs from cron.
|
||||
|
||||
Ubuntu systems collect cron job logs into the main syslog file
|
||||
(``/var/log/syslog``) rather than separate them into their own log file.
|
||||
CentOS and Red Hat Enterprise Linux systems collect cron logs in
|
||||
``/var/log/cron``.
|
||||
openSUSE Leap and SUSE Linux Enterprise collect cron job in
|
||||
``/var/log/messages``.
|
||||
|
||||
Deployers should not need to adjust these configurations unless a specific
|
||||
environment requires it. The tasks in the security role do not make changes to
|
||||
|
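Review bot: the added sentence "openSUSE Leap and SUSE Linux Enterprise collect cron job in ``/var/log/messages``" is missing a word; suggest "collect cron job logs in ``/var/log/messages``" to match the Ubuntu sentence above it.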
@ -6,4 +6,5 @@ tag: file_perms
|
||||
|
||||
The tasks in the security role check for the existence of ``/etc/cron.allow``
|
||||
and set both the user and group ownership to ``root``. This is the default on
|
||||
Ubuntu, CentOS, and Red Hat Enterprise Linux systems already.
|
||||
Ubuntu, CentOS, Red Hat Enterprise Linux systems, openSUSE Leap and SUSE Linux
|
||||
Enterprise 12 already.
|
||||
|
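Review bot: the list in the changed sentence places "systems" in the middle: "Ubuntu, CentOS, Red Hat Enterprise Linux systems, openSUSE Leap and SUSE Linux Enterprise 12 already." Suggest "This is the default on Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise 12 systems already."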
@ -1,11 +1,11 @@
|
||||
---
|
||||
id: V-72067
|
||||
status: implemented - red hat only
|
||||
status: implemented - red hat and suse only
|
||||
tag: misc
|
||||
---
|
||||
|
||||
The tasks in the Ansible role install the ``dracut-fips`` and
|
||||
``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the
|
||||
The tasks in the Ansible role install the ``dracut-fips`` (RHEL and SLE) and
|
||||
``dracut-fips-aesni`` (RHEL) packages and check to see if FIPS is enabled on the
|
||||
system. If it is not enabled, a warning message is printed in the Ansible
|
||||
output.
|
||||
|
||||
@ -18,6 +18,6 @@ the bootloader configuration and regenerating the initramfs.
|
||||
|
||||
.. note::
|
||||
|
||||
This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu
|
||||
does not use dracut by default and the process for enabling the FIPS
|
||||
functionality at boot time is more complex.
|
||||
This change only applies to CentOS, Red Hat Enterprise Linux, openSUSE Leap
|
||||
and SUSE Linux Enterprise. Ubuntu does not use dracut by default and the process
|
||||
for enabling the FIPS functionality at boot time is more complex.
|
||||
|
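Review bot: the note now says the change applies to openSUSE Leap, but the first paragraph of the same page says ``dracut-fips`` is installed on "(RHEL and SLE)" only, and the status line reads "red hat and suse only". The two paragraphs should agree on whether openSUSE Leap is covered; if it is, say so in the package sentence as well.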
@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks.
|
||||
The tasks in the security role will add a small configuration block at the end
|
||||
of the AIDE configuration file to meet the requirements of this STIG, as well
|
||||
as V-72071.
|
||||
|
||||
openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and
|
||||
extended attributes. The default configuration file is adjusted to include those
|
||||
as well.
|
||||
|
@ -12,3 +12,7 @@ However, Ubuntu lacks the rules that include ACL and extended attribute checks.
|
||||
The tasks in the security role will add a small configuration block at the end
|
||||
of the AIDE configuration file to meet the requirements of this STIG, as well
|
||||
as V-72069.
|
||||
|
||||
openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and
|
||||
extended attributes. The default configuration file is adjusted to include those
|
||||
as well.
|
||||
|
@ -4,9 +4,9 @@ status: implemented
|
||||
tag: aide
|
||||
---
|
||||
|
||||
The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7
|
||||
already uses SHA512 to validate file contents and directories. No changes are
|
||||
required on these systems.
|
||||
The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7,
|
||||
openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate
|
||||
file contents and directories. No changes are required on these systems.
|
||||
|
||||
The tasks in the security role add a rule to end of the AIDE configuration on
|
||||
Ubuntu systems that uses SHA512 for validation.
|
||||
|
@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
|
||||
|
||||
* CentOS: ``telnet-server``
|
||||
* Ubuntu: ``telnetd``
|
||||
* openSUSE Leap: ``telnet-server``
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
|
@ -15,4 +15,5 @@ Deployers can opt-out of this change by setting an Ansible variable:
|
||||
|
||||
.. note::
|
||||
|
||||
No action is taken on Ubuntu 16.04 because ``pt_chown`` is not available.
|
||||
No action is taken on Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise
|
||||
because ``pt_chown`` is not available.
|
||||
|
@ -4,8 +4,9 @@ status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
||||
By default, CentOS 7 and Red Hat Enterprise Linux 7 check for virus database
|
||||
updates 12 times a day. Ubuntu servers have a default of 24 checks per day.
|
||||
By default, CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux
|
||||
Enterprise 12 check for virus database updates 12 times a day. Ubuntu servers
|
||||
have a default of 24 checks per day.
|
||||
|
||||
The tasks in the security role do not adjust these defaults as they are more
|
||||
secure than the STIG's requirement.
|
||||
|
@ -5,8 +5,9 @@ tag: sshd
|
||||
---
|
||||
|
||||
The tasks in the security role deploy a standard notice and consent banner into
|
||||
``/etc/motd`` on each server. Ubuntu, CentOS and Red Hat Enterprise Linux
|
||||
display this banner after each successful login via ssh or the console.
|
||||
``/etc/motd`` on each server. Ubuntu, CentOS, Red Hat Enterprise Linux,
|
||||
openSUSE Leap and SUSE Linux Enterprise display this banner after each successful
|
||||
login via ssh or the console.
|
||||
|
||||
Deployers can choose a different destination for the banner by setting the
|
||||
following Ansible variable:
|
||||
|
@ -9,3 +9,4 @@ role installs the following packages:
|
||||
|
||||
* CentOS: ``openssh-clients``, ``openssh-server``
|
||||
* Ubuntu: ``openssh-client``, ``openssh-server``
|
||||
* openSUSE Leap: ``openssh``
|
||||
|
@ -7,8 +7,8 @@ tag: misc
|
||||
The tasks in the security role make the following changes on each host:
|
||||
|
||||
* The ``chrony`` package is installed.
|
||||
* The service (``chronyd`` on Red Hat and CentOS, ``chrony`` on Ubuntu) is
|
||||
started and enabled at boot time.
|
||||
* The service (``chronyd`` on Red Hat, CentOS, SLE and openSUSE Leap,
|
||||
``chrony`` on Ubuntu) is started and enabled at boot time.
|
||||
* A configuration file template is deployed that includes ``maxpoll 10`` on
|
||||
each server line.
|
||||
|
||||
|
@ -19,5 +19,5 @@ Deployers can opt in for this change by setting the following Ansible variable:
|
||||
|
||||
Deployers must pre-configure ``firewalld`` or copy over a working XML file
|
||||
in ``/etc/firewalld/zones/`` from another server. The default firewalld
|
||||
restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly
|
||||
restrictive.
|
||||
restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap
|
||||
are highly restrictive.
|
||||
|
@ -11,4 +11,4 @@ disruptive in some environments.
|
||||
|
||||
Deployers should review their PAM configurations and add ``pam_lastlogin`` to
|
||||
``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to
|
||||
``/etc/pam.d/login`` on Ubuntu.
|
||||
``/etc/pam.d/login`` on Ubuntu, openSUSE Leap and SUSE Linux Enterprise.
|
||||
|
@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
|
||||
|
||||
* CentOS: ``tftp-server``
|
||||
* Ubuntu: ``tftpd``
|
||||
* openSUSE Leap: ``tftp``
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
|
@ -9,6 +9,7 @@ installed. The package name differs between Linux distributions:
|
||||
|
||||
* CentOS: ``xorg-x11-server-Xorg``
|
||||
* Ubuntu: ``xorg-xserver``
|
||||
* openSUSE Leap: ``xorg-x11-server``
|
||||
|
||||
Deployers can opt-out of this change by setting the following Ansible variable:
|
||||
|
||||
|
@ -56,8 +56,8 @@ Controls are divided into groups based on the following properties:
|
||||
|
||||
Although the STIG is specific to Red Hat Enterprise Linux 7, it also applies to
|
||||
CentOS 7 systems. In addition, almost all of the controls are easily translated
|
||||
for Ubuntu 16.04. Any deviations during translation are noted within the
|
||||
documentation below.
|
||||
for Ubuntu 16.04, openSUSE Leap and SUSE Linux Enterprise 12. Any deviations
|
||||
during translation are noted within the documentation below.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
@ -47,6 +47,8 @@ servers running the following Linux distributions:
|
||||
* Ubuntu 16.04
|
||||
* CentOS 7
|
||||
* Red Hat Enterprise Linux 7
|
||||
* openSUSE Leap 42.2 and 42.3
|
||||
* SUSE Linux Enterprise 12 (experimental)
|
||||
|
||||
The OpenStack gating system tests the role against each of these distributions
|
||||
regularly except for Red Hat Enterprise Linux 7, since it is a non-free
|
||||
|
@ -92,6 +92,8 @@ Pike
|
||||
* Ubuntu 16.04 Xenial
|
||||
* CentOS 7
|
||||
* Red Hat Enterprise Linux 7 *(partial automated test coverage)*
|
||||
* openSUSE Leap 42.2 and 42.3
|
||||
* SUSE Linux Enterprise 12 (*experimental*)
|
||||
|
||||
* **Documentation:**
|
||||
|
||||
|
3
files/zypper-autoupdates
Executable file
@ -0,0 +1,3 @@
|
||||
#!/bin/bash
|
||||
|
||||
/usr/bin/zypper -n dup -l
|
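Review bot: ``zypper -n dup -l`` performs a non-interactive distribution upgrade and auto-accepts licences, which is a much broader action than the automatic security-update behaviour the role enables on the other distributions (``yum-cron``, ``unattended-upgrades``) and can pull in vendor changes or replace the kernel unattended. If the goal is V-71999 (install security patches), ``zypper -n patch`` or ``zypper -n up`` is the closer equivalent; otherwise the documentation should warn about the scope. The script also discards all output, so failed runs leave no trace in the cron mail or logs.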
@ -13,6 +13,11 @@ galaxy_info:
|
||||
versions:
|
||||
- trusty
|
||||
- xenial
|
||||
- name: opensuse
|
||||
versions:
|
||||
- 42.1
|
||||
- 42.2
|
||||
- 42.3
|
||||
categories:
|
||||
- cloud
|
||||
- security
|
||||
|
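Review bot: galaxy_info now advertises openSUSE 42.1, 42.2 and 42.3, but the README and index hunks in this change list support for "openSUSE Leap 42.2 and 42.3" only. Either drop 42.1 here or add it to the documented and gated list.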
@ -15,9 +15,12 @@
|
||||
|
||||
- name: Verify that AIDE configuration directory exists
|
||||
stat:
|
||||
path: /etc/aide/aide.conf.d
|
||||
path: "{{ item }}"
|
||||
register: aide_conf
|
||||
check_mode: no
|
||||
with_items:
|
||||
- /etc/aide/aide.conf.d
|
||||
- /etc/aide.conf
|
||||
tags:
|
||||
- always
|
||||
|
||||
@ -25,7 +28,7 @@
|
||||
template:
|
||||
src: ZZ_aide_exclusions.j2
|
||||
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
|
||||
when: aide_conf.stat.exists | bool
|
||||
when: aide_conf.results[0].stat.exists | bool
|
||||
tags:
|
||||
- medium
|
||||
- aide
|
||||
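Review bot: the condition ``aide_conf.results[0].stat.exists`` (and ``results[1]`` in the SUSE task further down) couples every consumer to the order of the ``with_items`` list in the stat task; reordering that list later silently swaps Ubuntu and SUSE behaviour. Two separately registered stat tasks (for example ``aide_conf_dir`` and ``aide_conf_file``), or selecting the result by ``item``, would make the intent readable at the point of use.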
@ -34,7 +37,7 @@
|
||||
# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
|
||||
# that meets the requirements of V-72069 and V-72071. That config
|
||||
# is borrowed for Ubuntu 16.04 here.
|
||||
- name: Configure AIDE to verify additional properties
|
||||
- name: Configure AIDE to verify additional properties (Ubuntu)
|
||||
blockinfile:
|
||||
dest: "/etc/aide/aide.conf"
|
||||
insertbefore: EOF
|
||||
@ -54,7 +57,7 @@
|
||||
/bin NORMAL
|
||||
/sbin NORMAL
|
||||
when:
|
||||
- aide_conf.stat.exists | bool
|
||||
- aide_conf.results[0].stat.exists | bool
|
||||
- ansible_os_family | lower == 'debian'
|
||||
tags:
|
||||
- low
|
||||
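Review bot: this task keeps ``ansible_os_family | lower == 'debian'`` while the rest of the commit replaces ``ansible_os_family`` with ``ansible_pkg_mgr`` (and the AppArmor tasks below switch the Debian check to ``ansible_pkg_mgr in ['apt', 'zypper']``). For consistency with the stated reason in the commit message, ``ansible_pkg_mgr == 'apt'`` would match the convention used elsewhere in this change.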
@ -63,6 +66,24 @@
|
||||
- V-72071
|
||||
- V-72073
|
||||
|
||||
# NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
|
||||
- name: Configure AIDE to verify additional properties (SUSE)
|
||||
lineinfile:
|
||||
dest: "/etc/aide.conf"
|
||||
regexp: '(^Binlib.*= )'
|
||||
line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
|
||||
state: present
|
||||
backrefs: yes
|
||||
when:
|
||||
- aide_conf.results[1].stat.exists | bool
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
tags:
|
||||
- low
|
||||
- aide
|
||||
- V-72069
|
||||
- V-72071
|
||||
- V-72073
|
||||
|
||||
- name: Check to see if AIDE database is already in place
|
||||
stat:
|
||||
path: "{{ aide_database_file }}"
|
||||
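Review bot: the ``backrefs`` rule replaces everything after ``Binlib ... =`` with a fixed attribute list instead of appending ``acl+xattrs``, so any site-specific tuning of that rule is overwritten on every run, and the hard-coded list must be kept in sync with whatever the SUSE package ships. If the intent is only to add the two missing checks, a regexp that matches a ``Binlib`` line lacking ``acl``/``xattrs`` and a line that appends them (for example ``'\1acl+xattrs'`` with ``regexp: '^(Binlib.*)$'`` guarded by a negative lookahead) would be less destructive.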
@ -72,12 +93,14 @@
|
||||
- always
|
||||
|
||||
- name: Initialize AIDE (this will take a few minutes)
|
||||
# NOTE(hwoarang): aideinit is an Ubuntu wrapper.
|
||||
# NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
|
||||
# would be to use aideinit || aide -i but that will possibly mask
|
||||
# genuine aideinit failures.
|
||||
shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
|
||||
changed_when: false
|
||||
register: aide_init
|
||||
when:
|
||||
- aide_conf.stat.exists | bool
|
||||
- aide_conf.results[0].stat.exists | bool or aide_conf.results[1].stat.exists | bool
|
||||
- not aide_database.stat.exists | bool
|
||||
- security_rhel7_initialize_aide | bool
|
||||
tags:
|
||||
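Review bot: this task has ``changed_when: false`` but the "Move AIDE database into place" task below is gated on ``aide_init | changed``, so the move appears never to run and the freshly generated ``aide_database_out_file`` would stay in place on CentOS/RHEL and now also on SUSE. Please confirm on a SUSE host; ``aide_init is not skipped`` (or dropping ``changed_when``) looks like the intended condition. Separately, the ``aideinit`` fallback to ``aide -i`` is fine, but the shell line deserves a short comment explaining that SUSE ships no wrapper.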
@ -85,21 +108,21 @@
|
||||
- aide
|
||||
- V-71973
|
||||
|
||||
# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since Ubuntu
|
||||
# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since Ubuntu
|
||||
# copies the new AIDE database into place automatically with its AIDE wrapper
|
||||
# script.
|
||||
- name: Move AIDE database into place
|
||||
command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
|
||||
command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- aide_init | changed
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
tags:
|
||||
- medium
|
||||
- aide
|
||||
- V-71973
|
||||
|
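Review bot: replacing ``ansible_os_family | lower == 'redhat'`` with ``ansible_pkg_mgr in ['yum', 'zypper']`` silently drops dnf-based hosts that the old check matched, while vars/redhat.yml in this same change still computes ``pkg_mgr_config`` for ``dnf``. Either add ``'dnf'`` to the list here (and in the other converted conditions: cron job, FIPS check, rpm verification, pam_faillock) or note that dnf systems are no longer supported.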
||||
# NOTE(mhayden): This is only needed for CentOS 7 and RHEL 7 since the AIDE
|
||||
# NOTE(mhayden): This is only needed for CentOS 7, RHEL 7 and SUSE since the AIDE
|
||||
# package doesn't come with a cron job file. Ubuntu packages a cron job for
|
||||
# AIDE checks already.
|
||||
- name: Create AIDE cron job
|
||||
@ -110,7 +133,7 @@
|
||||
special_time: daily
|
||||
job: "aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
tags:
|
||||
- medium
|
||||
- aide
|
||||
|
@ -65,6 +65,25 @@
|
||||
- high
|
||||
- V-71937
|
||||
|
||||
- name: Prevent users with blank or null passwords from authenticating (SUSE)
|
||||
lineinfile:
|
||||
dest: "{{ item }}"
|
||||
state: present
|
||||
regexp: "^(.*required.*)nullok(.*)$"
|
||||
line: '\1\2'
|
||||
backup: yes
|
||||
backrefs: yes
|
||||
with_items:
|
||||
- "{{ pam_auth_file }}"
|
||||
- "{{ pam_password_file }}"
|
||||
when:
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
- security_disallow_blank_password_login | bool
|
||||
tags:
|
||||
- auth
|
||||
- high
|
||||
- V-71937
|
||||
|
||||
- name: Lock accounts after three failed login attempts a 15 minute period
|
||||
blockinfile:
|
||||
dest: "{{ pam_password_file }}"
|
||||
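Review bot: the regexp ``^(.*required.*)nullok(.*)$`` only strips ``nullok`` from lines whose control field is ``required``; a ``pam_unix.so`` line using ``sufficient`` or a bracketed control such as ``[default=...]`` keeps ``nullok`` and the STIG finding remains. Unless the SUSE defaults are known to use ``required`` everywhere, match on the module instead (for example ``^(.*pam_unix\.so.*)\s+nullok(.*)$``). Also note that ``backup: yes`` is used here but not on the other ``lineinfile`` tasks in this file, which is inconsistent.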
@ -73,7 +92,7 @@
|
||||
insertbefore: EOF
|
||||
block: "{{ lookup('template', 'pam_faillock.j2') }}"
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
- security_pam_faillock_enable | bool
|
||||
tags:
|
||||
- auth
|
||||
|
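Review bot: widening this condition to ``ansible_pkg_mgr in ['yum', 'zypper']`` makes the role insert the ``pam_faillock.j2`` block into ``pam_password_file`` on SUSE, but the documentation hunk for this control states that "Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide ``pam_faillock``" and that the change is only applied to CentOS 7 or RHEL 7. One of the two is wrong; if ``pam_faillock`` is not shipped on SUSE, adding it to ``common-password`` would break logins, so this task should stay ``yum``-only until that is verified.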
@ -21,7 +21,7 @@
|
||||
changed_when: False
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
- security_reset_perm_ownership | bool
|
||||
tags:
|
||||
- file_perms
|
||||
@ -38,7 +38,7 @@
|
||||
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
- rpmverify_package_list is defined
|
||||
- rpmverify_package_list.stdout_lines | length > 0
|
||||
async: 300
|
||||
|
@ -76,7 +76,7 @@
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
tags:
|
||||
- always
|
||||
|
||||
@ -86,7 +86,7 @@
|
||||
FIPS is not enabled at boot time on this server.
|
||||
The STIG requires FIPS to be enabled at boot time.
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr in ['yum', 'zypper']
|
||||
- fips_check is defined
|
||||
- fips_check.stdout != '1'
|
||||
tags:
|
||||
|
@ -19,7 +19,7 @@
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
||||
tags:
|
||||
- high
|
||||
- V-71989
|
||||
@ -30,7 +30,7 @@
|
||||
state: started
|
||||
enabled: yes
|
||||
when:
|
||||
- ansible_os_family == "Debian"
|
||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
- not check_mode
|
||||
- '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
|
||||
|
@ -44,7 +44,7 @@
|
||||
poll: 0
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_os_family | lower in ['redhat', 'suse']
|
||||
tags:
|
||||
- always
|
||||
- skip_ansible_lint
|
||||
|
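Review bot: this condition uses ``ansible_os_family | lower in ['redhat', 'suse']`` while every other converted task in the commit uses ``ansible_pkg_mgr``, which the commit message says was chosen precisely because ``ansible_os_family`` is unreliable on SUSE with older Ansible. Use ``ansible_pkg_mgr in ['yum', 'zypper']`` here as well so the rpm verification job is started on the same hosts whose results the later tasks expect.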
@ -34,7 +34,7 @@
|
||||
- V-72301
|
||||
- V-72307
|
||||
|
||||
- name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
|
||||
- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
|
||||
lineinfile:
|
||||
dest: "{{ pkg_mgr_config }}"
|
||||
regexp: "^(#)?clean_requirements_on_remove"
|
||||
@ -48,6 +48,20 @@
|
||||
- packages
|
||||
- V-71987
|
||||
|
||||
- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
|
||||
lineinfile:
|
||||
dest: "{{ pkg_mgr_config }}"
|
||||
regexp: '^(#)?\s*solver\.cleandepsOnRemove'
|
||||
line: 'solver.cleandepsOnRemove = true'
|
||||
state: present
|
||||
when:
|
||||
- security_package_clean_on_remove | bool
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
tags:
|
||||
- low
|
||||
- packages
|
||||
- V-71987
|
||||
|
||||
- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
|
||||
lineinfile:
|
||||
dest: /etc/apt/apt.conf.d/security-autoremove
|
||||
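Review bot: when ``security_package_clean_on_remove`` is false this task is skipped rather than writing ``solver.cleandepsOnRemove = false``, so turning the variable off after a previous run does not revert the setting. Templating the value from the variable (``line: "solver.cleandepsOnRemove = {{ security_package_clean_on_remove | bool | lower }}"``) keeps zypp.conf in step with the inventory in both directions.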
@ -143,3 +157,15 @@
|
||||
- packages
|
||||
- cat2
|
||||
- V-71999
|
||||
|
||||
- name: Enable automatic package updates (SUSE)
|
||||
copy:
|
||||
src: zypper-autoupdates
|
||||
dest: /etc/cron.daily/zypper-autoupdates
|
||||
when:
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
tags:
|
||||
- packages
|
||||
- cat2
|
||||
- V-71999
|
||||
|
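Review bot: the ``copy`` task sets no ``mode``, so a freshly created ``/etc/cron.daily/zypper-autoupdates`` gets the umask default (typically 0644) regardless of the source file being marked executable in the repository, and run-parts skips non-executable entries, meaning the job never runs. Add ``mode: '0755'`` together with ``owner: root`` and ``group: root``.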
79
tasks/rhel7stig/zypper.yml
Normal file
@ -0,0 +1,79 @@
|
||||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
# Copyright 2017, SUSE LINUX GmbH.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Ensure RPM verification task has finished
|
||||
async_status:
|
||||
jid: "{{ rpmverify_task.ansible_job_id }}"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: job_result
|
||||
until: job_result.finished
|
||||
retries: 30
|
||||
when:
|
||||
- not rpmverify_task | skipped
|
||||
|
||||
- name: V-71855 - Get files with invalid checksums (rpm)
|
||||
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
|
||||
register: invalid_checksum_files
|
||||
changed_when: False
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
tags:
|
||||
- rpm
|
||||
- high
|
||||
- V-71855
|
||||
|
||||
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
|
||||
debug:
|
||||
msg: |
|
||||
The following files have checksums that differ from the checksum provided
|
||||
with their package. Each of these should be verified manually to ensure
|
||||
they have not been modified by an unauthorized user.
|
||||
|
||||
{% for filename in invalid_checksum_files.stdout_lines %}
|
||||
{{ filename }}
|
||||
{% endfor %}
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- ansible_pkg_mgr == 'zypper'
|
||||
- invalid_checksum_files is defined
|
||||
- invalid_checksum_files.stdout is defined
|
||||
tags:
|
||||
- rpm
|
||||
- high
|
||||
- V-71855
|
||||
|
||||
- name: Determine all SUSE repositories
|
||||
shell: ls /etc/zypp/repos.d/*.repo
|
||||
changed_when: false
|
||||
register: all_zypper_repositories
|
||||
|
||||
- name: V-71977 - Require digital signatures for all packages and repositories
|
||||
lineinfile:
|
||||
dest: "{{ item }}"
|
||||
regexp: '^(#)?\s*gpgcheck'
|
||||
line: "gpgcheck=1"
|
||||
state: present
|
||||
with_items:
|
||||
- "{{ all_zypper_repositories.stdout_lines | default([]) }}"
|
||||
- "{{ pkg_mgr_config }}"
|
||||
tags:
|
||||
- rpm
|
||||
- high
|
||||
- V-71977
|
||||
- V-71979
|
||||
- V-71981
|
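Review bot: the V-71977 task has no ``when`` on ``security_enable_gpgcheck_packages``, so the documented opt-out (setting it to ``no`` writes ``gpgcheck=0``) is not implemented for zypper; it also lacks the ``ansible_pkg_mgr == 'zypper'`` guard the other tasks in this file carry. The ``shell: ls /etc/zypp/repos.d/*.repo`` step fails the play on a host with no repository files (unmatched glob), so use the ``find`` module with ``patterns: '*.repo'`` or add ``failed_when: false``. Finally, ``retries: 30`` on the ``async_status`` wait has no ``delay``, so the default 5 seconds gives only 150 seconds for an ``rpm -Va`` that was started with ``async: 300``.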
@ -33,6 +33,7 @@ grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
|
||||
grub_defaults_file: /etc/default/grub
|
||||
aide_cron_job_path: /etc/cron.daily/aide
|
||||
aide_database_file: /var/lib/aide/aide.db
|
||||
aide_database_out_file: /var/lib/aide/aide.db.new
|
||||
chrony_conf_file: /etc/chrony/chrony.conf
|
||||
daemon_init_params_file: /etc/init.d/rc
|
||||
|
||||
|
@ -29,6 +29,7 @@ grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' '
|
||||
grub_defaults_file: /etc/sysconfig/grub
|
||||
aide_cron_job_path: /etc/cron.d/aide
|
||||
aide_database_file: /var/lib/aide/aide.db.gz
|
||||
aide_database_out_file: /var/lib/aide/aide.db.new.gz
|
||||
chrony_conf_file: /etc/chrony.conf
|
||||
daemon_init_params_file: /etc/init.d/functions
|
||||
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
||||
|
102
vars/suse.yml
Normal file
@ -0,0 +1,102 @@
|
||||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
# Copyright 2017, SUSE LINUX GmbH
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
## Variables for openSUSE
|
||||
#
|
||||
# For more details, see 'vars/main.yml'.
|
||||
|
||||
# Configuration file paths
|
||||
pam_auth_file: /etc/pam.d/common-auth
|
||||
pam_password_file: /etc/pam.d/common-password
|
||||
pam_postlogin_file: /etc/pam.d/login
|
||||
vsftpd_conf_file: /etc/vsftpd.conf
|
||||
grub_conf_file: /boot/grub2/grub.cfg
|
||||
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
||||
# create the EFI distro directory. Since this information is not available on
|
||||
# Ansible, we have to improvise a bit...
|
||||
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
||||
grub_defaults_file: /etc/default/grub
|
||||
aide_cron_job_path: /etc/cron.daily/aide
|
||||
aide_database_file: /var/lib/aide/aide.db
|
||||
aide_database_out_file: /var/lib/aide/aide.db.new
|
||||
chrony_conf_file: /etc/chrony.conf
|
||||
daemon_init_params_file: /etc/rc.status
|
||||
pkg_mgr_config: /etc/zypp/zypp.conf
|
||||
|
||||
# Service names
|
||||
cron_service: crond
|
||||
ssh_service: sshd
|
||||
chrony_service: chronyd
|
||||
clamav_service: 'clamd'
|
||||
|
||||
# Commands
|
||||
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||
ssh_keysign_path: /usr/lib/ssh
|
||||
|
||||
# Other configuration
|
||||
security_interactive_user_minimum_uid: 1000
|
||||
|
||||
# RHEL 7 STIG: Packages to add/remove
|
||||
stig_packages_rhel7:
|
||||
- packages:
|
||||
- audit-audispd-plugins
|
||||
- audit
|
||||
- aide
|
||||
- dracut-fips
|
||||
- openssh
|
||||
- screen
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: True
|
||||
- packages:
|
||||
- apparmor-parser
|
||||
- apparmor-profiles
|
||||
- apparmor-utils
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_rhel7_enable_linux_security_module }}"
|
||||
- packages:
|
||||
- chrony
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_rhel7_enable_chrony }}"
|
||||
- packages:
|
||||
- clamav
|
||||
- clamav-database
|
||||
- monitoring-plugins-clamav
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_enable_virus_scanner }}"
|
||||
- packages:
|
||||
- firewalld
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_enable_firewalld }}"
|
||||
- packages:
|
||||
- rsh-server
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_rsh_server }}"
|
||||
- packages:
|
||||
- telnet-server
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_telnet_server }}"
|
||||
- packages:
|
||||
- tftp
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_tftp_server }}"
|
||||
- packages:
|
||||
- xorg-x11-server
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_xorg }}"
|
||||
- packages:
|
||||
- ypserv
|
||||
state: absent
|
||||
enabled: "{{ security_rhel7_remove_ypserv }}"
|
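Review bot: ``grub_update_cmd`` references ``grub_config_file_boot``, but this file defines ``grub_conf_file`` and ``grub_conf_file_efi``; please confirm ``grub_config_file_boot`` is set elsewhere in the role (for example by a ``set_fact`` that picks the EFI or BIOS path), otherwise the grub update command is undefined on SUSE. Also, the header comment says "Variables for openSUSE" while the file is loaded for SUSE Linux Enterprise too (see the ``sles`` branch in ``grub_conf_file_efi``), and ``clamav_service: 'clamd'`` is the only quoted service name in the block.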