openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel7stig/apt.yml
Major Hayden 4dd5e3760c
Avoid skipped package-related tasks 
This patch splits up the tasks from packages.yml into the specific
package manager task files. This should avoid some skipped tasks
during playbook runs.

Change-Id: I7baab85abbcd91f72e1f104d45df53f540b756d0
2017-07-03 11:43:18 -05:00

120 lines
3.5 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure debsums is installed
apt:
name: debsums
state: installed
- name: Gather debsums report
shell: "debsums > {{ temp_dir }}/debsums.txt"
changed_when: False
failed_when: False
when:
- not check_mode | bool
- name: V-71855 - Get files with invalid checksums (apt)
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
register: invalid_checksum_files
changed_when: False
when:
- not check_mode | bool
- ansible_os_family | lower == 'debian'
tags:
- high
- V-71855
- name: V-71855 - Create comma-separated list
set_fact:
invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
when:
- invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined
tags:
- high
- V-71855
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt)
debug:
msg: >
The following files have checksums that differ from the checksum provided
with their package. Each of these should be verified manually to ensure
they have not been modified by an unauthorized user:
{{ invalid_checksum_files_violations }}
when:
- ansible_os_family | lower == 'debian'
- invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined
tags:
- high
- V-71855
# See the documentation for V-71977 for more details on this check.
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
register: gpgcheck_result
changed_when: False
failed_when: False
check_mode: no
- name: V-71977 - Package management tool must verify authenticity of packages
debug:
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when:
- security_enable_gpgcheck_packages | bool
- gpgcheck_result.rc == 0
tags:
- high
- V-71977
- name: V-71979 - Package management tool must verify authenticity of locally-installed packages
lineinfile:
dest: /etc/dpkg/dpkg.cfg
regexp: "^(#)?no-debsig"
line: "#no-debsig"
state: present
when:
- security_enable_gpgcheck_packages_local | bool
tags:
- high
- V-71979
- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
lineinfile:
dest: /etc/apt/apt.conf.d/security-autoremove
regexp: "^(#)?APT::Get::AutomaticRemove"
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
state: present
create: yes
when:
- security_package_clean_on_remove | bool
- ansible_os_family | lower == 'debian'
tags:
- low
- packages
- V-71987
- name: Enable automatic package updates (apt)
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when:
- ansible_os_family | lower == 'debian'
- security_rhel7_automatic_package_updates | bool
tags:
- packages
- cat2
- V-71999
View Git Blame Copy Permalink