ansible-hardening/tasks/rhel7stig/misc.yml

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Check autofs service
  command: systemctl status autofs # noqa: command-instead-of-module
  register: autofs_check
  failed_when: autofs_check.rc not in [0,3,4]
  changed_when: False
  check_mode: no
  tags:
    - always

- name: V-71985 - File system automounter must be disabled unless required.
  service:
    name: autofs
    state: stopped
    enabled: no
  when:
    - autofs_check.rc not in [3,4]
    - security_rhel7_disable_autofs | bool
  tags:
    - medium
    - misc
    - V-71985

# NOTE(noonedeadpunk): We run this twice because of the ansible bug:
#                      https://github.com/ansible/ansible/issues/68680
# This returns an exit code of 0 if it's running, 3 if it's masked.
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  systemd:
    name: ctrl-alt-del.target
    enabled: no
  when:
    - security_rhel7_disable_ctrl_alt_delete | bool
  tags:
    - high
    - misc
    - V-71993

- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  systemd:
    name: ctrl-alt-del.target
    masked: yes
    daemon_reload: yes
  when:
    - security_rhel7_disable_ctrl_alt_delete | bool
  tags:
    - high
    - misc
    - V-71993

- name: Check for /home on mounted filesystem
  debug:
    msg: |
      The STIG requires that /home is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0
  tags:
    - low
    - misc
    - V-72059

- name: Check for /var on mounted filesystem
  debug:
    msg: |
      The STIG requires that /var is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0
  tags:
    - low
    - misc
    - V-72067

- name: Check for /var/log/audit on mounted filesystem
  debug:
    msg: |
      The STIG requires that /var/log/audit is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
  tags:
    - low
    - misc
    - V-72063

- name: Check for /tmp on mounted filesystem
  debug:
    msg: |
      The STIG requires that /tmp is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0
  tags:
    - low
    - misc
    - V-72065

- name: Check if syslog output is being sent to another server
  command: 'grep "^[^#].*@" /etc/rsyslog.conf'
  register: rsyslog_transmit_check
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - always

- name: V-72209 - The system must send rsyslog output to a log aggregation server.
  debug:
    msg: Output from syslog must be sent to another server.
  when:
    - rsyslog_transmit_check is defined
    - rsyslog_transmit_check.rc != 0
  tags:
    - medium
    - misc
    - V-72209

- name: Check if ClamAV is installed
  stat:
    path: /usr/bin/clamdscan
  register: clamav_install_check
  changed_when: False
  tags:
    - always

- name: Remove 'Example' line from ClamAV configuration files
  lineinfile:
    dest: "{{ item }}"
    regexp: "^Example"
    state: absent
  with_items:
    - /etc/freshclam.conf
    - /etc/clamd.d/scan.conf
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_facts['os_family'] | lower == 'redhat'
  notify:
    - Restart clamav
  tags:
    - misc
    - V-72213

- name: Set ClamAV server type as socket
  lineinfile:
    dest: /etc/clamd.d/scan.conf
    regexp: "^(#)?LocalSocket (.*)$"
    line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
    backrefs: yes
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_facts['os_family'] | lower == 'redhat'
  notify:
    - Restart clamav
  tags:
    - misc
    - V-72213

- name: Ensure ClamAV socket directory exists
  file:
    path: "{{ clamav_service_details['socket_path'] | dirname }}"
    owner: "{{ clamav_service_details['user'] }}"
    group: "{{ clamav_service_details['group'] }}"
    mode: "{{ clamav_service_details['mode'] }}"
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_facts['os_family'] | lower == 'redhat'
  notify:
    - Restart clamav
  tags:
    - misc
    - V-72213

- name: Allow automatic freshclam updates
  lineinfile:
    dest: /etc/sysconfig/freshclam
    regexp: "^FRESHCLAM_DELAY"
    state: absent
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_facts['os_family'] | lower == 'redhat'
  notify:
    - Restart clamav
  tags:
    - misc
    - V-72213

- name: Check if ClamAV update process is already running
  shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
  register: freshclam_proc
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - always

- name: Update ClamAV database
  command: freshclam
  changed_when: False
  when:
    - freshclam_proc.rc != 0
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - security_run_virus_scanner_update | bool
  async: 300
  poll: 5
  tags:
    - misc
    - V-72213

- name: Ensure ClamAV is running
  service:
    name: "{{ clamav_service }}"
    state: started
    enabled: yes
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
  tags:
    - misc
    - V-72213

# NOTE(mhayden): This role changed names and this task ensures that the old
# configuration block is properly removed. Without this task, /etc/profile
# will have two config blocks that set the same variable and this leads to
# errors on the command prompt. See LP bug 1736702.
# TODO(mhayden): Remove this task when the Rocky release is in development.
- name: Remove old config block for V-72223 from openstack-ansible-security
  blockinfile:
    dest: /etc/profile
    state: absent
    insertbefore: EOF
    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
  tags:
    - medium
    - misc
    - V-72223

- name: V-72223 - Set 10 minute timeout on communication sessions
  blockinfile:
    dest: /etc/profile
    state: present
    insertbefore: EOF
    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
    block: |
      # Set a {{ security_rhel7_session_timeout }} second timeout for sessions
      TMOUT={{ security_rhel7_session_timeout }}
      readonly TMOUT
      export TMOUT
  tags:
    - medium
    - misc
    - V-72223

- name: Start and enable chrony
  service:
    name: "{{ chrony_service }}"
    state: started
    enabled: yes
  when:
    - not check_mode
    - security_rhel7_enable_chrony | bool
  tags:
    - medium
    - misc
    - V-72269

- name: Check if chrony configuration file exists
  stat:
    path: "{{ chrony_conf_file }}"
  register: chrony_conf_check
  tags:
    - always

- name: V-72269 - Synchronize system clock (configuration file)
  template:
    src: chrony.conf.j2
    dest: "{{ chrony_conf_file }}"
    mode: "0644"
  when:
    - chrony_conf_check.stat.exists | bool
    - security_rhel7_enable_chrony | bool
  notify:
    - Restart chrony
  tags:
    - medium
    - misc
    - V-72269

# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
  command: systemctl status firewalld # noqa: command-instead-of-module
  register: firewalld_status_check
  failed_when: firewalld_status_check.rc not in [0,3,4]
  changed_when: False
  check_mode: no
  tags:
    - always

- name: Ensure firewalld is running and enabled
  service:
    name: firewalld
    state: started
    enabled: yes
  when:
    - firewalld_status_check.rc not in [3,4]
    - security_enable_firewalld | bool
  tags:
    - medium
    - misc
    - V-72273

- name: Limit new TCP connections to 25/minute and allow bursting to 100
  command: >-
    firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
      security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
  register: add_rate_limit_firewalld_rule
  changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
  when:
    - firewalld_status_check.rc != 3
    - security_enable_firewalld_rate_limit | bool
  tags:
    - medium
    - misc
    - V-72271

# Linting checks need to be skipped because this command doesn't create any
# files.
- name: Count nameserver entries in /etc/resolv.conf
  command: grep ^nameserver /etc/resolv.conf
  register: nameserver_check
  check_mode: no
  changed_when: False
  failed_when: False
  tags:
    - always
    - skip_ansible_lint

- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
  debug:
    msg: |
      Two or more nameservers must be configured in /etc/resolv.conf.
      Nameservers found: {{ nameserver_check.stdout_lines | length }}
  when:
    - nameserver_check is defined
    - nameserver_check.stdout_lines | length < 2
  tags:
    - low
    - misc
    - V-72281

- name: Check for interfaces in promiscuous mode
  shell: "set -o pipefail; ip link | grep -i promisc"
  register: promiscuous_interface_check
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - always

- name: V-72295 - Network interfaces must not be in promiscuous mode.
  debug:
    msg: >
      One or more network interfaces were found to be in promiscuous mode.
      Review all interfaces and disable promiscuous mode.
  when:
    - promiscuous_interface_check.rc == 0
  tags:
    - medium
    - misc
    - V-72295

- name: Check for postfix configuration file
  stat:
    path: /etc/postfix/main.cf
  register: postfix_conf_check
  tags:
    - always

- name: V-72297 - Prevent unrestricted mail relaying
  lineinfile:
    dest: /etc/postfix/main.cf
    regexp: '^smtpd_client_restrictions'
    line: 'smtpd_client_restrictions = permit_mynetworks, reject'
  when:
    - postfix_conf_check.stat.exists
    - security_rhel7_restrict_mail_relaying | bool
  tags:
    - medium
    - misc
    - V-72297

- name: Check for TFTP server configuration file
  stat:
    path: /etc/xinetd.d/tftp
  register: tftp_config_check
  check_mode: no
  tags:
    - always

- name: Check TFTP configuration mode
  command: 'grep server_args /etc/xinetd.d/tftp'
  register: tftp_secure_check
  changed_when: False
  failed_when: False
  check_mode: no
  when:
    - tftp_config_check.stat.exists
  tags:
    - always

- name: V-72305 - TFTP must be configured to operate in secure mode
  debug:
    msg: TFTP must be configured to run in secure mode with the '-s' flag.
  when:
    - tftp_config_check.stat.exists
    - "'-s' not in tftp_secure_check.stdout"
  tags:
    - medium
    - misc
    - V-72305

- name: Check to see if snmpd config contains public/private
  command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
  register: snmp_public_private_check
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - always

- name: V-72313 - Change SNMP community strings from default.
  debug:
    msg: >
      Change the SNMP community strings from the defaults of 'public' and
      'private' to meet the requirements of V-72313.
  when:
    - snmp_public_private_check.rc == 0
  tags:
    - high
    - misc
    - V-72313