Auto-fix usage of modules via FQCN

Since ansible-core 2.10 it has been recommended to use modules via their FQCN.
In order to align with this recommendation, we perform the migration
by applying the suggestions made by `ansible-lint --fix=fqcn`

Change-Id: I76bf3945bf413a8e9f0661f9aba697fdb8e993f7
This commit is contained in:
Dmitriy Rabotyagov 2025-02-13 07:54:07 +01:00
parent c774a1fb24
commit 4dbd95132c
21 changed files with 196 additions and 198 deletions


@ -18,32 +18,32 @@
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
# since it's a special service. Using the old service scripts is required.
- name: Restart auditd
command: service auditd restart # noqa: command-instead-of-module
ansible.builtin.command: service auditd restart
changed_when: false
- name: Restart chrony
service:
ansible.builtin.service:
name: "{{ chrony_service }}"
state: restarted
- name: Restart ssh
service:
ansible.builtin.service:
name: "{{ ssh_service }}"
state: restarted
- name: Restart clamav
service:
ansible.builtin.service:
name: "{{ clamav_service }}"
state: restarted
# Miscellaneous ##############################################################
- name: Generate auditd rules
command: augenrules --load
ansible.builtin.command: augenrules --load
changed_when: false
notify: restart auditd
- name: Update grub config
command: "{{ grub_update_cmd }}"
ansible.builtin.command: "{{ grub_update_cmd }}"
changed_when: false
when:
- security_enable_grub_update | bool
@ -55,10 +55,10 @@
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
# change, which breaks V-38583.
- name: Set bootloader file permissions after updating grub config
file:
ansible.builtin.file:
path: "{{ grub_config_file_boot }}"
mode: "0644"
- name: Dconf update
command: dconf update
ansible.builtin.command: dconf update
changed_when: false
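Review bot: The `# noqa: command-instead-of-module` marker on the old `command: service auditd restart` line is gone from the rewritten `ansible.builtin.command: service auditd restart`, so ansible-lint will presumably flag the `Restart auditd` handler again even though the NOTE above it explains why the service script is used on purpose. The same marker is lost on the rewritten `find / -xdev -nouser` / `-nogroup` searches and on the `Check kdump service` and `Check if apparmor is running` `systemctl status` commands, while `Check autofs service` keeps it, so the suppressions are now inconsistent across the role. I would restore it on the rewritten line: `ansible.builtin.command: service auditd restart # noqa: command-instead-of-module`, and likewise on the other four tasks. The `--fix` transform appears to drop trailing comments when it rewrites a task key, so a plain `ansible-lint` run on the result should confirm which suppressions still need to be re-added.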


@ -14,5 +14,5 @@
# limitations under the License.
- name: Notify the deployer that contrib tasks are enabled
debug:
ansible.builtin.debug:
msg: "The contrib tasks are enabled."


@ -14,7 +14,7 @@
# limitations under the License.
- name: Gather variables for each operating system
include_vars: "{{ lookup('first_found', params) }}"
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
@ -30,20 +30,20 @@
- always
- name: Check for check/audit mode
command: /bin/true
ansible.builtin.command: /bin/true
register: noop_result
changed_when: false
tags:
- always
- name: Check to see if we are booting with EFI or UEFI
set_fact:
ansible.builtin.set_fact:
booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
tags:
- always
- name: Set facts
set_fact:
ansible.builtin.set_fact:
check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
@ -51,16 +51,15 @@
- always
- name: Check if grub is present on the remote node
stat:
ansible.builtin.stat:
path: "{{ grub_update_cmd.split(' ')[0] }}"
register: grub_update_binary
tags:
- always
- name: Importing STIG tasks
import_tasks: "{{ stig_version }}stig/main.yml"
ansible.builtin.import_tasks: "{{ stig_version }}stig/main.yml"
- name: Including contrib tasks
include_tasks: contrib/main.yml
ansible.builtin.include_tasks: contrib/main.yml
when:
- security_contrib_enabled | bool


@ -14,7 +14,7 @@
# limitations under the License.
- name: Check if /etc/security/pwquality.conf exists
stat:
ansible.builtin.stat:
path: /etc/security/pwquality.conf
check_mode: false
register: pwquality_config_check
@ -22,7 +22,7 @@
- always
- name: Set password quality requirements
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/security/pwquality.conf
backup: true
insertbefore: EOF
@ -45,7 +45,7 @@
- V-71935
- name: Check for SHA512 password storage in PAM
command: "grep pam_unix.so {{ pam_password_file }}"
ansible.builtin.command: "grep pam_unix.so {{ pam_password_file }}"
register: password_sha512_check
changed_when: false
check_mode: false
@ -53,7 +53,7 @@
- always
- name: Print warning if PAM is not using SHA512 for password storage
debug:
ansible.builtin.debug:
msg: >
PAM is not using SHA512 for password storage. This is a security issue.
when:
@ -65,7 +65,7 @@
- V-71919
- name: Ensure libuser is storing passwords using SHA512
ini_file:
community.general.ini_file:
dest: /etc/libuser.conf
section: defaults
option: crypt_style
@ -84,7 +84,7 @@
# may be attached to a Kerberos realm and they may not have shadow data on the
# system. See bug 1659232 for more details.
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
command: "chage -m 1 {{ item.name }}"
ansible.builtin.command: "chage -m 1 {{ item.name }}"
changed_when: false
when:
- item.shadow is mapping
@ -101,7 +101,7 @@
# may be attached to a Kerberos realm and they may not have shadow data on the
# system. See bug 1659232 for more details.
- name: Set maximum password lifetime limit to 60 days for interactive accounts
command: "chage -M 60 {{ item.name }}"
ansible.builtin.command: "chage -M 60 {{ item.name }}"
changed_when: false
when:
- item.shadow is mapping
@ -115,7 +115,7 @@
- V-71931
- name: Ensure that users cannot reuse one of their last 5 passwords
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ pam_password_file }}"
regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$"
line: "\\1 remember={{ security_password_remember_password }}"
@ -129,7 +129,7 @@
- V-71933
- name: Ensure accounts are disabled if the password expires
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/default/useradd
regexp: "^[#\\s]*INACTIVE"
line: "INACTIVE=0"
@ -141,7 +141,7 @@
- V-71941
- name: Apply shadow-utils configurations
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/login.defs
regexp: "^{{ item.parameter }}"
line: "{{ item.parameter }} {{ item.value }}"
@ -161,7 +161,7 @@
- V-72013
- name: Print warning for groups in /etc/passwd that are not in /etc/group
debug:
ansible.builtin.debug:
msg: >
The following users have GIDs in /etc/passwd that do not exist in /etc/group:
{{ hardening_user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
@ -185,7 +185,7 @@
- skip_ansible_lint
- name: Print warnings for non-root users with UID 0
fail:
ansible.builtin.fail:
msg: |
Only the 'root' user should have UID 0. Other users were found:
{{ root_user_check.stdout_lines | join(', ') }}"
@ -197,7 +197,7 @@
- V-72005
- name: Print warning for local interactive users without a home directory assigned
debug:
ansible.builtin.debug:
msg: |
The following users do not have a home directory assigned:
{{ hardening_user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
@ -210,7 +210,7 @@
- V-72011
- name: Check each user to see if its home directory exists on the filesystem
stat:
ansible.builtin.stat:
path: "{{ item['dir'] }}"
when:
- item['dir'] | length > 0
@ -222,7 +222,7 @@
- V-72015
- name: Print warning for users with an assigned home directory that does not exist
debug:
ansible.builtin.debug:
msg: |
These users have a home directory assigned, but the directory does not exist:
{% for check in home_directory_checks.results %}
@ -238,7 +238,7 @@
- V-72015
- name: Use pwquality when passwords are changed or created
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/pam.d/passwd
line: "password required pam_pwquality.so retry=3"
state: present
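Review bot: `community.general.ini_file:` on the `Ensure libuser is storing passwords using SHA512` task makes the role depend on the community.general collection, and the kernel and lsm tasks in this commit likewise move to `ansible.posix.sysctl:` and `ansible.posix.selinux:` from ansible.posix; neither collection ships with ansible-core, so on an ansible-core-only controller these tasks will fail to resolve at runtime. I cannot see the other changed files, so this may already be handled, but the collections should be declared wherever this repo lists its requirements, with a pinned version range, and the commit message should mention the new collection dependencies since it currently describes a pure FQCN rewrite. Unrelated to the rewrite but visible in the hunk: the `msg: |` block of `Print warnings for non-root users with UID 0` ends with a stray `"` after `{{ root_user_check.stdout_lines | join(', ') }}`, which is emitted literally in the failure message and could be dropped while this file is being touched.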


@ -14,7 +14,7 @@
# limitations under the License.
- name: Verify that AIDE configuration directory exists
stat:
ansible.builtin.stat:
path: "{{ item }}"
register: aide_conf
check_mode: false
@ -25,7 +25,7 @@
- always
- name: Exclude certain directories from AIDE
template:
ansible.builtin.template:
src: ZZ_aide_exclusions.j2
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
mode: "0644"
@ -39,7 +39,7 @@
# that meets the requirements of V-72069 and V-72071. That config
# is borrowed for Ubuntu 16.04 here.
- name: Configure AIDE to verify additional properties (Ubuntu)
blockinfile:
ansible.builtin.blockinfile:
dest: "/etc/aide/aide.conf"
insertbefore: EOF
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@ -69,7 +69,7 @@
# NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
- name: Configure AIDE to verify additional properties (SUSE)
lineinfile:
ansible.builtin.lineinfile:
dest: "/etc/aide.conf"
regexp: "(^Binlib.*= )"
line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs"
@ -86,7 +86,7 @@
- V-72073
- name: Check to see if AIDE database is already in place
stat:
ansible.builtin.stat:
path: "{{ aide_database_file }}"
register: aide_database
check_mode: false
@ -97,7 +97,7 @@
# NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
# would be to use aideinit || aide -i but that will possibly mask
# genuine aideinit failures.
shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
ansible.builtin.shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
changed_when: false
register: aide_init
when:
@ -113,7 +113,7 @@
# copies the new AIDE database into place automatically with its AIDE wrapper
# script.
- name: Move AIDE database into place
command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
ansible.builtin.command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
changed_when: false
when:
- aide_init is not skipped
@ -127,7 +127,7 @@
# package doesn't come with a cron job file. Ubuntu packages a cron job for
# AIDE checks already.
- name: Create AIDE cron job
cron:
ansible.builtin.cron:
name: aide
cron_file: aide
user: root


@ -14,13 +14,13 @@
# limitations under the License.
- name: Ensure debsums is installed
apt:
ansible.builtin.apt:
name: debsums
state: present
when: security_check_package_checksums | bool
- name: Gather debsums report
shell: "debsums > {{ temp_dir }}/debsums.txt"
ansible.builtin.shell: "debsums > {{ temp_dir }}/debsums.txt"
changed_when: false
failed_when: false
when:
@ -28,7 +28,7 @@
- not check_mode | bool
- name: V-71855 - Get files with invalid checksums (apt)
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe
ansible.builtin.shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
register: invalid_checksum_files
changed_when: false
when:
@ -40,7 +40,7 @@
- V-71855
- name: V-71855 - Create comma-separated list
set_fact:
ansible.builtin.set_fact:
invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
when:
- security_check_package_checksums | bool
@ -51,7 +51,7 @@
- V-71855
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt)
debug:
ansible.builtin.debug:
msg: >
The following files have checksums that differ from the checksum provided
with their package. Each of these should be verified manually to ensure
@ -68,14 +68,14 @@
# See the documentation for V-71977 for more details on this check.
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
ansible.builtin.command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
register: gpgcheck_result
changed_when: false
failed_when: false
check_mode: false
- name: V-71977 - Package management tool must verify authenticity of packages
debug:
ansible.builtin.debug:
msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when:
- security_enable_gpgcheck_packages | bool
@ -85,7 +85,7 @@
- V-71977
- name: V-71979 - Package management tool must verify authenticity of locally-installed packages
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/dpkg/dpkg.cfg
regexp: "^(#)?no-debsig"
line: "#no-debsig"
@ -97,7 +97,7 @@
- V-71979
- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/security-autoremove
regexp: "^(#)?APT::Get::AutomaticRemove"
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
@ -113,7 +113,7 @@
- V-71987
- name: Enable automatic package updates (apt)
copy:
ansible.builtin.copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: "0644"
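Review bot: The `# noqa risky-shell-pipe` marker on the old `V-71855 - Get files with invalid checksums (apt)` line is dropped on the rewritten `ansible.builtin.shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"`, so ansible-lint will presumably raise `risky-shell-pipe` here again; the suppression looks deliberate, because `grep -v OK$` exits 1 on a fully clean system and adding `set -o pipefail` would turn that into a task failure unless `failed_when` is widened to accept rc 1. I would restore the marker on the new line, in the colon form already used elsewhere in this role: `ansible.builtin.shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa: risky-shell-pipe`. The same marker is lost on the rewritten `Check for 'nopasswd' in sudoers files`, `V-71849 - Get packages with incorrect file permissions or ownership` and `Find all world-writable directories` shell tasks and should be restored there too. The task's `when:` list continues outside the hunk, so I cannot tell whether its `failed_when` already tolerates a non-zero grep.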


@ -32,7 +32,7 @@
- skip_ansible_lint
- name: Locate top level directories to check for .shosts
find:
ansible.builtin.find:
paths: /
file_type: directory
register: shosts_dirs
@ -46,7 +46,7 @@
- V-72279
- name: Check for .shosts or shosts.equiv files
find:
ansible.builtin.find:
paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
recurse: true
hidden: true


@ -14,7 +14,7 @@
# limitations under the License.
- name: Verify that auditd.conf exists
stat:
ansible.builtin.stat:
path: /etc/audit/auditd.conf
register: auditd_conf
check_mode: false
@ -22,7 +22,7 @@
- always
- name: Verify that audisp-remote.conf exists
stat:
ansible.builtin.stat:
path: /etc/audisp/audisp-remote.conf
register: audisp_remote_conf
check_mode: false
@ -30,7 +30,7 @@
- always
- name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/audisp/audisp-remote.conf
regexp: "^(#)?remote_server"
line: "remote_server = {{ security_audisp_remote_server }}"
@ -45,7 +45,7 @@
- V-72083
- name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/audisp/audisp-remote.conf
regexp: "^(#)?enable_krb5"
line: "enable_krb5 = yes"
@ -60,14 +60,14 @@
- V-72085
- name: Get valid system architectures for audit rules
set_fact:
ansible.builtin.set_fact:
auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
check_mode: false
tags:
- always
- name: Remove system default audit.rules file
file:
ansible.builtin.file:
path: /etc/audit/rules.d/audit.rules
state: absent
when:
@ -78,7 +78,7 @@
- always
- name: Remove old RHEL 6 audit rules file
file:
ansible.builtin.file:
path: /etc/audit/rules.d/osas-auditd.rules
state: absent
when:
@ -89,7 +89,7 @@
- always
- name: Deploy rules for auditd based on STIG requirements
template:
ansible.builtin.template:
src: osas-auditd-rhel7.j2
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
mode: "0644"
@ -155,7 +155,7 @@
- V-72081
- name: Adjust auditd/audispd configurations
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ item.config }}"
regexp: "^#?{{ item.parameter }}\\s*="
line: "{{ item.parameter }} = {{ item.value }}"
@ -174,7 +174,7 @@
- V-72093
- name: Ensure auditd is running and enabled at boot time
service:
ansible.builtin.service:
name: auditd
state: started
enabled: true


@ -16,7 +16,7 @@
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
# microseconds.
- name: Set pam_faildelay configuration on Ubuntu
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/pam.d/login
regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$"
line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}"
@ -31,7 +31,7 @@
- V-71951
- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
@ -47,7 +47,7 @@
- V-71937
- name: Prevent users with blank or null passwords from authenticating (Red Hat)
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ item[1] }}"
state: present
regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
@ -64,7 +64,7 @@
- V-71937
- name: Prevent users with blank or null passwords from authenticating (SUSE)
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ item }}"
state: present
regexp: "^(.*required.*)nullok(.*)$"
@ -83,7 +83,7 @@
- V-71937
- name: Lock accounts after three failed login attempts a 15 minute period
blockinfile:
ansible.builtin.blockinfile:
dest: "{{ pam_password_file }}"
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@ -106,7 +106,7 @@
# those lines that have a '#' as the first character or '#' as the first
# character following a space (or series of spaces).
- name: Check for 'nopasswd' in sudoers files
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
ansible.builtin.shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
register: sudoers_nopasswd_check
changed_when: false
when:
@ -132,7 +132,7 @@
- skip_ansible_lint
- name: Check for '!authenticate' in sudoers files
shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
ansible.builtin.shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
register: sudoers_authenticate_check
changed_when: false
tags:
@ -156,7 +156,7 @@
- skip_ansible_lint
- name: Check if sssd.conf exists
stat:
ansible.builtin.stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_check
check_mode: false
@ -166,7 +166,7 @@
# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
# should be skipped on those systems.
- name: Check if GRUB2 custom file exists
stat:
ansible.builtin.stat:
path: "{{ grub_custom_file }}"
register: grub_custom_file_check
check_mode: false
@ -176,7 +176,7 @@
- name: Set a GRUB 2 password for single-user/maintenance modes
block:
- name: Define password options for grub
blockinfile:
ansible.builtin.blockinfile:
path: "{{ grub_custom_file }}"
insertbefore: EOF
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@ -187,7 +187,7 @@
notify:
- Update grub config
- name: Set CLASS for grub file
lineinfile:
ansible.builtin.lineinfile:
path: "{{ grub_linux_file }}"
regexp: "^CLASS=.*"
line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
@ -205,7 +205,7 @@
- V-71963
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: true
mode: "0644"
@ -221,7 +221,7 @@
- V-72217
- name: Check for pam_lastlog in PAM configuration
command: "grep pam_lastlog {{ pam_postlogin_file }}"
ansible.builtin.command: "grep pam_lastlog {{ pam_postlogin_file }}"
register: pam_lastlog_check
changed_when: false
failed_when: false
@ -230,7 +230,7 @@
- always
- name: V-72275 - Display date/time of last logon after logon
debug:
ansible.builtin.debug:
msg: >
The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
This is required by V-72275.
@ -242,7 +242,7 @@
- V-72275
- name: Ensure .shosts find has finished
async_status:
ansible.builtin.async_status:
jid: "{{ shosts_find.ansible_job_id }}"
failed_when: false
changed_when: false
@ -258,7 +258,7 @@
- V-72279
- name: Remove .shosts or shosts.equiv files
file:
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
with_items: "{{ job_result.files }}"


@ -14,10 +14,10 @@
# limitations under the License.
- name: Including rpm tasks
include_tasks: rpm.yml
ansible.builtin.include_tasks: rpm.yml
- name: Check if /etc/dnf/automatic.conf exists
stat:
ansible.builtin.stat:
path: /etc/dnf/automatic.conf
check_mode: false
register: dnf_automatic_config_check
@ -28,7 +28,7 @@
- always
- name: Enable automatic package updates (dnf)
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/dnf/automatic.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
@ -77,7 +77,7 @@
- skip_ansible_lint
- name: Enable dnf automatic timer for automatic package updates
systemd:
ansible.builtin.systemd:
name: "{{ dnf_automatic_timer }}"
enabled: true
state: started


@ -14,7 +14,7 @@
# limitations under the License.
- name: V-71849 - Get packages with incorrect file permissions or ownership
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
ansible.builtin.shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
register: rpmverify_package_list
changed_when: false
when:
@ -47,7 +47,7 @@
- skip_ansible_lint
- name: Search for files/directories with an invalid owner
command: find / -xdev -nouser -fstype local # noqa: command-instead-of-module
ansible.builtin.command: find / -xdev -nouser -fstype local
register: invalid_owner_files
changed_when: false
when:
@ -56,7 +56,7 @@
- always
- name: V-72007 - All files and directories must have a valid owner.
debug:
ansible.builtin.debug:
msg: |
Files and directories were found that are owned by an invalid user:
{{ invalid_owner_files.stdout_lines | join('\n') }}
@ -70,7 +70,7 @@
- V-72007
- name: Search for files/directories with an invalid group owner
command: find / -xdev -nogroup -fstype local # noqa: command-instead-of-module
ansible.builtin.command: find / -xdev -nogroup -fstype local
register: invalid_group_owner_files
changed_when: false
when:
@ -79,7 +79,7 @@
- always
- name: V-72009 - All files and directories must have a valid group owner.
debug:
ansible.builtin.debug:
msg: |
Files and directories were found that are owned by an invalid group:
{{ invalid_group_owner_files.stdout_lines | join('\n') }}
@ -93,7 +93,7 @@
- V-72009
- name: Set proper owner, group owner, and permissions on home directories
file:
ansible.builtin.file:
dest: "{{ item.dir }}"
owner: "{{ item.name }}"
group: "{{ item.group.name }}"
@ -111,7 +111,7 @@
- V-72021
- name: Find all world-writable directories
shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe
ansible.builtin.shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
register: world_writable_dirs
changed_when: false
failed_when: false
@ -122,7 +122,7 @@
- always
- name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
debug:
ansible.builtin.debug:
msg: |
The group owners on the following world-writable directories should be examined:
{{ world_writable_dirs.stdout }}
@ -135,14 +135,14 @@
- V-72047
- name: Check if /etc/cron.allow exists
stat:
ansible.builtin.stat:
path: /etc/cron.allow
register: cron_allow_check
tags:
- always
- name: Set owner/group owner on /etc/cron.allow
file:
ansible.builtin.file:
path: /etc/cron.allow
owner: root
group: root


@ -14,13 +14,13 @@
# limitations under the License.
- name: Check if gdm is installed and configured
stat:
ansible.builtin.stat:
path: /etc/gdm/custom.conf
register: gdm_conf_check
check_mode: false
- name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/gdm/custom.conf
line: "^AutomaticLoginEnable=true"
state: absent
@ -33,7 +33,7 @@
- V-71953
- name: V-71955 - The operating system must not allow guest logon to the system.
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/gdm/custom.conf
line: "^TimedLoginEnable=true"
state: absent
@ -46,14 +46,14 @@
- V-71955
- name: Check for dconf profiles
stat:
ansible.builtin.stat:
path: /etc/dconf/profile
register: dconf_check
tags:
- always
- name: Create a user profile in dconf
copy:
ansible.builtin.copy:
src: dconf-user-profile
dest: /etc/dconf/profile/user
mode: "0644"
@ -67,7 +67,7 @@
- V-71901
- name: Create dconf directories
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0755"
@ -86,7 +86,7 @@
- V-71901
- name: Configure graphical session locking
template:
ansible.builtin.template:
src: dconf-screensaver-lock.j2
dest: /etc/dconf/db/local.d/00-screensaver
mode: "0644"
@ -102,7 +102,7 @@
- V-71901
- name: Prevent users from changing graphical session locking configurations
template:
ansible.builtin.template:
src: dconf-session-user-config-lockout.j2
dest: /etc/dconf/db/local.d/locks/session
mode: "0644"
@ -118,7 +118,7 @@
- V-71901
- name: Create a GDM profile for displaying a login banner
copy:
ansible.builtin.copy:
src: dconf-profile-gdm
dest: /etc/dconf/profile/gdm
mode: "0644"
@ -132,7 +132,7 @@
- V-71859
- name: Create a GDM keyfile for machine-wide settings
template:
ansible.builtin.template:
src: dconf-gdm-banner-message.j2
dest: "{{ item }}"
mode: "0644"


@ -14,7 +14,7 @@
# limitations under the License.
- name: V-71983 - USB mass storage must be disabled.
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
line: install usb-storage /bin/true
create: true
@ -27,7 +27,7 @@
- V-71983
- name: Set sysctl configurations
sysctl:
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: "{{ item.enabled | ternary('present', 'absent') }}"
@ -51,7 +51,7 @@
- C-00001
- name: Check kdump service
command: systemctl status kdump # noqa: command-instead-of-module
ansible.builtin.command: systemctl status kdump
register: kdump_service_check
failed_when: kdump_service_check.rc not in [0,3,4]
changed_when: false
@ -62,7 +62,7 @@
- V-72057
- name: V-72057 - Kernel core dumps must be disabled unless needed.
service:
ansible.builtin.service:
name: kdump
state: stopped
enabled: false
@ -75,7 +75,7 @@
- V-72057
- name: Check if FIPS is enabled
command: cat /proc/sys/crypto/fips_enabled
ansible.builtin.command: cat /proc/sys/crypto/fips_enabled
register: fips_check
changed_when: false
failed_when: false
@ -86,7 +86,7 @@
- always
- name: Print a warning if FIPS isn't enabled
debug:
ansible.builtin.debug:
msg: >
FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time.
@ -100,7 +100,7 @@
- V-72067
- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
copy:
ansible.builtin.copy:
src: ansible-hardening-disable-dccp.conf
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
mode: "0644"


@ -14,7 +14,7 @@
# limitations under the License.
- name: Check apparmor_status output
command: apparmor_status
ansible.builtin.command: apparmor_status
register: apparmor_status_output
check_mode: false
changed_when: false
@ -32,7 +32,7 @@
# started apparmor each time. This breaks idempotency and we check
# systemd's status directly as an alternative.
- name: Check if apparmor is running
command: "systemctl status apparmor" # noqa: command-instead-of-module
ansible.builtin.command: "systemctl status apparmor"
register: systemctl_apparmor_status
check_mode: false
changed_when: false
@ -45,7 +45,7 @@
- V-71989
- name: Ensure AppArmor is enabled at boot time
service:
ansible.builtin.service:
name: apparmor
enabled: true
when:
@ -60,7 +60,7 @@
# unit will always say AppArmor is dead. This means that the following task
# will always start the unit every time it runs (which breaks idempotency).
- name: Ensure AppArmor is running
service:
ansible.builtin.service:
name: apparmor
state: started
changed_when:
@ -79,7 +79,7 @@
# to switch to permissive/enforcing in an online way when SELinux is completely
# disabled at boot time.
- name: Ensure SELinux is in enforcing mode on the next reboot
selinux:
ansible.posix.selinux:
state: enforcing
policy: targeted
register: selinux_status_change
@ -93,7 +93,7 @@
- V-71991
- name: Relabel files on next boot if SELinux mode changed
file:
ansible.builtin.file:
path: /.autorelabel
state: touch
mode: "0644"
@ -109,7 +109,7 @@
# NOTE(mhayden): Ansible's find module doesn't support searching for files
# based on SELinux contexts yet.
- name: Check for unlabeled device files
command: "find /dev -context '*unlabeled_t*'"
ansible.builtin.command: "find /dev -context '*unlabeled_t*'"
register: unlabeled_devices
changed_when: false
check_mode: false
@ -122,7 +122,7 @@
- V-72039
- name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification.
debug:
ansible.builtin.debug:
msg: |
Devices were found without SELinux labels:
{% for device in unlabeled_devices.stdout_lines %}


@ -14,7 +14,7 @@
# limitations under the License.
- name: Create temporary directory to hold any temporary files
tempfile:
ansible.builtin.tempfile:
state: directory
suffix: hardening
register: mktemp_result
@ -24,7 +24,7 @@
- always
- name: Set a fact for the temporary directory
set_fact:
ansible.builtin.set_fact:
temp_dir: "{{ mktemp_result.path }}"
changed_when: false
when:
@ -35,8 +35,7 @@
# Some of the tasks in the role may take a long time to run. Let's start them
# as early as possible so they have time to finish.
- name: Importing async_tasks tasks
import_tasks: async_tasks.yml
ansible.builtin.import_tasks: async_tasks.yml
- name: Get user data for all users on the system
get_users:
min_uid: 0
@ -56,7 +55,7 @@
# NOTE(mhayden): EPEL is only needed for the clamav packages. We should only
# install EPEL if the deployer asked for clamav to be installed.
- name: Install EPEL repository
yum:
ansible.builtin.dnf:
name: "{{ security_epel_release_package }}"
state: "{{ security_package_state }}"
when:
@ -69,43 +68,43 @@
# Package installations and removals must come first so that configuration
# changes can be made later.
- name: Importing packages tasks
import_tasks: packages.yml
ansible.builtin.import_tasks: packages.yml
tags:
- always
# Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role.
- name: Including OS-specific tasks
include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
ansible.builtin.include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
# The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml`
# are tagged with `auth`). Also, the tag name matches up with the "STIG
# Controls by Tag" section of the role documentation.
- name: Importing accounts tasks
import_tasks: accounts.yml
ansible.builtin.import_tasks: accounts.yml
- name: Importing aide tasks
import_tasks: aide.yml
ansible.builtin.import_tasks: aide.yml
when: security_rhel7_enable_aide | bool
- name: Importing auditd tasks
import_tasks: auditd.yml
ansible.builtin.import_tasks: auditd.yml
- name: Importing auth tasks
import_tasks: auth.yml
ansible.builtin.import_tasks: auth.yml
- name: Importing file_perms tasks
import_tasks: file_perms.yml
ansible.builtin.import_tasks: file_perms.yml
- name: Importing graphical tasks
import_tasks: graphical.yml
ansible.builtin.import_tasks: graphical.yml
- name: Importing kernel tasks
import_tasks: kernel.yml
ansible.builtin.import_tasks: kernel.yml
- name: Importing lsm tasks
import_tasks: lsm.yml
ansible.builtin.import_tasks: lsm.yml
- name: Importing misc tasks
import_tasks: misc.yml
ansible.builtin.import_tasks: misc.yml
- name: Importing sshd tasks
import_tasks: sshd.yml
ansible.builtin.import_tasks: sshd.yml
- name: Remove the temporary directory
file:
ansible.builtin.file:
path: "{{ temp_dir }}"
state: absent
changed_when: false
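Review bot: The `Install EPEL repository` task changes the module from `yum:` to `ansible.builtin.dnf:`, which is a functional change rather than the FQCN rewrite the commit message describes (the name-only equivalent would be `ansible.builtin.yum:`). `ansible.builtin.dnf` needs the dnf Python bindings on the managed node, so on any host that still only has yum — the role still carries `security_rhel7_*` variables, so such targets may exist — this task would presumably fail with a missing-library error instead of installing EPEL. If the switch is intentional it should be stated in the commit message; if older targets are still supported, `ansible.builtin.package:` with the same `name`/`state` keys would let Ansible pick the manager via the `pkg_mgr` fact this file already uses for `Including OS-specific tasks`. The task's `when:` list continues outside the hunk.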


@ -14,7 +14,7 @@
# limitations under the License.
- name: Check autofs service
command: systemctl status autofs # noqa: command-instead-of-module
ansible.builtin.command: systemctl status autofs # noqa: command-instead-of-module
register: autofs_check
failed_when: autofs_check.rc not in [0,3,4]
changed_when: false
@ -23,7 +23,7 @@
- always
- name: V-71985 - File system automounter must be disabled unless required.
service:
ansible.builtin.service:
name: autofs
state: stopped
enabled: false
@ -39,7 +39,7 @@
# https://github.com/ansible/ansible/issues/68680
# This returns an exit code of 0 if it's running, 3 if it's masked.
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
systemd:
ansible.builtin.systemd:
name: ctrl-alt-del.target
enabled: false
when:
@ -50,7 +50,7 @@
- V-71993
- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
systemd:
ansible.builtin.systemd:
name: ctrl-alt-del.target
masked: true
daemon_reload: true
@ -62,7 +62,7 @@
- V-71993
- name: Check for /home on mounted filesystem
debug:
ansible.builtin.debug:
msg: |
The STIG requires that /home is on its own filesystem, but this system
does not appear to be following the requirement.
@ -74,7 +74,7 @@
- V-72059
- name: Check for /var on mounted filesystem
debug:
ansible.builtin.debug:
msg: |
The STIG requires that /var is on its own filesystem, but this system
does not appear to be following the requirement.
@ -86,7 +86,7 @@
- V-72067
- name: Check for /var/log/audit on mounted filesystem
debug:
ansible.builtin.debug:
msg: |
The STIG requires that /var/log/audit is on its own filesystem, but this system
does not appear to be following the requirement.
@ -98,7 +98,7 @@
- V-72063
- name: Check for /tmp on mounted filesystem
debug:
ansible.builtin.debug:
msg: |
The STIG requires that /tmp is on its own filesystem, but this system
does not appear to be following the requirement.
@ -110,7 +110,7 @@
- V-72065
- name: Check if syslog output is being sent to another server
command: 'grep "^[^#].*@" /etc/rsyslog.conf'
ansible.builtin.command: 'grep "^[^#].*@" /etc/rsyslog.conf'
register: rsyslog_transmit_check
changed_when: false
failed_when: false
@ -119,7 +119,7 @@
- always
- name: V-72209 - The system must send rsyslog output to a log aggregation server.
debug:
ansible.builtin.debug:
msg: Output from syslog must be sent to another server.
when:
- rsyslog_transmit_check is defined
@ -130,7 +130,7 @@
- V-72209
- name: Check if ClamAV is installed
stat:
ansible.builtin.stat:
path: /usr/bin/clamdscan
register: clamav_install_check
changed_when: false
@ -138,7 +138,7 @@
- always
- name: Remove 'Example' line from ClamAV configuration files
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ item }}"
regexp: "^Example"
state: absent
@ -156,7 +156,7 @@
- V-72213
- name: Set ClamAV server type as socket
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/clamd.d/scan.conf
regexp: "^(#)?LocalSocket (.*)$"
line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
@ -172,7 +172,7 @@
- V-72213
- name: Ensure ClamAV socket directory exists
file:
ansible.builtin.file:
path: "{{ clamav_service_details['socket_path'] | dirname }}"
owner: "{{ clamav_service_details['user'] }}"
group: "{{ clamav_service_details['group'] }}"
@ -188,7 +188,7 @@
- V-72213
- name: Allow automatic freshclam updates
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/sysconfig/freshclam
regexp: "^FRESHCLAM_DELAY"
state: absent
@ -203,7 +203,7 @@
- V-72213
- name: Check if ClamAV update process is already running
shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
ansible.builtin.shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
register: freshclam_proc
changed_when: false
failed_when: false
@ -212,7 +212,7 @@
- always
- name: Update ClamAV database
command: freshclam
ansible.builtin.command: freshclam
changed_when: false
when:
- freshclam_proc.rc != 0
@ -226,7 +226,7 @@
- V-72213
- name: Ensure ClamAV is running
service:
ansible.builtin.service:
name: "{{ clamav_service }}"
state: started
enabled: true
@ -243,7 +243,7 @@
# errors on the command prompt. See LP bug 1736702.
# TODO(mhayden): Remove this task when the Rocky release is in development.
- name: Remove old config block for V-72223 from openstack-ansible-security
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/profile
state: absent
insertbefore: EOF
@ -254,7 +254,7 @@
- V-72223
- name: V-72223 - Set 10 minute timeout on communication sessions
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/profile
state: present
insertbefore: EOF
@ -270,7 +270,7 @@
- V-72223
- name: Start and enable chrony
service:
ansible.builtin.service:
name: "{{ chrony_service }}"
state: started
enabled: true
@ -283,14 +283,14 @@
- V-72269
- name: Check if chrony configuration file exists
stat:
ansible.builtin.stat:
path: "{{ chrony_conf_file }}"
register: chrony_conf_check
tags:
- always
- name: V-72269 - Synchronize system clock (configuration file)
template:
ansible.builtin.template:
src: chrony.conf.j2
dest: "{{ chrony_conf_file }}"
mode: "0644"
@ -306,7 +306,7 @@
# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
command: systemctl status firewalld # noqa: command-instead-of-module
ansible.builtin.command: systemctl status firewalld
register: firewalld_status_check
failed_when: firewalld_status_check.rc not in [0,3,4]
changed_when: false
@ -315,7 +315,7 @@
- always
- name: Ensure firewalld is running and enabled
service:
ansible.builtin.service:
name: firewalld
state: started
enabled: true
@ -328,7 +328,7 @@
- V-72273
- name: Limit new TCP connections to 25/minute and allow bursting to 100
command: >-
ansible.builtin.command: >-
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
register: add_rate_limit_firewalld_rule
@ -354,7 +354,7 @@
- skip_ansible_lint
- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
debug:
ansible.builtin.debug:
msg: |
Two or more nameservers must be configured in /etc/resolv.conf.
Nameservers found: {{ nameserver_check.stdout_lines | length }}
@ -367,7 +367,7 @@
- V-72281
- name: Check for interfaces in promiscuous mode
shell: "set -o pipefail; ip link | grep -i promisc"
ansible.builtin.shell: "set -o pipefail; ip link | grep -i promisc"
register: promiscuous_interface_check
changed_when: false
failed_when: false
@ -376,7 +376,7 @@
- always
- name: V-72295 - Network interfaces must not be in promiscuous mode.
debug:
ansible.builtin.debug:
msg: >
One or more network interfaces were found to be in promiscuous mode.
Review all interfaces and disable promiscuous mode.
@ -388,14 +388,14 @@
- V-72295
- name: Check for postfix configuration file
stat:
ansible.builtin.stat:
path: /etc/postfix/main.cf
register: postfix_conf_check
tags:
- always
- name: V-72297 - Prevent unrestricted mail relaying
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf
regexp: "^smtpd_client_restrictions"
line: "smtpd_client_restrictions = permit_mynetworks, reject"
@ -408,7 +408,7 @@
- V-72297
- name: Check for TFTP server configuration file
stat:
ansible.builtin.stat:
path: /etc/xinetd.d/tftp
register: tftp_config_check
check_mode: false
@ -416,7 +416,7 @@
- always
- name: Check TFTP configuration mode
command: "grep server_args /etc/xinetd.d/tftp"
ansible.builtin.command: "grep server_args /etc/xinetd.d/tftp"
register: tftp_secure_check
changed_when: false
failed_when: false
@ -427,7 +427,7 @@
- always
- name: V-72305 - TFTP must be configured to operate in secure mode
debug:
ansible.builtin.debug:
msg: TFTP must be configured to run in secure mode with the '-s' flag.
when:
- tftp_config_check.stat.exists
@ -438,7 +438,7 @@
- V-72305
- name: Check to see if snmpd config contains public/private
command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
ansible.builtin.command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
register: snmp_public_private_check
changed_when: false
failed_when: false
@ -447,7 +447,7 @@
- always
- name: V-72313 - Change SNMP community strings from default.
debug:
ansible.builtin.debug:
msg: >
Change the SNMP community strings from the defaults of 'public' and
'private' to meet the requirements of V-72313.
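Review bot: The firewalld status check in the `@@ -306` hunk drops the `# noqa: command-instead-of-module` marker while the identical autofs check at the top of this file keeps it, so ansible-lint will now flag the `systemctl status firewalld` call even though the comment above it documents why `command` is deliberate here. Keeping the two tasks consistent avoids the rule firing on the next lint run: `ansible.builtin.command: systemctl status firewalld # noqa: command-instead-of-module`. If the marker was removed on purpose, the reason is not visible in this commit and would be worth a word in the description.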


@ -14,7 +14,7 @@
# limitations under the License.
- name: Add packages based on STIG requirements
package:
ansible.builtin.package:
name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
state: "{{ item }}"
with_items:
@ -35,7 +35,7 @@
- V-72307
- name: Remove packages based on STIG requirements
package:
ansible.builtin.package:
name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
state: "{{ item }}"
with_items:


@ -14,7 +14,7 @@
# limitations under the License.
- name: Ensure RPM verification task has finished
async_status:
ansible.builtin.async_status:
jid: "{{ rpmverify_task.ansible_job_id }}"
failed_when: false
changed_when: false
@ -30,7 +30,7 @@
- V-71855
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
register: invalid_checksum_files
changed_when: false
when:
@ -43,7 +43,7 @@
- V-71855
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
debug:
ansible.builtin.debug:
msg: |
The following files have checksums that differ from the checksum provided
with their package. Each of these should be verified manually to ensure
@ -64,7 +64,7 @@
- V-71855
- name: V-71977 - Require digital signatures for all packages
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ pkg_mgr_config }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
@ -78,7 +78,7 @@
- V-71981
- name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ pkg_mgr_config }}"
regexp: "^(#)?clean_requirements_on_remove"
line: "clean_requirements_on_remove=1"
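Review bot: The `@@ -30` hunk drops the `# noqa risky-shell-pipe` marker from the `grep ... | awk` pipeline without adding `set -o pipefail`, so the lint rule will fire again and the underlying problem it pointed at remains: if grep fails (for example because `{{ temp_dir }}/rpmverify.txt` is missing) awk still exits 0 and `invalid_checksum_files` silently registers an empty result, so the V-71855 checksum report passes vacuously. The other shell tasks in this commit prefix their pipelines with `set -o pipefail;`, so the consistent form would be `ansible.builtin.shell: "set -o pipefail; grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"`; because grep exits 1 when nothing matches, that needs a `failed_when: invalid_checksum_files.rc not in [0, 1]` alongside it, and the task's `when:` and any existing `failed_when` are outside the hunk. The same marker removal appears on the identical task in the SUSE rpm tasks file further down in this commit.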


@ -14,7 +14,7 @@
# limitations under the License.
- name: Copy login warning banner
copy:
ansible.builtin.copy:
content: "{{ security_login_banner_text }}"
dest: "{{ security_sshd_banner_file }}"
owner: root
@ -27,7 +27,7 @@
- V-72225
- name: Drop options from SSH config that we manage
lineinfile:
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"
@ -59,7 +59,7 @@
- V-72263
- name: Adjust ssh server configuration based on STIG requirements
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/ssh/sshd_config
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@ -97,7 +97,7 @@
- V-72263
- name: Ensure sshd is enabled at boot time
service:
ansible.builtin.service:
name: "{{ ssh_service }}"
enabled: true
when:
@ -108,7 +108,7 @@
- V-72235
- name: Determine existing public ssh host keys
shell: ls /etc/ssh/*.pub
ansible.builtin.shell: ls /etc/ssh/*.pub
register: public_ssh_host_keys
# The shell command will always report 'changed' so we need to
# ignore that since this role is supposed to be idempotent.
@ -118,7 +118,7 @@
- always
- name: Public host key files must have mode 0644 or less
file:
ansible.builtin.file:
path: "{{ item }}"
mode: "u-xX,g-wxs,o-wxt"
with_items:
@ -129,7 +129,7 @@
- V-72255
- name: Determine existing private ssh host keys
shell: ls /etc/ssh/*_key
ansible.builtin.shell: ls /etc/ssh/*_key
register: private_ssh_host_keys
# The shell command will always report 'changed' so we need to
# ignore that since this role is supposed to be idempotent
@ -139,7 +139,7 @@
- always
- name: Private host key files must have mode 0600 or less
file:
ansible.builtin.file:
path: "{{ item }}"
mode: "u-xX,g-rwxs,o-rwxt"
with_items:
@ -150,7 +150,7 @@
- V-72257
- name: Manage motd in pam.d
replace:
ansible.builtin.replace:
path: /etc/pam.d/sshd
regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$"
replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
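Review bot: The `ls /etc/ssh/*.pub` and `ls /etc/ssh/*_key` tasks in the `@@ -108` and `@@ -129` hunks still shell out and parse `ls` output, which is what forces the "always reports changed" workaround described in the comments directly below them. Since the commit is already moving to builtin modules, `ansible.builtin.find` with `paths: /etc/ssh` and `patterns: "*.pub"` (respectively `"*_key"`) yields the same list without a shell and does not report a change by itself; the `with_items` loops in the two `file` tasks would then iterate `public_ssh_host_keys.files | map(attribute='path') | list`. Those loops and the tasks' `changed_when`/`tags` lines are outside the hunks, so the change touches more than what is shown here.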


@ -14,10 +14,10 @@
# limitations under the License.
- name: Including rpm tasks
include_tasks: rpm.yml
ansible.builtin.include_tasks: rpm.yml
- name: Check if /etc/yum/yum-cron.conf exists
stat:
ansible.builtin.stat:
path: /etc/yum/yum-cron.conf
check_mode: false
register: yum_cron_config_check
@ -27,7 +27,7 @@
- always
- name: Enable automatic package updates (yum)
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"


@ -15,7 +15,7 @@
# limitations under the License.
- name: Ensure RPM verification task has finished
async_status:
ansible.builtin.async_status:
jid: "{{ rpmverify_task.ansible_job_id }}"
failed_when: false
changed_when: false
@ -31,7 +31,7 @@
- V-71855
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
register: invalid_checksum_files
changed_when: false
when:
@ -43,7 +43,7 @@
- V-71855
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
debug:
ansible.builtin.debug:
msg: |
The following files have checksums that differ from the checksum provided
with their package. Each of these should be verified manually to ensure
@ -63,12 +63,12 @@
- V-71855
- name: Determine all SUSE repositories
shell: ls /etc/zypp/repos.d/*.repo
ansible.builtin.shell: ls /etc/zypp/repos.d/*.repo
changed_when: false
register: all_zypper_repositories
- name: V-71977 - Require digital signatures for all packages and repositories
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ item }}"
regexp: "^(#)?\\s*gpgcheck"
line: "gpgcheck=1"
@ -84,7 +84,7 @@
- V-71981
- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
lineinfile:
ansible.builtin.lineinfile:
dest: "{{ pkg_mgr_config }}"
regexp: "^(#)?\\s*solver\\.cleandepsOnRemove"
line: "solver.cleandepsOnRemove = true"
@ -97,7 +97,7 @@
- V-71987
- name: Enable automatic package updates (SUSE)
copy:
ansible.builtin.copy:
src: zypper-autoupdates
dest: /etc/cron.daily/zypper-autoupdates
mode: "0750"