openstack/ansible-hardening
Code Issues Proposed changes
088884c731
ansible-hardening/tasks/apt.yml
Christian Berendt 09a60bf13c Remove "FAILED" from custom fail messages 
When failing with a custom message using the fail module the string
"FAILED" is already included in the output of Ansible. Adding "FAILED"
to the message itself is redundant.

This also fixes an inaccurrate fail message for an task of V-38476.

Change-Id: I10b8c6e2e661119fbdeb07a440a735b771e1e691
2016-05-27 20:43:38 +02:00

113 lines
3.5 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- auditd-apt-packages
- name: Update apt if needed
apt:
update_cache: yes
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- auditd-apt-packages
# Notes for V-38476 ###########################################################
#
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
# change or additional keys may be added in the future.
#
- name: Gather current GPG keys for apt (for V-38476)
command: apt-key list
register: v38476_result
changed_when: "v38476_result.rc != 0"
always_run: True
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
fail:
msg: "Missing Ubuntu Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags:
- package
- cat1
- V-38476
# Notes for V-38462 ###########################################################
#
# Ubuntu checks packages against GPG signatures by default. It can be turned
# off for all package installations by a setting in /etc/apt/apt.conf.d and we
# search for that here. Users can pass an argument on the apt command line
# to bypass the checks as well, but that's outside the scope of this check
# and remediation.
#
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
register: v38462_result
changed_when: False
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: Install unattended-upgrades package (for V-38481)
apt:
name: unattended-upgrades
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: Enable unattended upgrades notifications (for V-38481)
lineinfile:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
line: 'Unattended-Upgrade::Mail "root";'
when:
- security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool
tags:
- package
- cat2
- V-38481
View Git Blame Copy Permalink