openstack/ansible-hardening
Code Issues Proposed changes
Files
fa11dd430b3f38b5bcd4424c0a25eb84abd529e2
ansible-hardening/tasks/misc.yml
Major Hayden fa11dd430b Add idempotency check 
This patch adds idempotency checking for the security role. It
ensures that no changes are made when the security role runs
multiple times against the same system.

Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
2016-07-22 10:52:49 -05:00

425 lines
10 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38489 - Install AIDE (with apt)
apt:
name: "{{ item }}"
state: present
with_items:
- aide
- aide-common
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38489
- name: V-38489 - Install AIDE (with yum)
yum:
name: aide
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38489
- name: Verify that AIDE configuration directory exists
stat:
path: /etc/aide/aide.conf.d
register: aide_conf
always_run: true
tags:
- always
- name: V-38489 - Exclude certain directories from AIDE and initialize DB
template:
src: ZZ_aide_exclusions.j2
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
when: aide_conf.stat.exists | bool
notify:
- initialize AIDE
tags:
- cat2
- V-38489
- name: Check for AIDE cron job (for V-38670)
stat:
path: /etc/cron.daily/aide
register: v38670_result
changed_when: False
tags:
- cat2
- V-38670
- name: V-38670 - System must detect unauthorized changes to software and information
fail:
msg: "AIDE cron job is missing"
when:
- not check_mode
- v38670_result.stat.exists == False
tags:
- cat2
- V-38670
- name: Search for .netrc files (for V-38619)
shell: find /root /home -xdev -name .netrc | wc -l
register: v38619_result
changed_when: False
always_run: True
tags:
- cat2
- V-38619
- name: V-38619 - There must be no .netrc files on the system
fail:
msg: ".netrc files found -- they must be removed"
when: v38619_result.stdout != '0'
tags:
- cat2
- V-38619
- name: V-38620 - Synchronize system clock (installing chrony with apt)
apt:
name: chrony
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (installing chrony with yum)
yum:
name: chrony
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (enable chrony)
service:
name: chrony
state: started
enabled: yes
when: not check_mode
tags:
- cat2
- V-38620
- name: Check for chrony.conf
stat:
path: /etc/chrony/chrony.conf
register: chrony_conf
tags:
- always
- V-38620
- name: V-38620 - Synchronize system clock (configuration file)
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
when: chrony_conf.stat.exists | bool
notify:
- restart chrony
tags:
- cat2
- V-38620
# The STIG only requires that logrotate is installed and configured in cron.
# The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate with apt)
apt:
name: logrotate
state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
yum:
name: logrotate
state: present
when: ansible_pkg_mgr == 'yum'
tags:
- cat3
- V-38624
- name: Check for logrotate cron job (for V-38624)
stat:
path: /etc/cron.daily/logrotate
register: v38624_result
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (verify cron job)
fail:
msg: "Cron job for logrotate is missing"
when:
- not check_mode
- not v38624_result.stat.exists | bool
tags:
- cat3
- V-38624
- name: Check if samba is installed (for V-38656)
stat:
path: /etc/samba/smb.conf
register: v38656_result
changed_when: false
tags:
- cat3
- V-38656
- name: V-38656 - System must use SMB client signing
lineinfile:
dest: /etc/samba/smb.conf
regexp: "^(;)?client signing"
line: "client signing = mandatory"
insertafter: "############ Misc ############"
when: v38656_result.stat.exists | bool
notify:
- restart samba
tags:
- cat3
- V-38656
- name: Check if SNMP daemon is installed using dpkg (for V-38660)
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
register: v38660_snmpd_apt
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38660
- name: Check if SNMP daemon is installed using rpm (for V-38660)
shell: "rpm -qi net-snmp"
register: v38660_snmpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38660
- skip_ansible_lint
- name: Set fact for SNMP being installed
set_fact:
snmpd_installed: True
when: |
(v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
(v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
# We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols.
- name: Check for insecure SNMP protocols (for V-38660)
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
register: v38660_result
changed_when: False
failed_when: False
always_run: True
when:
- snmpd_installed is defined
- snmpd_installed | bool
tags:
- cat2
- V-38660
- name: V-38660 - The snmpd service must only use SNMPv3 or newer
fail:
msg: "Insecure SNMP configuration found -- use SNMPv3 only"
when:
- not check_mode
- snmpd_installed is defined
- snmpd_installed | bool
- v38660_result.rc == 0
tags:
- cat2
- V-38660
- name: V-38675 - Process core dump must be disabled
lineinfile:
dest: /etc/security/limits.d/V-38675-coredump.conf
line: "* hard core 0"
create: yes
when: security_disable_core_dumps is defined
tags:
- cat3
- V-38675
- name: V-38684 - Maximum simultaneous logins per user
lineinfile:
dest: /etc/security/limits.d/V-38684-maxlogins.conf
line: "* hard maxlogins {{ security_max_simultaneous_logins }}"
create: yes
when: security_max_simultaneous_logins is defined
tags:
- cat3
- V-38684
- name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
register: v38599_vsftpd_apt
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
shell: "rpm -qi vsftpd"
register: v38599_vsftpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- cat3
- V-38599
- V-38702
- skip_ansible_lint
- name: Set fact for vsftpd being installed
set_fact:
vsftpd_installed: True
when: |
(v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
(v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
- name: Copy login banner (for V-38599)
copy:
src: login_banner.txt
dest: /etc/issue.net
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat2
- V-38599
- name: V-38599 - Set warning banner for FTPS/FTP logins
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?banner_file"
line: "banner_file=/etc/issue.net"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat2
- V-38599
- name: V-38702 - Enable xferlog
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_enable"
line: "xferlog_enable=YES"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Disable xferlog_std_format
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_std_format"
line: "xferlog_std_format=NO"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38702 - Enable log_ftp_protocol
lineinfile:
dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?log_ftp_protocol"
line: "log_ftp_protocol=YES"
when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify:
- restart vsftpd
tags:
- cat3
- V-38702
- name: V-38674 - X Windows must not be enabled (upstart)
lineinfile:
dest: /etc/init/rc-sysinit.conf
regexp: "^env DEFAULT_RUNLEVEL"
line: "env DEFAULT_RUNLEVEL=2"
when:
- security_disable_x_windows | bool
- not systemd_running | bool
tags:
- cat2
- V-38674
- name: V-38674 - X Windows must not be enabled (systemd)
shell: "systemctl set-default multi-user.target"
register: systemctl_default_target
changed_when: "'Created symlink' in systemctl_default_target.stdout"
when:
- security_disable_x_windows | bool
- systemd_running | bool
tags:
- cat2
- V-38674
- name: Check for unlabeled device files (for V-51379)
shell: "find /dev -context '*unlabeled_t*'"
register: v51379_unlabeled_devices
changed_when: False
always_run: True
when:
- ansible_os_family == 'RedHat'
tags:
- cat1
- V-51379
- name: V-51379 - All device files must be monitored by the Linux Security Module
fail:
msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
when:
- ansible_os_family == 'RedHat'
- v51379_unlabeled_devices.stdout is defined
- v51379_unlabeled_devices.stdout | length > 0
tags:
- cat1
- V-51379
View Git Blame Copy Permalink