fa2800419e
This patch migrates all of the remaining non-unique variable names in the security role to a pattern that begins with `security_*`. This will reduce potential variable collisions with other roles. This is a breaking change for deployers and users who are moving from the liberty or stable/mitaka branches to master. Release notes are included with additional details to help with the transition. Closes-Bug: 1578326 Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189
185 lines
4.4 KiB
YAML
185 lines
4.4 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: V-38443 - The /etc/gshadow file must be owned by root
|
|
file:
|
|
dest: /etc/gshadow
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38443
|
|
|
|
- name: V-38448 - The /etc/gshadow file must be group-owned by root
|
|
file:
|
|
dest: /etc/gshadow
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38448
|
|
|
|
- name: V-38449 - The /etc/gshadow file must have mode 0000
|
|
file:
|
|
dest: /etc/gshadow
|
|
mode: 0000
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38449
|
|
|
|
- name: V-38458 - The /etc/group file must be owned by root
|
|
file:
|
|
dest: /etc/group
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38458
|
|
|
|
- name: V-38459 - The /etc/group file must be group-owned by root
|
|
file:
|
|
dest: /etc/group
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38459
|
|
|
|
- name: V-38461 - The /etc/group file must have mode 0644 or less
|
|
file:
|
|
dest: /etc/group
|
|
mode: 0644
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38461
|
|
|
|
- name: V-38493 - Audit log directories must have mode 0755 or less
|
|
file:
|
|
dest: /var/log/audit/
|
|
state: directory
|
|
mode: 0750
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38493
|
|
|
|
- name: V-38502 - The /etc/shadow file must be owned by root
|
|
file:
|
|
dest: /etc/shadow
|
|
owner: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38502
|
|
|
|
- name: V-38503 - The /etc/shadow file must be group-owned by root
|
|
file:
|
|
dest: /etc/shadow
|
|
group: root
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38503
|
|
|
|
- name: V-38504 - The /etc/shadow file must have mode 0000
|
|
file:
|
|
dest: /etc/shadow
|
|
mode: 0000
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38504
|
|
|
|
# This change will go into effect on the next log rotation.
|
|
- name: V-38623 - All rsyslog-generated files must have mode 0600 or less
|
|
lineinfile:
|
|
dest: /etc/rsyslog.conf
|
|
regexp: "^(#)?\\$FileCreateMode"
|
|
line: "$FileCreateMode 0600"
|
|
notify:
|
|
- restart rsyslog
|
|
tags:
|
|
- file_perms
|
|
- cat2
|
|
- V-38623
|
|
|
|
# BEGIN: UMASK ADJUSTMENTS ####################################################
|
|
# Please read the documentation and the comments in defaults/main.yml prior
|
|
# to making any umask-related changes.
|
|
|
|
# Ubuntu 14.04's default umask in /etc/init.d/rc is 022 already.
|
|
- name: V-38642 - System default umask for daemons must be 027 or 022
|
|
lineinfile:
|
|
dest: /etc/init.d/rc
|
|
regexp: "^umask "
|
|
line: "umask {{ security_umask_daemons_init }}"
|
|
when: security_umask_daemons_init is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38642
|
|
|
|
# Ubuntu 14.04's default umask in /etc/login.defs is 022
|
|
- name: V-38645 - System default umask in /etc/login.defs must be 077
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^UMASK"
|
|
line: "UMASK {{ security_umask_login_defs }}"
|
|
when: security_umask_login_defs is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38645
|
|
|
|
# Ubuntu 14.04 and openstack-ansible don't install csh by default. We will
|
|
# check if csh is installed and then apply the umask setting if needed.
|
|
- name: Check if csh is installed (for V-38649)
|
|
shell: dpkg --status csh | grep ^Status | grep "ok installed"
|
|
register: v38649_result
|
|
changed_when: False
|
|
failed_when: False
|
|
when: security_umask_csh is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38649
|
|
|
|
- name: V-38649 - System default umask for csh must be 077
|
|
lineinfile:
|
|
dest: /etc/csh.cshrc
|
|
regexp: "^(#)?umask"
|
|
line: "umask {{ security_umask_csh }}"
|
|
create: yes
|
|
when: security_umask_csh is defined and v38649_result.rc == 0
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38649
|
|
|
|
- name: V-38651 - System default umask for bash must be 077
|
|
lineinfile:
|
|
dest: /etc/bash.bashrc
|
|
regexp: "^(#)?umask"
|
|
line: "umask {{ security_umask_bash }}"
|
|
when: security_umask_bash is defined
|
|
tags:
|
|
- file_perms
|
|
- cat3
|
|
- V-38651
|
|
|
|
# END: UMASK ADJUSTMENTS ######################################################
|