ansible-hardening/tasks/misc.yml
Jean-Philippe Evrard b5b92c1abe Fix chrony daemon name for rh derivatives
RH/CentOS 7 uses chronyd rather than chrony as the service name.

Closes-Bug: 1604042

Change-Id: I69fbba7ea2d7c108f51d36b9fd4ed8cf547c517b
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
2016-07-19 15:45:48 +01:00


---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# V-38489: AIDE must be installed. The package set differs per package
# manager, so there is one install task per ansible_pkg_mgr value.
- name: V-38489 - Install AIDE (with apt)
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - aide
    - aide-common
  when: ansible_pkg_mgr == 'apt'
  tags:
    - cat2
    - V-38489

- name: V-38489 - Install AIDE (with yum)
  yum:
    name: aide
    state: present
  when: ansible_pkg_mgr == 'yum'
  tags:
    - cat2
    - V-38489

# Always-run probe: the exclusion template below is only deployed when the
# aide.conf.d drop-in directory exists on this host.
- name: Verify that AIDE configuration directory exists
  stat:
    path: /etc/aide/aide.conf.d
  register: aide_conf
  always_run: true
  tags:
    - always

# Deploys the exclusion list and notifies the 'initialize AIDE' handler so
# the database is built against the new configuration.
- name: V-38489 - Exclude certain directories from AIDE and initialize DB
  template:
    src: ZZ_aide_exclusions.j2
    dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
  when: aide_conf.stat.exists | bool
  notify:
    - initialize AIDE
  tags:
    - cat2
    - V-38489
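# V-38670: the AIDE cron job must exist so that unauthorized changes to
# software and information are detected. The stat only inspects the
# filesystem, so it is never reported as changed.
- name: Check for AIDE cron job (for V-38670)
  stat:
    path: /etc/cron.daily/aide
  register: v38670_result
  changed_when: false
  tags:
    - cat2
    - V-38670

# Fails the play when the cron job is absent. Skipped when check_mode is
# set, like the other fail tasks in this file. The condition uses the same
# 'not ... | bool' form as the logrotate check (V-38624) instead of a
# '== False' comparison.
- name: V-38670 - System must detect unauthorized changes to software and information
  fail:
    msg: "AIDE cron job is missing"
  when:
    - not check_mode
    - not v38670_result.stat.exists | bool
  tags:
    - cat2
    - V-38670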
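# V-38619: .netrc files carry cleartext credentials and must not exist.
# The search is read-only, so it is never reported as changed and it also
# runs in check mode. The pipe to wc requires the shell module.
- name: Search for .netrc files (for V-38619)
  shell: find /root /home -xdev -name .netrc | wc -l
  register: v38619_result
  changed_when: false
  always_run: true
  tags:
    - cat2
    - V-38619

# 'wc -l' prints a count, so any stdout other than '0' means files were found.
- name: V-38619 - There must be no .netrc files on the system
  fail:
    msg: ".netrc files found -- they must be removed"
  when: v38619_result.stdout != '0'
  tags:
    - cat2
    - V-38619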
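# V-38620: the system clock must be synchronized. chrony is installed with
# whichever package manager the host uses, then enabled, started and
# configured from a template.
- name: V-38620 - Synchronize system clock (installing chrony with apt)
  apt:
    name: chrony
    state: present
  when: ansible_pkg_mgr == 'apt'
  tags:
    - cat2
    - V-38620

- name: V-38620 - Synchronize system clock (installing chrony with yum)
  yum:
    name: chrony
    state: present
  when: ansible_pkg_mgr == 'yum'
  tags:
    - cat2
    - V-38620

# chrony_service carries the distribution-specific service name (chronyd on
# RH derivatives, chrony elsewhere, per the commit message). Canonical
# 'true' is used for the boolean rather than the YAML 1.1-only 'yes'.
- name: V-38620 - Synchronize system clock (enable chrony)
  service:
    name: "{{ chrony_service }}"
    state: started
    enabled: true
  when: not check_mode
  tags:
    - cat2
    - V-38620

# NOTE(review): only the Debian-style path is probed here. On a host that
# keeps the file elsewhere (for example directly under /etc) the template
# task below is silently skipped and the shipped configuration stays in
# force — confirm against the RH derivatives this role now supports.
- name: Check for chrony.conf
  stat:
    path: /etc/chrony/chrony.conf
  register: chrony_conf
  tags:
    - always
    - V-38620

- name: V-38620 - Synchronize system clock (configuration file)
  template:
    src: chrony.conf.j2
    dest: /etc/chrony/chrony.conf
  when: chrony_conf.stat.exists | bool
  notify:
    - restart chrony
  tags:
    - cat2
    - V-38620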
# The STIG only requires that logrotate is installed and configured in cron.
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
  apt:
    name: logrotate
    state: present
  when: ansible_pkg_mgr == 'apt'
  tags:
    - cat3
    - V-38624

- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
  yum:
    name: logrotate
    state: present
  when: ansible_pkg_mgr == 'yum'
  tags:
    - cat3
    - V-38624

# Probe for the daily cron entry; the fail task below reports on the result.
- name: Check for logrotate cron job (for V-38624)
  stat:
    path: /etc/cron.daily/logrotate
  register: v38624_result
  tags:
    - cat3
    - V-38624

# Fails the play when the cron job is absent; skipped when check_mode is set.
- name: V-38624 - System logs must be rotated daily (verify cron job)
  fail:
    msg: "Cron job for logrotate is missing"
  when:
    - not check_mode
    - not v38624_result.stat.exists | bool
  tags:
    - cat3
    - V-38624
# V-38656: SMB client signing must be mandatory. Samba is considered
# installed when its smb.conf exists; nothing is changed otherwise.
- name: Check if samba is installed (for V-38656)
  stat:
    path: /etc/samba/smb.conf
  register: v38656_result
  changed_when: false
  tags:
    - cat3
    - V-38656

# Replaces an existing (possibly ';'-commented) 'client signing' line, or
# inserts one after the Misc section header, then restarts samba.
- name: V-38656 - System must use SMB client signing
  lineinfile:
    dest: /etc/samba/smb.conf
    regexp: "^(;)?client signing"
    line: "client signing = mandatory"
    insertafter: "############ Misc ############"
  when: v38656_result.stat.exists | bool
  notify:
    - restart samba
  tags:
    - cat3
    - V-38656
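# V-38660: snmpd, if present, must only use SNMPv3 or newer. Installation
# is probed per package manager; both probes are read-only, never fail the
# play (failed_when: false) and run in check mode, so a missing package
# simply leaves rc non-zero.
- name: Check if SNMP daemon is installed using dpkg (for V-38660)
  shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
  register: v38660_snmpd_apt
  changed_when: false
  failed_when: false
  always_run: true
  when: ansible_pkg_mgr == 'apt'
  tags:
    - cat2
    - V-38660

- name: Check if SNMP daemon is installed using rpm (for V-38660)
  shell: "rpm -qi net-snmp"
  register: v38660_snmpd_rpm
  changed_when: false
  failed_when: false
  always_run: true
  when: ansible_pkg_mgr == 'yum'
  tags:
    - cat2
    - V-38660
    - skip_ansible_lint

# Tagged like the tasks that depend on it: an untagged task is skipped in a
# run limited to '--tags cat2' or '--tags V-38660', which would leave
# snmpd_installed undefined and silently disable the checks below.
- name: Set fact for SNMP being installed
  set_fact:
    snmpd_installed: true
  when: |
    (v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
    (v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
  tags:
    - cat2
    - V-38660

# We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols (comment lines are filtered out,
# so rc == 0 means an active insecure directive was found).
- name: Check for insecure SNMP protocols (for V-38660)
  shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
  register: v38660_result
  changed_when: false
  failed_when: false
  always_run: true
  when:
    - snmpd_installed is defined
    - snmpd_installed | bool
  tags:
    - cat2
    - V-38660

- name: V-38660 - The snmpd service must only use SNMPv3 or newer
  fail:
    msg: "Insecure SNMP configuration found -- use SNMPv3 only"
  when:
    - not check_mode
    - snmpd_installed is defined
    - snmpd_installed | bool
    - v38660_result.rc == 0
  tags:
    - cat2
    - V-38660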
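# V-38675: disable process core dumps through a limits.d drop-in that is
# created if missing.
# NOTE(review): the guard is 'is defined', not a truthiness test, so setting
# security_disable_core_dumps to false would still apply the limit — confirm
# that is intended (the variable's default is not visible in this file).
- name: V-38675 - Process core dump must be disabled
  lineinfile:
    dest: /etc/security/limits.d/V-38675-coredump.conf
    line: "* hard core 0"
    create: true
  when: security_disable_core_dumps is defined
  tags:
    - cat3
    - V-38675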
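# V-38684: cap simultaneous logins per user through a limits.d drop-in that
# is created if missing. The limit comes from
# security_max_simultaneous_logins; the task is skipped when it is unset.
- name: V-38684 - Maximum simultaneous logins per user
  lineinfile:
    dest: /etc/security/limits.d/V-38684-maxlogins.conf
    line: "* hard maxlogins {{ security_max_simultaneous_logins }}"
    create: true
  when: security_max_simultaneous_logins is defined
  tags:
    - cat3
    - V-38684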
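# Detect vsftpd (used by V-38599 and V-38702). Both probes are read-only,
# never fail the play (failed_when: false) and run in check mode; a missing
# package leaves rc non-zero.
- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
  shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
  register: v38599_vsftpd_apt
  changed_when: false
  failed_when: false
  always_run: true
  when: ansible_pkg_mgr == 'apt'
  tags:
    - cat2
    - cat3
    - V-38599
    - V-38702

- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
  shell: "rpm -qi vsftpd"
  register: v38599_vsftpd_rpm
  changed_when: false
  failed_when: false
  always_run: true
  when: ansible_pkg_mgr == 'yum'
  tags:
    - cat2
    - cat3
    - V-38599
    - V-38702
    - skip_ansible_lint

# Tagged like the tasks that depend on it: an untagged task is skipped in a
# tag-limited run, which would leave vsftpd_installed undefined and silently
# disable the V-38599 and V-38702 tasks below.
- name: Set fact for vsftpd being installed
  set_fact:
    vsftpd_installed: true
  when: |
    (v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
    (v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
  tags:
    - cat2
    - cat3
    - V-38599
    - V-38702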
# V-38599: FTP/FTPS logins must show a warning banner. The banner text is
# copied to /etc/issue.net and vsftpd is pointed at it; both tasks run only
# when the vsftpd_installed fact was set.
- name: Copy login banner (for V-38599)
  copy:
    src: login_banner.txt
    dest: /etc/issue.net
  when:
    - vsftpd_installed is defined
    - vsftpd_installed | bool
  notify:
    - restart vsftpd
  tags:
    - cat2
    - V-38599

# Replaces an existing (possibly '#'-commented) banner_file directive.
- name: V-38599 - Set warning banner for FTPS/FTP logins
  lineinfile:
    dest: "{{ vsftpd_conf_file }}"
    regexp: "^(#)?banner_file"
    line: "banner_file=/etc/issue.net"
  when:
    - vsftpd_installed is defined
    - vsftpd_installed | bool
  notify:
    - restart vsftpd
  tags:
    - cat2
    - V-38599
# V-38702: vsftpd must log transfers in protocol form. Each directive is
# set (or uncommented) in vsftpd_conf_file, and vsftpd is restarted via the
# handler. All three tasks run only when the vsftpd_installed fact was set.
- name: V-38702 - Enable xferlog
  lineinfile:
    dest: "{{ vsftpd_conf_file }}"
    regexp: "^(#)?xferlog_enable"
    line: "xferlog_enable=YES"
  when:
    - vsftpd_installed is defined
    - vsftpd_installed | bool
  notify:
    - restart vsftpd
  tags:
    - cat3
    - V-38702

- name: V-38702 - Disable xferlog_std_format
  lineinfile:
    dest: "{{ vsftpd_conf_file }}"
    regexp: "^(#)?xferlog_std_format"
    line: "xferlog_std_format=NO"
  when:
    - vsftpd_installed is defined
    - vsftpd_installed | bool
  notify:
    - restart vsftpd
  tags:
    - cat3
    - V-38702

- name: V-38702 - Enable log_ftp_protocol
  lineinfile:
    dest: "{{ vsftpd_conf_file }}"
    regexp: "^(#)?log_ftp_protocol"
    line: "log_ftp_protocol=YES"
  when:
    - vsftpd_installed is defined
    - vsftpd_installed | bool
  notify:
    - restart vsftpd
  tags:
    - cat3
    - V-38702
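# V-38674: X Windows must not start at boot. On upstart hosts the default
# runlevel is pinned to 2 in rc-sysinit.conf; on systemd hosts the default
# target is set to multi-user. Both are gated on security_disable_x_windows.
- name: V-38674 - X Windows must not be enabled (upstart)
  lineinfile:
    dest: /etc/init/rc-sysinit.conf
    regexp: "^env DEFAULT_RUNLEVEL"
    line: "env DEFAULT_RUNLEVEL=2"
  when:
    - security_disable_x_windows | bool
    - not systemd_running | bool
  tags:
    - cat2
    - V-38674

# 'command' is sufficient here: no pipes, redirects or shell expansion are
# used, so there is no reason to go through a shell.
# NOTE(review): changed_when keys on stdout; some systemd versions print the
# 'Created symlink' notice on stderr, in which case this task never reports
# a change — confirm on a target host and compare stderr too if so.
- name: V-38674 - X Windows must not be enabled (systemd)
  command: "systemctl set-default multi-user.target"
  register: systemctl_default_target
  changed_when: "'Created symlink' in systemctl_default_target.stdout"
  when:
    - security_disable_x_windows | bool
    - systemd_running | bool
  tags:
    - cat2
    - V-38674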
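# V-51379: every device file must carry an SELinux label. The find is
# read-only, so it is marked as never changed (like the other probes in this
# file) and it runs in check mode. Only RedHat-family hosts are probed, which
# is why the fail task also guards on the registered stdout being defined.
- name: Check for unlabeled device files (for V-51379)
  shell: "find /dev -context '*unlabeled_t*'"
  register: v51379_unlabeled_devices
  changed_when: false
  always_run: true
  when:
    - ansible_os_family == 'RedHat'
  tags:
    - cat1
    - V-51379

# Any output from the find is a list of unlabeled device paths; they are
# reported in the failure message.
- name: V-51379 - All device files must be monitored by the Linux Security Module
  fail:
    msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
  when:
    - ansible_os_family == 'RedHat'
    - v51379_unlabeled_devices.stdout is defined
    - v51379_unlabeled_devices.stdout | length > 0
  tags:
    - cat1
    - V-51379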