From 4dbd95132c589b671b917396d300362907c5d69c Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 13 Feb 2025 07:54:07 +0100
Subject: [PATCH] Auto-fix usage of modules via FQCN

Since ansible-core 2.10 it is recommended to use modules via FQCN In order to align with recommendation, we perform migration by applying suggestions made by `ansible-lint --fix=fqcn`

Change-Id: I76bf3945bf413a8e9f0661f9aba697fdb8e993f7
---
 handlers/main.yml | 16 ++++----
 tasks/contrib/main.yml | 2 +-
 tasks/main.yml | 15 ++++---
 tasks/rhel7stig/accounts.yml | 32 +++++++--------
 tasks/rhel7stig/aide.yml | 16 ++++----
 tasks/rhel7stig/apt.yml | 20 ++++-----
 tasks/rhel7stig/async_tasks.yml | 4 +-
 tasks/rhel7stig/auditd.yml | 20 ++++-----
 tasks/rhel7stig/auth.yml | 32 +++++++--------
 tasks/rhel7stig/dnf.yml | 8 ++--
 tasks/rhel7stig/file_perms.yml | 20 ++++-----
 tasks/rhel7stig/graphical.yml | 20 ++++-----
 tasks/rhel7stig/kernel.yml | 14 +++----
 tasks/rhel7stig/lsm.yml | 16 ++++----
 tasks/rhel7stig/main.yml | 35 ++++++++--------
 tasks/rhel7stig/misc.yml | 72 ++++++++++++++++-----------------
 tasks/rhel7stig/packages.yml | 4 +-
 tasks/rhel7stig/rpm.yml | 10 ++---
 tasks/rhel7stig/sshd.yml | 18 ++++-----
 tasks/rhel7stig/yum.yml | 6 +--
 tasks/rhel7stig/zypper.yml | 14 +++----
 21 files changed, 196 insertions(+), 198 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 8b55dc6a..ecf3d445 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -18,32 +18,32 @@ # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS # since it's a special service. Using the old service scripts is required. - name: Restart auditd - command: service auditd restart # noqa: command-instead-of-module + ansible.builtin.command: service auditd restart changed_when: false - name: Restart chrony - service: + ansible.builtin.service: name: "{{ chrony_service }}" state: restarted - name: Restart ssh - service: + ansible.builtin.service: name: "{{ ssh_service }}" state: restarted - name: Restart clamav - service: + ansible.builtin.service: name: "{{ clamav_service }}" state: restarted # Miscellaneous ############################################################## - name: Generate auditd rules - command: augenrules --load + ansible.builtin.command: augenrules --load changed_when: false notify: restart auditd - name: Update grub config - command: "{{ grub_update_cmd }}" + ansible.builtin.command: "{{ grub_update_cmd }}" changed_when: false when: - security_enable_grub_update | bool @@ -55,10 +55,10 @@ # NOTE(mhayden): Running `update-grub` causes the bootloader permissions to # change, which breaks V-38583. - name: Set bootloader file permissions after updating grub config - file: + ansible.builtin.file: path: "{{ grub_config_file_boot }}" mode: "0644" - name: Dconf update - command: dconf update + ansible.builtin.command: dconf update changed_when: false diff --git a/tasks/contrib/main.yml b/tasks/contrib/main.yml index e3ebea63..cbf79bd6 100644 --- a/tasks/contrib/main.yml +++ b/tasks/contrib/main.yml @@ -14,5 +14,5 @@ # limitations under the License. - name: Notify the deployer that contrib tasks are enabled - debug: + ansible.builtin.debug: msg: "The contrib tasks are enabled." diff --git a/tasks/main.yml b/tasks/main.yml index 49087464..5b430e3f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
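Review bot: The FQCN rewrite also dropped the `# noqa: command-instead-of-module` marker on `ansible.builtin.command: service auditd restart`, so ansible-lint will flag this handler again even though the NOTE above it explains why the service module cannot be used here; keep the suppression on the new line: `ansible.builtin.command: service auditd restart # noqa: command-instead-of-module`. The same loss happens to the `# noqa risky-shell-pipe` markers in tasks/rhel7stig/apt.yml, auth.yml and file_perms.yml and to `# noqa: command-instead-of-module` in file_perms.yml, kernel.yml and lsm.yml, while tasks/rhel7stig/misc.yml keeps its marker, so the result is inconsistent. The pipe suppressions look deliberate: adding `pipefail` to a `grep ... | awk` audit pipeline would make the task fail when grep simply finds nothing, which is the expected outcome on a compliant host. Separately, the context line `notify: restart auditd` does not match the handler name `Restart auditd` in case; handler lookup is by exact name as far as I know, so it is worth confirming that this notification still resolves.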
@@ -14,7 +14,7 @@ # limitations under the License. - name: Gather variables for each operating system - include_vars: "{{ lookup('first_found', params) }}" + ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" vars: params: files: @@ -30,20 +30,20 @@ - always - name: Check for check/audit mode - command: /bin/true + ansible.builtin.command: /bin/true register: noop_result changed_when: false tags: - always - name: Check to see if we are booting with EFI or UEFI - set_fact: + ansible.builtin.set_fact: booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" tags: - always - name: Set facts - set_fact: + ansible.builtin.set_fact: check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved] linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}" grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" @@ -51,16 +51,15 @@ - always - name: Check if grub is present on the remote node - stat: + ansible.builtin.stat: path: "{{ grub_update_cmd.split(' ')[0] }}" register: grub_update_binary tags: - always - name: Importing STIG tasks - import_tasks: "{{ stig_version }}stig/main.yml" - + ansible.builtin.import_tasks: "{{ stig_version }}stig/main.yml" - name: Including contrib tasks - include_tasks: contrib/main.yml + ansible.builtin.include_tasks: contrib/main.yml when: - security_contrib_enabled | bool diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml index b145d65a..7da3b050 100644 --- a/tasks/rhel7stig/accounts.yml +++ b/tasks/rhel7stig/accounts.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: Check if /etc/security/pwquality.conf exists - stat: + ansible.builtin.stat: path: /etc/security/pwquality.conf check_mode: false register: pwquality_config_check 
@@ -22,7 +22,7 @@ - always - name: Set password quality requirements - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/pwquality.conf backup: true insertbefore: EOF @@ -45,7 +45,7 @@ - V-71935 - name: Check for SHA512 password storage in PAM - command: "grep pam_unix.so {{ pam_password_file }}" + ansible.builtin.command: "grep pam_unix.so {{ pam_password_file }}" register: password_sha512_check changed_when: false check_mode: false @@ -53,7 +53,7 @@ - always - name: Print warning if PAM is not using SHA512 for password storage - debug: + ansible.builtin.debug: msg: > PAM is not using SHA512 for password storage. This is a security issue. when: @@ -65,7 +65,7 @@ - V-71919 - name: Ensure libuser is storing passwords using SHA512 - ini_file: + community.general.ini_file: dest: /etc/libuser.conf section: defaults option: crypt_style @@ -84,7 +84,7 @@ # may be attached to a Kerberos realm and they may not have shadow data on the # system. See bug 1659232 for more details. - name: Set minimum password lifetime limit to 24 hours for interactive accounts - command: "chage -m 1 {{ item.name }}" + ansible.builtin.command: "chage -m 1 {{ item.name }}" changed_when: false when: - item.shadow is mapping @@ -101,7 +101,7 @@ # may be attached to a Kerberos realm and they may not have shadow data on the # system. See bug 1659232 for more details. - name: Set maximum password lifetime limit to 60 days for interactive accounts - command: "chage -M 60 {{ item.name }}" + ansible.builtin.command: "chage -M 60 {{ item.name }}" changed_when: false when: - item.shadow is mapping @@ -115,7 +115,7 @@ - V-71931 - name: Ensure that users cannot reuse one of their last 5 passwords - lineinfile: + ansible.builtin.lineinfile: dest: "{{ pam_password_file }}" regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$" line: "\\1 remember={{ security_password_remember_password }}" 
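Review bot: `community.general.ini_file` makes the libuser SHA512 task depend on the community.general collection, and `ansible.posix.sysctl` in tasks/rhel7stig/kernel.yml and `ansible.posix.selinux` in tasks/rhel7stig/lsm.yml likewise pull in ansible.posix; with an explicit FQCN the play fails to load when the collection is absent, where the short name previously resolved against whatever happened to be installed. The diffstat lists no meta/main.yml or requirements.yml change, so unless those collections are already declared elsewhere in the role the dependency is now implicit; declare them in the role's collection requirements alongside this change. Failing fast on a missing collection is preferable to the old implicit resolution, but the requirement should be stated so the hardening role does not stop at parse time on a minimal controller.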
@@ -129,7 +129,7 @@ - V-71933 - name: Ensure accounts are disabled if the password expires - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/useradd regexp: "^[#\\s]*INACTIVE" line: "INACTIVE=0" @@ -141,7 +141,7 @@ - V-71941 - name: Apply shadow-utils configurations - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: "^{{ item.parameter }}" line: "{{ item.parameter }} {{ item.value }}" @@ -161,7 +161,7 @@ - V-72013 - name: Print warning for groups in /etc/passwd that are not in /etc/group - debug: + ansible.builtin.debug: msg: > The following users have GIDs in /etc/passwd that do not exist in /etc/group: {{ hardening_user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }} @@ -185,7 +185,7 @@ - skip_ansible_lint - name: Print warnings for non-root users with UID 0 - fail: + ansible.builtin.fail: msg: | Only the 'root' user should have UID 0. Other users were found: {{ root_user_check.stdout_lines | join(', ') }}" @@ -197,7 +197,7 @@ - V-72005 - name: Print warning for local interactive users without a home directory assigned - debug: + ansible.builtin.debug: msg: | The following users do not have a home directory assigned: {{ hardening_user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }} @@ -210,7 +210,7 @@ - V-72011 - name: Check each user to see if its home directory exists on the filesystem - stat: + ansible.builtin.stat: path: "{{ item['dir'] }}" when: - item['dir'] | length > 0 @@ -222,7 +222,7 @@ - V-72015 - name: Print warning for users with an assigned home directory that does not exist - debug: + ansible.builtin.debug: msg: | These users have a home directory assigned, but the directory does not exist: {% for check in home_directory_checks.results %} 
@@ -238,7 +238,7 @@ - V-72015 - name: Use pwquality when passwords are changed or created - lineinfile: + ansible.builtin.lineinfile: dest: /etc/pam.d/passwd line: "password required pam_pwquality.so retry=3" state: present diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml index 4cf03833..3c64c570 100644 --- a/tasks/rhel7stig/aide.yml +++ b/tasks/rhel7stig/aide.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: Verify that AIDE configuration directory exists - stat: + ansible.builtin.stat: path: "{{ item }}" register: aide_conf check_mode: false @@ -25,7 +25,7 @@ - always - name: Exclude certain directories from AIDE - template: + ansible.builtin.template: src: ZZ_aide_exclusions.j2 dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions mode: "0644" @@ -39,7 +39,7 @@ # that meets the requirements of V-72069 and V-72071. That config # is borrowed for Ubuntu 16.04 here. - name: Configure AIDE to verify additional properties (Ubuntu) - blockinfile: + ansible.builtin.blockinfile: dest: "/etc/aide/aide.conf" insertbefore: EOF marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" @@ -69,7 +69,7 @@ # NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071. - name: Configure AIDE to verify additional properties (SUSE) - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/aide.conf" regexp: "(^Binlib.*= )" line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs" @@ -86,7 +86,7 @@ - V-72073 - name: Check to see if AIDE database is already in place - stat: + ansible.builtin.stat: path: "{{ aide_database_file }}" register: aide_database check_mode: false @@ -97,7 +97,7 @@ # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative # would be to use aideinit || aide -i but that will possibly mask # genuine aideinit failures. - shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi" + ansible.builtin.shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi" changed_when: false register: aide_init when: 
@@ -113,7 +113,7 @@ # copies the new AIDE database into place automatically with its AIDE wrapper # script. - name: Move AIDE database into place - command: "mv {{ aide_database_out_file }} {{ aide_database_file }}" + ansible.builtin.command: "mv {{ aide_database_out_file }} {{ aide_database_file }}" changed_when: false when: - aide_init is not skipped @@ -127,7 +127,7 @@ # package doesn't come with a cron job file. Ubuntu packages a cron job for # AIDE checks already. - name: Create AIDE cron job - cron: + ansible.builtin.cron: name: aide cron_file: aide user: root diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml index 16d36898..c8695442 100644 --- a/tasks/rhel7stig/apt.yml +++ b/tasks/rhel7stig/apt.yml @@ -14,13 +14,13 @@ # limitations under the License. - name: Ensure debsums is installed - apt: + ansible.builtin.apt: name: debsums state: present when: security_check_package_checksums | bool - name: Gather debsums report - shell: "debsums > {{ temp_dir }}/debsums.txt" + ansible.builtin.shell: "debsums > {{ temp_dir }}/debsums.txt" changed_when: false failed_when: false when: @@ -28,7 +28,7 @@ - not check_mode | bool - name: V-71855 - Get files with invalid checksums (apt) - shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe + ansible.builtin.shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" register: invalid_checksum_files changed_when: false when: @@ -40,7 +40,7 @@ - V-71855 - name: V-71855 - Create comma-separated list - set_fact: + ansible.builtin.set_fact: invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}" when: - security_check_package_checksums | bool 
@@ -51,7 +51,7 @@ - V-71855 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt) - debug: + ansible.builtin.debug: msg: > The following files have checksums that differ from the checksum provided with their package. Each of these should be verified manually to ensure @@ -68,14 +68,14 @@ # See the documentation for V-71977 for more details on this check. - name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ - command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/ + ansible.builtin.command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/ register: gpgcheck_result changed_when: false failed_when: false check_mode: false - name: V-71977 - Package management tool must verify authenticity of packages - debug: + ansible.builtin.debug: msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified." when: - security_enable_gpgcheck_packages | bool @@ -85,7 +85,7 @@ - V-71977 - name: V-71979 - Package management tool must verify authenticity of locally-installed packages - lineinfile: + ansible.builtin.lineinfile: dest: /etc/dpkg/dpkg.cfg regexp: "^(#)?no-debsig" line: "#no-debsig" @@ -97,7 +97,7 @@ - V-71979 - name: V-71987 - Clean requirements/dependencies when removing packages (dpkg) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/apt.conf.d/security-autoremove regexp: "^(#)?APT::Get::AutomaticRemove" line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";" @@ -113,7 +113,7 @@ - V-71987 - name: Enable automatic package updates (apt) - copy: + ansible.builtin.copy: src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades mode: "0644" diff --git a/tasks/rhel7stig/async_tasks.yml b/tasks/rhel7stig/async_tasks.yml index e161d249..1158583e 100644 --- a/tasks/rhel7stig/async_tasks.yml +++ b/tasks/rhel7stig/async_tasks.yml 
@@ -32,7 +32,7 @@ - skip_ansible_lint - name: Locate top level directories to check for .shosts - find: + ansible.builtin.find: paths: / file_type: directory register: shosts_dirs @@ -46,7 +46,7 @@ - V-72279 - name: Check for .shosts or shosts.equiv files - find: + ansible.builtin.find: paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}" recurse: true hidden: true diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml index b46dadb5..8aa44c53 100644 --- a/tasks/rhel7stig/auditd.yml +++ b/tasks/rhel7stig/auditd.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: Verify that auditd.conf exists - stat: + ansible.builtin.stat: path: /etc/audit/auditd.conf register: auditd_conf check_mode: false @@ -22,7 +22,7 @@ - always - name: Verify that audisp-remote.conf exists - stat: + ansible.builtin.stat: path: /etc/audisp/audisp-remote.conf register: audisp_remote_conf check_mode: false @@ -30,7 +30,7 @@ - always - name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audisp/audisp-remote.conf regexp: "^(#)?remote_server" line: "remote_server = {{ security_audisp_remote_server }}" @@ -45,7 +45,7 @@ - V-72083 - name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audisp/audisp-remote.conf regexp: "^(#)?enable_krb5" line: "enable_krb5 = yes" 
@@ -60,14 +60,14 @@ - V-72085 - name: Get valid system architectures for audit rules - set_fact: + ansible.builtin.set_fact: auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" check_mode: false tags: - always - name: Remove system default audit.rules file - file: + ansible.builtin.file: path: /etc/audit/rules.d/audit.rules state: absent when: @@ -78,7 +78,7 @@ - always - name: Remove old RHEL 6 audit rules file - file: + ansible.builtin.file: path: /etc/audit/rules.d/osas-auditd.rules state: absent when: @@ -89,7 +89,7 @@ - always - name: Deploy rules for auditd based on STIG requirements - template: + ansible.builtin.template: src: osas-auditd-rhel7.j2 dest: /etc/audit/rules.d/osas-auditd-rhel7.rules mode: "0644" @@ -155,7 +155,7 @@ - V-72081 - name: Adjust auditd/audispd configurations - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item.config }}" regexp: "^#?{{ item.parameter }}\\s*=" line: "{{ item.parameter }} = {{ item.value }}" @@ -174,7 +174,7 @@ - V-72093 - name: Ensure auditd is running and enabled at boot time - service: + ansible.builtin.service: name: auditd state: started enabled: true diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index b08967ac..b3d6a6e1 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -16,7 +16,7 @@ # NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in # microseconds. - name: Set pam_faildelay configuration on Ubuntu - lineinfile: + ansible.builtin.lineinfile: dest: /etc/pam.d/login regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$" line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}" @@ -31,7 +31,7 @@ - V-71951 - name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu) - lineinfile: + ansible.builtin.lineinfile: dest: "{{ pam_auth_file }}" state: present regexp: "^(.*)nullok_secure(.*)$" 
@@ -47,7 +47,7 @@ - V-71937 - name: Prevent users with blank or null passwords from authenticating (Red Hat) - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item[1] }}" state: present regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$" @@ -64,7 +64,7 @@ - V-71937 - name: Prevent users with blank or null passwords from authenticating (SUSE) - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" state: present regexp: "^(.*required.*)nullok(.*)$" @@ -83,7 +83,7 @@ - V-71937 - name: Lock accounts after three failed login attempts a 15 minute period - blockinfile: + ansible.builtin.blockinfile: dest: "{{ pam_password_file }}" state: present marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" @@ -106,7 +106,7 @@ # those lines that have a '#' as the first character or '#' as the first # character following a space (or series of spaces). - name: Check for 'nopasswd' in sudoers files - shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe + ansible.builtin.shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' register: sudoers_nopasswd_check changed_when: false when: @@ -132,7 +132,7 @@ - skip_ansible_lint - name: Check for '!authenticate' in sudoers files - shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found' + ansible.builtin.shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found' register: sudoers_authenticate_check changed_when: false tags: @@ -156,7 +156,7 @@ - skip_ansible_lint - name: Check if sssd.conf exists - stat: + ansible.builtin.stat: path: /etc/sssd/sssd.conf register: sssd_conf_check check_mode: false 
@@ -166,7 +166,7 @@ # NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task # should be skipped on those systems. - name: Check if GRUB2 custom file exists - stat: + ansible.builtin.stat: path: "{{ grub_custom_file }}" register: grub_custom_file_check check_mode: false @@ -176,7 +176,7 @@ - name: Set a GRUB 2 password for single-user/maintenance modes block: - name: Define password options for grub - blockinfile: + ansible.builtin.blockinfile: path: "{{ grub_custom_file }}" insertbefore: EOF marker: "# {mark} MANAGED BY ANSIBLE-HARDENING" @@ -187,7 +187,7 @@ notify: - Update grub config - name: Set CLASS for grub file - lineinfile: + ansible.builtin.lineinfile: path: "{{ grub_linux_file }}" regexp: "^CLASS=.*" line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"' @@ -205,7 +205,7 @@ - V-71963 - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. - blockinfile: + ansible.builtin.blockinfile: dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf create: true mode: "0644" @@ -221,7 +221,7 @@ - V-72217 - name: Check for pam_lastlog in PAM configuration - command: "grep pam_lastlog {{ pam_postlogin_file }}" + ansible.builtin.command: "grep pam_lastlog {{ pam_postlogin_file }}" register: pam_lastlog_check changed_when: false failed_when: false @@ -230,7 +230,7 @@ - always - name: V-72275 - Display date/time of last logon after logon - debug: + ansible.builtin.debug: msg: > The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}. This is required by V-72275. @@ -242,7 +242,7 @@ - V-72275 - name: Ensure .shosts find has finished - async_status: + ansible.builtin.async_status: jid: "{{ shosts_find.ansible_job_id }}" failed_when: false changed_when: false @@ -258,7 +258,7 @@ - V-72279 - name: Remove .shosts or shosts.equiv files - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ job_result.files }}" 
diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml index 072b1026..5130caf9 100644 --- a/tasks/rhel7stig/dnf.yml +++ b/tasks/rhel7stig/dnf.yml @@ -14,10 +14,10 @@ # limitations under the License. - name: Including rpm tasks - include_tasks: rpm.yml + ansible.builtin.include_tasks: rpm.yml - name: Check if /etc/dnf/automatic.conf exists - stat: + ansible.builtin.stat: path: /etc/dnf/automatic.conf check_mode: false register: dnf_automatic_config_check @@ -28,7 +28,7 @@ - always - name: Enable automatic package updates (dnf) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/dnf/automatic.conf regexp: "^apply_updates" line: "apply_updates = yes" @@ -77,7 +77,7 @@ - skip_ansible_lint - name: Enable dnf automatic timer for automatic package updates - systemd: + ansible.builtin.systemd: name: "{{ dnf_automatic_timer }}" enabled: true state: started diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml index 826a3417..41074fa1 100644 --- a/tasks/rhel7stig/file_perms.yml +++ b/tasks/rhel7stig/file_perms.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: V-71849 - Get packages with incorrect file permissions or ownership - shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe + ansible.builtin.shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" register: rpmverify_package_list changed_when: false when: @@ -47,7 +47,7 @@ - skip_ansible_lint - name: Search for files/directories with an invalid owner - command: find / -xdev -nouser -fstype local # noqa: command-instead-of-module + ansible.builtin.command: find / -xdev -nouser -fstype local register: invalid_owner_files changed_when: false when: @@ -56,7 +56,7 @@ - always - name: V-72007 - All files and directories must have a valid owner. - debug: + ansible.builtin.debug: msg: | Files and directories were found that are owned by an invalid user: {{ invalid_owner_files.stdout_lines | join('\n') }} 
@@ -70,7 +70,7 @@ - V-72007 - name: Search for files/directories with an invalid group owner - command: find / -xdev -nogroup -fstype local # noqa: command-instead-of-module + ansible.builtin.command: find / -xdev -nogroup -fstype local register: invalid_group_owner_files changed_when: false when: @@ -79,7 +79,7 @@ - always - name: V-72009 - All files and directories must have a valid group owner. - debug: + ansible.builtin.debug: msg: | Files and directories were found that are owned by an invalid group: {{ invalid_group_owner_files.stdout_lines | join('\n') }} @@ -93,7 +93,7 @@ - V-72009 - name: Set proper owner, group owner, and permissions on home directories - file: + ansible.builtin.file: dest: "{{ item.dir }}" owner: "{{ item.name }}" group: "{{ item.group.name }}" @@ -111,7 +111,7 @@ - V-72021 - name: Find all world-writable directories - shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe + ansible.builtin.shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" register: world_writable_dirs changed_when: false failed_when: false @@ -122,7 +122,7 @@ - always - name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group. - debug: + ansible.builtin.debug: msg: | The group owners on the following world-writable directories should be examined: {{ world_writable_dirs.stdout }} @@ -135,14 +135,14 @@ - V-72047 - name: Check if /etc/cron.allow exists - stat: + ansible.builtin.stat: path: /etc/cron.allow register: cron_allow_check tags: - always - name: Set owner/group owner on /etc/cron.allow - file: + ansible.builtin.file: path: /etc/cron.allow owner: root group: root diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml index 1c8a2392..db5f8e85 100644 --- a/tasks/rhel7stig/graphical.yml +++ b/tasks/rhel7stig/graphical.yml 
@@ -14,13 +14,13 @@ # limitations under the License. - name: Check if gdm is installed and configured - stat: + ansible.builtin.stat: path: /etc/gdm/custom.conf register: gdm_conf_check check_mode: false - name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface - lineinfile: + ansible.builtin.lineinfile: dest: /etc/gdm/custom.conf line: "^AutomaticLoginEnable=true" state: absent @@ -33,7 +33,7 @@ - V-71953 - name: V-71955 - The operating system must not allow guest logon to the system. - lineinfile: + ansible.builtin.lineinfile: dest: /etc/gdm/custom.conf line: "^TimedLoginEnable=true" state: absent @@ -46,14 +46,14 @@ - V-71955 - name: Check for dconf profiles - stat: + ansible.builtin.stat: path: /etc/dconf/profile register: dconf_check tags: - always - name: Create a user profile in dconf - copy: + ansible.builtin.copy: src: dconf-user-profile dest: /etc/dconf/profile/user mode: "0644" @@ -67,7 +67,7 @@ - V-71901 - name: Create dconf directories - file: + ansible.builtin.file: path: "{{ item }}" state: directory mode: "0755" @@ -86,7 +86,7 @@ - V-71901 - name: Configure graphical session locking - template: + ansible.builtin.template: src: dconf-screensaver-lock.j2 dest: /etc/dconf/db/local.d/00-screensaver mode: "0644" @@ -102,7 +102,7 @@ - V-71901 - name: Prevent users from changing graphical session locking configurations - template: + ansible.builtin.template: src: dconf-session-user-config-lockout.j2 dest: /etc/dconf/db/local.d/locks/session mode: "0644" @@ -118,7 +118,7 @@ - V-71901 - name: Create a GDM profile for displaying a login banner - copy: + ansible.builtin.copy: src: dconf-profile-gdm dest: /etc/dconf/profile/gdm mode: "0644" @@ -132,7 +132,7 @@ - V-71859 - name: Create a GDM keyfile for machine-wide settings - template: + ansible.builtin.template: src: dconf-gdm-banner-message.j2 dest: "{{ item }}" mode: "0644" 
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml index f463d28b..ea0ac7b7 100644 --- a/tasks/rhel7stig/kernel.yml +++ b/tasks/rhel7stig/kernel.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: V-71983 - USB mass storage must be disabled. - lineinfile: + ansible.builtin.lineinfile: dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf line: install usb-storage /bin/true create: true @@ -27,7 +27,7 @@ - V-71983 - name: Set sysctl configurations - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" state: "{{ item.enabled | ternary('present', 'absent') }}" @@ -51,7 +51,7 @@ - C-00001 - name: Check kdump service - command: systemctl status kdump # noqa: command-instead-of-module + ansible.builtin.command: systemctl status kdump register: kdump_service_check failed_when: kdump_service_check.rc not in [0,3,4] changed_when: false @@ -62,7 +62,7 @@ - V-72057 - name: V-72057 - Kernel core dumps must be disabled unless needed. - service: + ansible.builtin.service: name: kdump state: stopped enabled: false @@ -75,7 +75,7 @@ - V-72057 - name: Check if FIPS is enabled - command: cat /proc/sys/crypto/fips_enabled + ansible.builtin.command: cat /proc/sys/crypto/fips_enabled register: fips_check changed_when: false failed_when: false @@ -86,7 +86,7 @@ - always - name: Print a warning if FIPS isn't enabled - debug: + ansible.builtin.debug: msg: > FIPS is not enabled at boot time on this server. The STIG requires FIPS to be enabled at boot time. @@ -100,7 +100,7 @@ - V-72067 - name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled - copy: + ansible.builtin.copy: src: ansible-hardening-disable-dccp.conf dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf mode: "0644" diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml index c48011ba..61ded96f 100644 --- a/tasks/rhel7stig/lsm.yml +++ b/tasks/rhel7stig/lsm.yml 
@@ -14,7 +14,7 @@ # limitations under the License. - name: Check apparmor_status output - command: apparmor_status + ansible.builtin.command: apparmor_status register: apparmor_status_output check_mode: false changed_when: false @@ -32,7 +32,7 @@ # started apparmor each time. This breaks idempotency and we check # systemd's status directly as an alternative. - name: Check if apparmor is running - command: "systemctl status apparmor" # noqa: command-instead-of-module + ansible.builtin.command: "systemctl status apparmor" register: systemctl_apparmor_status check_mode: false changed_when: false @@ -45,7 +45,7 @@ - V-71989 - name: Ensure AppArmor is enabled at boot time - service: + ansible.builtin.service: name: apparmor enabled: true when: @@ -60,7 +60,7 @@ # unit will always say AppArmor is dead. This means that the following task # will always start the unit every time it runs (which breaks idempotency). - name: Ensure AppArmor is running - service: + ansible.builtin.service: name: apparmor state: started changed_when: @@ -79,7 +79,7 @@ # to switch to permissive/enforcing in an online way when SELinux is completely # disabled at boot time. - name: Ensure SELinux is in enforcing mode on the next reboot - selinux: + ansible.posix.selinux: state: enforcing policy: targeted register: selinux_status_change @@ -93,7 +93,7 @@ - V-71991 - name: Relabel files on next boot if SELinux mode changed - file: + ansible.builtin.file: path: /.autorelabel state: touch mode: "0644" @@ -109,7 +109,7 @@ # NOTE(mhayden): Ansible's find module doesn't support searching for files # based on SELinux contexts yet. - name: Check for unlabeled device files - command: "find /dev -context '*unlabeled_t*'" + ansible.builtin.command: "find /dev -context '*unlabeled_t*'" register: unlabeled_devices changed_when: false check_mode: false 
@@ -122,7 +122,7 @@ - V-72039 - name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification. - debug: + ansible.builtin.debug: msg: | Devices were found without SELinux labels: {% for device in unlabeled_devices.stdout_lines %} diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index d9e29113..3c8f86f5 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: Create temporary directory to hold any temporary files - tempfile: + ansible.builtin.tempfile: state: directory suffix: hardening register: mktemp_result @@ -24,7 +24,7 @@ - always - name: Set a fact for the temporary directory - set_fact: + ansible.builtin.set_fact: temp_dir: "{{ mktemp_result.path }}" changed_when: false when: @@ -35,8 +35,7 @@ # Some of the tasks in the role may take a long time to run. Let's start them # as early as possible so they have time to finish. - name: Importing async_tasks tasks - import_tasks: async_tasks.yml - + ansible.builtin.import_tasks: async_tasks.yml - name: Get user data for all users on the system get_users: min_uid: 0 @@ -56,7 +55,7 @@ # NOTE(mhayden): EPEL is only needed for the clamav packages. We should only # install EPEL if the deployer asked for clamav to be installed. - name: Install EPEL repository - yum: + ansible.builtin.dnf: name: "{{ security_epel_release_package }}" state: "{{ security_package_state }}" when: 
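Review bot: `yum:` → `ansible.builtin.dnf:` in the Install EPEL repository task is a module swap rather than an FQCN rewrite, and the commit message does not mention it; the same file still dispatches on `ansible_facts['pkg_mgr']` to include yum.yml or dnf.yml, so a host whose package manager is yum would now run the dnf module for this one task, which presumably needs the dnf Python bindings on the target (confirm against the supported platforms). If the swap is intentional because `ansible.builtin.yum` is no longer available in the targeted ansible-core, say so in the commit message, and consider letting the module choice follow the pkg_mgr fact, e.g. `ansible.builtin.package:` for a plain install with the same `name`/`state` arguments. The Importing async_tasks tasks hunk also drops the blank line between that task and Get user data, as the tasks/main.yml hunk does between Importing STIG tasks and Including contrib tasks; restoring the separator keeps the task list readable.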
@@ -69,43 +68,43 @@ # Package installations and removals must come first so that configuration # changes can be made later. - name: Importing packages tasks - import_tasks: packages.yml + ansible.builtin.import_tasks: packages.yml tags: - always # Package managers are managed first since the changes in these tasks will # affect the remainder of the tasks in the role. - name: Including OS-specific tasks - include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" + ansible.builtin.include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" # The bulk of the security changes are applied in these tasks. The tasks in # each file are tagged with the same name (for example, tasks in `auth.yml` # are tagged with `auth`). Also, the tag name matches up with the "STIG # Controls by Tag" section of the role documentation. - name: Importing accounts tasks - import_tasks: accounts.yml + ansible.builtin.import_tasks: accounts.yml - name: Importing aide tasks - import_tasks: aide.yml + ansible.builtin.import_tasks: aide.yml when: security_rhel7_enable_aide | bool - name: Importing auditd tasks - import_tasks: auditd.yml + ansible.builtin.import_tasks: auditd.yml - name: Importing auth tasks - import_tasks: auth.yml + ansible.builtin.import_tasks: auth.yml - name: Importing file_perms tasks - import_tasks: file_perms.yml + ansible.builtin.import_tasks: file_perms.yml - name: Importing graphical tasks - import_tasks: graphical.yml + ansible.builtin.import_tasks: graphical.yml - name: Importing kernel tasks - import_tasks: kernel.yml + ansible.builtin.import_tasks: kernel.yml - name: Importing lsm tasks - import_tasks: lsm.yml + ansible.builtin.import_tasks: lsm.yml - name: Importing misc tasks - import_tasks: misc.yml + ansible.builtin.import_tasks: misc.yml - name: Importing sshd tasks - import_tasks: sshd.yml + ansible.builtin.import_tasks: sshd.yml - name: Remove the temporary directory - file: + ansible.builtin.file: path: "{{ temp_dir }}" state: absent changed_when: false 
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index e7b53d89..8b4cd449 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -14,7 +14,7 @@ # limitations under the License. - name: Check autofs service - command: systemctl status autofs # noqa: command-instead-of-module + ansible.builtin.command: systemctl status autofs # noqa: command-instead-of-module register: autofs_check failed_when: autofs_check.rc not in [0,3,4] changed_when: false
@@ -23,7 +23,7 @@ - always - name: V-71985 - File system automounter must be disabled unless required. - service: + ansible.builtin.service: name: autofs state: stopped enabled: false
@@ -39,7 +39,7 @@ # https://github.com/ansible/ansible/issues/68680 # This returns an exit code of 0 if it's running, 3 if it's masked. - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target enabled: false when:
@@ -50,7 +50,7 @@ - V-71993 - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target masked: true daemon_reload: true
@@ -62,7 +62,7 @@ - V-71993 - name: Check for /home on mounted filesystem - debug: + ansible.builtin.debug: msg: | The STIG requires that /home is on its own filesystem, but this system does not appear to be following the requirement.
@@ -74,7 +74,7 @@ - V-72059 - name: Check for /var on mounted filesystem - debug: + ansible.builtin.debug: msg: | The STIG requires that /var is on its own filesystem, but this system does not appear to be following the requirement.
@@ -86,7 +86,7 @@ - V-72067 - name: Check for /var/log/audit on mounted filesystem - debug: + ansible.builtin.debug: msg: | The STIG requires that /var/log/audit is on its own filesystem, but this system does not appear to be following the requirement.
@@ -98,7 +98,7 @@ - V-72063 - name: Check for /tmp on mounted filesystem - debug: + ansible.builtin.debug: msg: | The STIG requires that /tmp is on its own filesystem, but this system does not appear to be following the requirement.
@@ -110,7 +110,7 @@ - V-72065 - name: Check if syslog output is being sent to another server - command: 'grep "^[^#].*@" /etc/rsyslog.conf' + ansible.builtin.command: 'grep "^[^#].*@" /etc/rsyslog.conf' register: rsyslog_transmit_check changed_when: false failed_when: false
@@ -119,7 +119,7 @@ - always - name: V-72209 - The system must send rsyslog output to a log aggregation server. - debug: + ansible.builtin.debug: msg: Output from syslog must be sent to another server. when: - rsyslog_transmit_check is defined
@@ -130,7 +130,7 @@ - V-72209 - name: Check if ClamAV is installed - stat: + ansible.builtin.stat: path: /usr/bin/clamdscan register: clamav_install_check changed_when: false
@@ -138,7 +138,7 @@ - always - name: Remove 'Example' line from ClamAV configuration files - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: "^Example" state: absent
@@ -156,7 +156,7 @@ - V-72213 - name: Set ClamAV server type as socket - lineinfile: + ansible.builtin.lineinfile: dest: /etc/clamd.d/scan.conf regexp: "^(#)?LocalSocket (.*)$" line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
@@ -172,7 +172,7 @@ - V-72213 - name: Ensure ClamAV socket directory exists - file: + ansible.builtin.file: path: "{{ clamav_service_details['socket_path'] | dirname }}" owner: "{{ clamav_service_details['user'] }}" group: "{{ clamav_service_details['group'] }}"
@@ -188,7 +188,7 @@ - V-72213 - name: Allow automatic freshclam updates - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/freshclam regexp: "^FRESHCLAM_DELAY" state: absent
@@ -203,7 +203,7 @@ - V-72213 - name: Check if ClamAV update process is already running - shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q" + ansible.builtin.shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q" register: freshclam_proc changed_when: false failed_when: false
@@ -212,7 +212,7 @@ - always - name: Update ClamAV database - command: freshclam + ansible.builtin.command: freshclam changed_when: false when: - freshclam_proc.rc != 0
@@ -226,7 +226,7 @@ - V-72213 - name: Ensure ClamAV is running - service: + ansible.builtin.service: name: "{{ clamav_service }}" state: started enabled: true
@@ -243,7 +243,7 @@ # errors on the command prompt. See LP bug 1736702. # TODO(mhayden): Remove this task when the Rocky release is in development. - name: Remove old config block for V-72223 from openstack-ansible-security - blockinfile: + ansible.builtin.blockinfile: dest: /etc/profile state: absent insertbefore: EOF
@@ -254,7 +254,7 @@ - V-72223 - name: V-72223 - Set 10 minute timeout on communication sessions - blockinfile: + ansible.builtin.blockinfile: dest: /etc/profile state: present insertbefore: EOF
@@ -270,7 +270,7 @@ - V-72223 - name: Start and enable chrony - service: + ansible.builtin.service: name: "{{ chrony_service }}" state: started enabled: true
@@ -283,14 +283,14 @@ - V-72269 - name: Check if chrony configuration file exists - stat: + ansible.builtin.stat: path: "{{ chrony_conf_file }}" register: chrony_conf_check tags: - always - name: V-72269 - Synchronize system clock (configuration file) - template: + ansible.builtin.template: src: chrony.conf.j2 dest: "{{ chrony_conf_file }}" mode: "0644"
@@ -306,7 +306,7 @@ # Returns 0 if installed, 3 if not installed - name: Check firewalld status - command: systemctl status firewalld # noqa: command-instead-of-module + ansible.builtin.command: systemctl status firewalld register: firewalld_status_check failed_when: firewalld_status_check.rc not in [0,3,4] changed_when: false
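Review bot: `set -o pipefail` in the freshclam check (@@ -203 hunk) is not guaranteed by every /bin/sh, and ansible.builtin.shell runs /bin/sh unless the task sets `args: executable: /bin/bash`, which is not visible inside this hunk. On a target whose sh rejects that option the command errors before `ps` runs, `failed_when: false` hides the error, and the following task (@@ -212) then runs `freshclam` because `freshclam_proc.rc != 0`, even when an update is already in progress; the promiscuous-mode check at @@ -367 has the same shape. If no executable is set below the hunk, add `args:` / `executable: /bin/bash` to both shell tasks, or make the follow-up condition distinguish "no process found" from "command failed". The task's tags continue outside the hunk.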
@@ -315,7 +315,7 @@ - always - name: Ensure firewalld is running and enabled - service: + ansible.builtin.service: name: firewalld state: started enabled: true
@@ -328,7 +328,7 @@ - V-72273 - name: Limit new TCP connections to 25/minute and allow bursting to 100 - command: >- + ansible.builtin.command: >- firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT register: add_rate_limit_firewalld_rule
@@ -354,7 +354,7 @@ - skip_ansible_lint - name: V-72281 - For systems using DNS resolution, at least two name servers must be configured. - debug: + ansible.builtin.debug: msg: | Two or more nameservers must be configured in /etc/resolv.conf. Nameservers found: {{ nameserver_check.stdout_lines | length }}
@@ -367,7 +367,7 @@ - V-72281 - name: Check for interfaces in promiscuous mode - shell: "set -o pipefail; ip link | grep -i promisc" + ansible.builtin.shell: "set -o pipefail; ip link | grep -i promisc" register: promiscuous_interface_check changed_when: false failed_when: false
@@ -376,7 +376,7 @@ - always - name: V-72295 - Network interfaces must not be in promiscuous mode. - debug: + ansible.builtin.debug: msg: > One or more network interfaces were found to be in promiscuous mode. Review all interfaces and disable promiscuous mode.
@@ -388,14 +388,14 @@ - V-72295 - name: Check for postfix configuration file - stat: + ansible.builtin.stat: path: /etc/postfix/main.cf register: postfix_conf_check tags: - always - name: V-72297 - Prevent unrestricted mail relaying - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf regexp: "^smtpd_client_restrictions" line: "smtpd_client_restrictions = permit_mynetworks, reject"
@@ -408,7 +408,7 @@ - V-72297 - name: Check for TFTP server configuration file - stat: + ansible.builtin.stat: path: /etc/xinetd.d/tftp register: tftp_config_check check_mode: false
@@ -416,7 +416,7 @@ - always - name: Check TFTP configuration mode - command: "grep server_args /etc/xinetd.d/tftp" + ansible.builtin.command: "grep server_args /etc/xinetd.d/tftp" register: tftp_secure_check changed_when: false failed_when: false
@@ -427,7 +427,7 @@ - always - name: V-72305 - TFTP must be configured to operate in secure mode - debug: + ansible.builtin.debug: msg: TFTP must be configured to run in secure mode with the '-s' flag. when: - tftp_config_check.stat.exists
@@ -438,7 +438,7 @@ - V-72305 - name: Check to see if snmpd config contains public/private - command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf' + ansible.builtin.command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf' register: snmp_public_private_check changed_when: false failed_when: false
@@ -447,7 +447,7 @@ - always - name: V-72313 - Change SNMP community strings from default. - debug: + ansible.builtin.debug: msg: > Change the SNMP community strings from the defaults of 'public' and 'private' to meet the requirements of V-72313.
diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml
index e3bd6c14..dad65be9 100644
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
@@ -14,7 +14,7 @@ # limitations under the License. - name: Add packages based on STIG requirements - package: + ansible.builtin.package: name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}" state: "{{ item }}" with_items:
@@ -35,7 +35,7 @@ - V-72307 - name: Remove packages based on STIG requirements - package: + ansible.builtin.package: name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}" state: "{{ item }}" with_items:
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
index 0d8059b0..738d1c33 100644
--- a/tasks/rhel7stig/rpm.yml
+++ b/tasks/rhel7stig/rpm.yml
@@ -14,7 +14,7 @@ # limitations under the License. - name: Ensure RPM verification task has finished - async_status: + ansible.builtin.async_status: jid: "{{ rpmverify_task.ansible_job_id }}" failed_when: false changed_when: false
@@ -30,7 +30,7 @@ - V-71855 - name: V-71855 - Get files with invalid checksums (rpm) - shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe + ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" register: invalid_checksum_files changed_when: false when:
@@ -43,7 +43,7 @@ - V-71855 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm) - debug: + ansible.builtin.debug: msg: | The following files have checksums that differ from the checksum provided with their package. Each of these should be verified manually to ensure
@@ -64,7 +64,7 @@ - V-71855 - name: V-71977 - Require digital signatures for all packages - lineinfile: + ansible.builtin.lineinfile: dest: "{{ pkg_mgr_config }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}"
@@ -78,7 +78,7 @@ - V-71981 - name: V-71987 - Clean requirements/dependencies when removing packages (RedHat) - lineinfile: + ansible.builtin.lineinfile: dest: "{{ pkg_mgr_config }}" regexp: "^(#)?clean_requirements_on_remove" line: "clean_requirements_on_remove=1"
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index dcadace8..59e8f91f 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -14,7 +14,7 @@ # limitations under the License. - name: Copy login warning banner - copy: + ansible.builtin.copy: content: "{{ security_login_banner_text }}" dest: "{{ security_sshd_banner_file }}" owner: root
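Review bot: The `# noqa risky-shell-pipe` marker is dropped from the `grep '^..5' … | awk` pipeline in the rpm.yml @@ -30 hunk while the pipeline itself is unchanged and still has no `set -o pipefail`, so the rule fires again on the next lint run; zypper.yml @@ -31 has the identical change. The suppression looks deliberate: with pipefail, a grep that matches nothing exits 1 and would fail the task, whereas an empty `invalid_checksum_files` is the expected result on a clean system. Either restore the marker, `ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa: risky-shell-pipe`, or add pipefail together with a `failed_when` that tolerates rc 1 so the verification result is not silently lost. The task's when: clause continues outside the hunk.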
@@ -27,7 +27,7 @@ - V-72225 - name: Drop options from SSH config that we manage - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config state: absent regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"
@@ -59,7 +59,7 @@ - V-72263 - name: Adjust ssh server configuration based on STIG requirements - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config state: present marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -97,7 +97,7 @@ - V-72263 - name: Ensure sshd is enabled at boot time - service: + ansible.builtin.service: name: "{{ ssh_service }}" enabled: true when:
@@ -108,7 +108,7 @@ - V-72235 - name: Determine existing public ssh host keys - shell: ls /etc/ssh/*.pub + ansible.builtin.shell: ls /etc/ssh/*.pub register: public_ssh_host_keys # The shell command will always report 'changed' so we need to # ignore that since this role is supposed to be idempotent.
@@ -118,7 +118,7 @@ - always - name: Public host key files must have mode 0644 or less - file: + ansible.builtin.file: path: "{{ item }}" mode: "u-xX,g-wxs,o-wxt" with_items:
@@ -129,7 +129,7 @@ - V-72255 - name: Determine existing private ssh host keys - shell: ls /etc/ssh/*_key + ansible.builtin.shell: ls /etc/ssh/*_key register: private_ssh_host_keys # The shell command will always report 'changed' so we need to # ignore that since this role is supposed to be idempotent
@@ -139,7 +139,7 @@ - always - name: Private host key files must have mode 0600 or less - file: + ansible.builtin.file: path: "{{ item }}" mode: "u-xX,g-rwxs,o-rwxt" with_items:
@@ -150,7 +150,7 @@ - V-72257 - name: Manage motd in pam.d - replace: + ansible.builtin.replace: path: /etc/pam.d/sshd regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$" replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml
index 0fc39c92..9f4b50a1 100644
--- a/tasks/rhel7stig/yum.yml
+++ b/tasks/rhel7stig/yum.yml
@@ -14,10 +14,10 @@ # limitations under the License. - name: Including rpm tasks - include_tasks: rpm.yml + ansible.builtin.include_tasks: rpm.yml - name: Check if /etc/yum/yum-cron.conf exists - stat: + ansible.builtin.stat: path: /etc/yum/yum-cron.conf check_mode: false register: yum_cron_config_check
@@ -27,7 +27,7 @@ - always - name: Enable automatic package updates (yum) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/yum/yum-cron.conf regexp: "^apply_updates" line: "apply_updates = yes"
diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml
index 487645ea..8dba26b6 100644
--- a/tasks/rhel7stig/zypper.yml
+++ b/tasks/rhel7stig/zypper.yml
@@ -15,7 +15,7 @@ # limitations under the License. - name: Ensure RPM verification task has finished - async_status: + ansible.builtin.async_status: jid: "{{ rpmverify_task.ansible_job_id }}" failed_when: false changed_when: false
@@ -31,7 +31,7 @@ - V-71855 - name: V-71855 - Get files with invalid checksums (rpm) - shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe + ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" register: invalid_checksum_files changed_when: false when:
@@ -43,7 +43,7 @@ - V-71855 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm) - debug: + ansible.builtin.debug: msg: | The following files have checksums that differ from the checksum provided with their package. Each of these should be verified manually to ensure
@@ -63,12 +63,12 @@ - V-71855 - name: Determine all SUSE repositories - shell: ls /etc/zypp/repos.d/*.repo + ansible.builtin.shell: ls /etc/zypp/repos.d/*.repo changed_when: false register: all_zypper_repositories - name: V-71977 - Require digital signatures for all packages and repositories - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: "^(#)?\\s*gpgcheck" line: "gpgcheck=1"
@@ -84,7 +84,7 @@ - V-71981 - name: V-71987 - Clean requirements/dependencies when removing packages (SUSE) - lineinfile: + ansible.builtin.lineinfile: dest: "{{ pkg_mgr_config }}" regexp: "^(#)?\\s*solver\\.cleandepsOnRemove" line: "solver.cleandepsOnRemove = true"
@@ -97,7 +97,7 @@ - V-71987 - name: Enable automatic package updates (SUSE) - copy: + ansible.builtin.copy: src: zypper-autoupdates dest: /etc/cron.daily/zypper-autoupdates mode: "0750"