--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-38489 - Install AIDE (with apt) apt: name: "{{ item }}" state: present with_items: - aide - aide-common when: ansible_pkg_mgr == 'apt' tags: - cat2 - V-38489 - name: V-38489 - Install AIDE (with yum) yum: name: aide state: present when: ansible_pkg_mgr == 'yum' tags: - cat2 - V-38489 - name: Verify that AIDE configuration directory exists stat: path: /etc/aide/aide.conf.d register: aide_conf always_run: true tags: - always - name: V-38489 - Exclude certain directories from AIDE and initialize DB template: src: ZZ_aide_exclusions.j2 dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions when: aide_conf.stat.exists | bool notify: - initialize AIDE tags: - cat2 - V-38489 - name: Check for AIDE cron job (for V-38670) stat: path: /etc/cron.daily/aide register: v38670_result changed_when: False tags: - cat2 - V-38670 - name: V-38670 - System must detect unauthorized changes to software and information fail: msg: "AIDE cron job is missing" when: - not check_mode - v38670_result.stat.exists == False tags: - cat2 - V-38670 - name: Search for .netrc files (for V-38619) shell: find /root /home -xdev -name .netrc | wc -l register: v38619_result changed_when: False always_run: True tags: - cat2 - V-38619 - name: V-38619 - There must be no .netrc files on the system fail: msg: ".netrc files found -- they must be removed" when: v38619_result.stdout != '0' tags: - cat2 - V-38619 - name: V-38620 - Synchronize system clock (installing chrony with apt) apt: name: chrony state: present when: ansible_pkg_mgr == 'apt' tags: - cat2 - V-38620 - name: V-38620 - Synchronize system clock (installing chrony with yum) yum: name: chrony state: present when: ansible_pkg_mgr == 'yum' tags: - cat2 - V-38620 - name: V-38620 - Synchronize system clock (enable chrony) service: name: "{{ chrony_service }}" state: started enabled: yes when: not check_mode tags: - cat2 - V-38620 - name: Check for chrony.conf stat: path: /etc/chrony/chrony.conf register: chrony_conf tags: - always - V-38620 - name: V-38620 - Synchronize system clock (configuration file) template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf when: chrony_conf.stat.exists | bool notify: - restart chrony tags: - cat2 - V-38620 # The STIG only requires that logrotate is installed and configured in cron. # The openstack-ansible project will configure logs to be rotated weekly and # compressed with each run. We won't change the interval here, but we will # ensure that logrotate is installed (to meet the STIG requirement). - name: V-38624 - System logs must be rotated daily (install logrotate with apt) apt: name: logrotate state: present when: ansible_pkg_mgr == 'apt' tags: - cat3 - V-38624 - name: V-38624 - System logs must be rotated daily (install logrotate with yum) yum: name: logrotate state: present when: ansible_pkg_mgr == 'yum' tags: - cat3 - V-38624 - name: Check for logrotate cron job (for V-38624) stat: path: /etc/cron.daily/logrotate register: v38624_result tags: - cat3 - V-38624 - name: V-38624 - System logs must be rotated daily (verify cron job) fail: msg: "Cron job for logrotate is missing" when: - not check_mode - not v38624_result.stat.exists | bool tags: - cat3 - V-38624 - name: Check if samba is installed (for V-38656) stat: path: /etc/samba/smb.conf register: v38656_result changed_when: false tags: - cat3 - V-38656 - name: V-38656 - System must use SMB client signing lineinfile: dest: /etc/samba/smb.conf regexp: "^(;)?client signing" line: "client signing = mandatory" insertafter: "############ Misc ############" when: v38656_result.stat.exists | bool notify: - restart samba tags: - cat3 - V-38656 - name: Check if SNMP daemon is installed using dpkg (for V-38660) shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\"" register: v38660_snmpd_apt changed_when: False failed_when: False always_run: True when: ansible_pkg_mgr == 'apt' tags: - cat2 - V-38660 - name: Check if SNMP daemon is installed using rpm (for V-38660) shell: "rpm -qi net-snmp" register: v38660_snmpd_rpm changed_when: False failed_when: False always_run: True when: ansible_pkg_mgr == 'yum' tags: - cat2 - V-38660 - skip_ansible_lint - name: Set fact for SNMP being installed set_fact: snmpd_installed: True when: | (v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or (v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0) # We shouldn't get any output from this grep since it looks for configuration # lines for the SNMP v1 and v2c protocols. - name: Check for insecure SNMP protocols (for V-38660) shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'" register: v38660_result changed_when: False failed_when: False always_run: True when: - snmpd_installed is defined - snmpd_installed | bool tags: - cat2 - V-38660 - name: V-38660 - The snmpd service must only use SNMPv3 or newer fail: msg: "Insecure SNMP configuration found -- use SNMPv3 only" when: - not check_mode - snmpd_installed is defined - snmpd_installed | bool - v38660_result.rc == 0 tags: - cat2 - V-38660 - name: V-38675 - Process core dump must be disabled lineinfile: dest: /etc/security/limits.d/V-38675-coredump.conf line: "* hard core 0" create: yes when: security_disable_core_dumps is defined tags: - cat3 - V-38675 - name: V-38684 - Maximum simultaneous logins per user lineinfile: dest: /etc/security/limits.d/V-38684-maxlogins.conf line: "* hard maxlogins {{ security_max_simultaneous_logins }}" create: yes when: security_max_simultaneous_logins is defined tags: - cat3 - V-38684 - name: Check if vsftpd installed using dpkg (for V-38599 and V-38702) shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\"" register: v38599_vsftpd_apt changed_when: False failed_when: False always_run: True when: ansible_pkg_mgr == 'apt' tags: - cat2 - cat3 - V-38599 - V-38702 - name: Check if vsftpd installed using rpm (for V-38599 and V-38702) shell: "rpm -qi vsftpd" register: v38599_vsftpd_rpm changed_when: False failed_when: False always_run: True when: ansible_pkg_mgr == 'yum' tags: - cat2 - cat3 - V-38599 - V-38702 - skip_ansible_lint - name: Set fact for vsftpd being installed set_fact: vsftpd_installed: True when: | (v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or (v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0) - name: Copy login banner (for V-38599) copy: src: login_banner.txt dest: /etc/issue.net when: - vsftpd_installed is defined - vsftpd_installed | bool notify: - restart vsftpd tags: - cat2 - V-38599 - name: V-38599 - Set warning banner for FTPS/FTP logins lineinfile: dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?banner_file" line: "banner_file=/etc/issue.net" when: - vsftpd_installed is defined - vsftpd_installed | bool notify: - restart vsftpd tags: - cat2 - V-38599 - name: V-38702 - Enable xferlog lineinfile: dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?xferlog_enable" line: "xferlog_enable=YES" when: - vsftpd_installed is defined - vsftpd_installed | bool notify: - restart vsftpd tags: - cat3 - V-38702 - name: V-38702 - Disable xferlog_std_format lineinfile: dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?xferlog_std_format" line: "xferlog_std_format=NO" when: - vsftpd_installed is defined - vsftpd_installed | bool notify: - restart vsftpd tags: - cat3 - V-38702 - name: V-38702 - Enable log_ftp_protocol lineinfile: dest: "{{ vsftpd_conf_file }}" regexp: "^(#)?log_ftp_protocol" line: "log_ftp_protocol=YES" when: - vsftpd_installed is defined - vsftpd_installed | bool notify: - restart vsftpd tags: - cat3 - V-38702 - name: V-38674 - X Windows must not be enabled (upstart) lineinfile: dest: /etc/init/rc-sysinit.conf regexp: "^env DEFAULT_RUNLEVEL" line: "env DEFAULT_RUNLEVEL=2" when: - security_disable_x_windows | bool - not systemd_running | bool tags: - cat2 - V-38674 - name: V-38674 - X Windows must not be enabled (systemd) shell: "systemctl set-default multi-user.target" register: systemctl_default_target changed_when: "'Created symlink' in systemctl_default_target.stdout" when: - security_disable_x_windows | bool - systemd_running | bool tags: - cat2 - V-38674 - name: Check for unlabeled device files (for V-51379) shell: "find /dev -context '*unlabeled_t*'" register: v51379_unlabeled_devices always_run: True when: - ansible_os_family == 'RedHat' tags: - cat1 - V-51379 - name: V-51379 - All device files must be monitored by the Linux Security Module fail: msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}" when: - ansible_os_family == 'RedHat' - v51379_unlabeled_devices.stdout is defined - v51379_unlabeled_devices.stdout | length > 0 tags: - cat1 - V-51379