--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Generate list of services_installed shell: "find /etc/init.d/ -printf '%f\n'" register: sysv_services_installed changed_when: false always_run: True tags: - services - cat1 - cat2 - cat3 - name: Generate a list of systemd service unit files shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'" register: systemd_services_installed changed_when: false always_run: True tags: - services - cat1 - cat2 - cat3 - name: Register which services are installed depending on platform set_fact: services_installed: "{{ (systemd_running | bool) | ternary (systemd_services_installed, sysv_services_installed)}}" - name: V-38437 - Automated file system mounting tools must be disabled service: name: autofs state: stopped enabled: no when: - security_disable_autofs | bool - "'autofs' in services_installed.stdout" tags: - services - cat3 - V-38437 - name: V-38640 - The abrt service must be disabled service: name: abrtd state: stopped enabled: no when: - security_disable_abrtd | bool - "'abrtd' in services_installed.stdout" tags: - services - cat3 - V-38640 - name: V-38641 - The atd service must be disabled service: name: atd state: stopped enabled: no when: - security_disable_atd | bool - "'atd' in services_installed.stdout" tags: - services - cat3 - V-38641 - name: V-38648 - The qpidd service must be disabled service: name: qpidd state: stopped enabled: no when: - security_disable_qpidd | bool - "'qpidd' in services_installed.stdout" tags: - services - cat3 - V-38648 - name: V-38691 - The bluetooth service must be disabled service: name: bluetooth state: stopped enabled: no when: - security_disable_bluetooth | bool - "'bluetooth' in services_installed.stdout" tags: - services - cat2 - V-38691 - name: V-38582 - xinetd must be disabled if not in use service: name: xinetd state: stopped enabled: no when: - security_disable_xinetd | bool - "'xinetd' in services_installed.stdout" tags: - services - cat2 - V-38582 - name: V-38584 - xinetd must be uninstalled if not in use (apt) apt: name: xinetd state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_xinetd | bool tags: - services - cat3 - V-38584 - name: V-38584 - xinetd must be uninstalled if not in use (yum) yum: name: xinetd state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_xinetd | bool tags: - services - cat3 - V-38584 # Ubuntu's equivalent of Red Hat's ypserv package is 'nis' - name: V-38603 - Remove ypserv package with apt apt: name: "{{ ypserv_pkg }}" state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_ypserv | bool tags: - services - cat2 - V-38603 - name: V-38603 - Remove ypserv package with yum yum: name: "{{ ypserv_pkg }}" state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_ypserv | bool tags: - services - cat2 - V-38603 - name: V-38605 - The cron service must be running service: name: "{{ cron_service }}" state: started enabled: yes tags: - services - cat2 - V-38605 - name: V-38606 - The tftp-server package must not be installed unless required (apt) apt: name: "{{ tftp_pkg }}" state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_tftp_server | bool tags: - services - cat2 - V-38606 - name: V-38606 - The tftp-server package must not be installed unless required (yum) yum: name: "{{ tftp_pkg }}" state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_tftp_server | bool tags: - services - cat2 - V-38606 - name: V-38618 - avahi must be disabled service: name: avahi-daemon state: stopped enabled: no when: - security_disable_avahi | bool - "'avahi' in services_installed.stdout" tags: - services - cat3 - V-38618 - name: V-38627 - Remove LDAP servers unless required (apt) apt: name: "{{ ldap_server_pkg }}" state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_ldap_server | bool tags: - services - cat3 - V-38627 - name: V-38627 - Remove LDAP servers unless required (yum) yum: name: "{{ ldap_server_pkg }}" state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_ldap_server | bool tags: - services - cat3 - V-38627 - name: V-38650 - rdisc must be disabled service: name: rdisc state: stopped enabled: no when: - security_disable_rdisc | bool - "'rdisc' in services_installed.stdout" tags: - services - cat3 - V-38650 - name: V-38671 - Remove sendmail with apt apt: name: sendmail state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_sendmail | bool tags: - services - cat2 - V-38671 - name: V-38671 - Remove sendmail with yum yum: name: sendmail state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_sendmail | bool tags: - services - cat2 - V-38671 - name: V-38672 - netconsole must be disabled service: name: netconsole state: stopped enabled: no when: - security_disable_netconsole | bool - "'netconsole' in services_installed.stdout" tags: - services - cat3 - V-38672 - name: V-38676 - The X windows package must not be installed (apt) apt: name: "{{ xserver_pkg }}" state: absent when: - ansible_pkg_mgr == 'apt' - security_remove_xorg | bool tags: - services - cat3 - V-38676 - name: V-38676 - The X windows package must not be installed (yum) yum: name: "{{ xserver_pkg }}" state: absent when: - ansible_pkg_mgr == 'yum' - security_remove_xorg | bool tags: - services - cat3 - V-38676