openstack/ansible-hardening
Code Issues Proposed changes

Merge "Securing sysctl configurations"

Browse Source
This commit is contained in:
Jenkins 2016-11-18 18:21:57 +00:00 committed by Gerrit Code Review
commit fa92539798
5 changed files with 89 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
defaults/main.yml
View File

@ -506,3 +506,16 @@ security_sshd_enable_privilege_separation: yes # RHEL-07-040690
security_sshd_enable_strict_modes: yes # RHEL-07-040680 security_sshd_enable_strict_modes: yes # RHEL-07-040680
# Disallow Kerberos authentication. # Disallow Kerberos authentication.
security_sshd_disable_kerberos_auth: yes # RHEL-07-040670 security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
## sysctl settings (kernel)
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
# immediately and by default on new interfaces.
security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
# new interfaces.
security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
# Disallow IP forwarding.
security_disallow_ip_forwarding: no # RHEL-07-040730

5
tasks/main.yml
View File

@ -24,6 +24,11 @@
tags: tags:
- always - always
- name: Gather additional variables about sysctl settings
include_vars: sysctl.yml
tags:
- always
- name: Check for check/audit mode - name: Check for check/audit mode
command: /bin/true command: /bin/true
register: noop_result register: noop_result

33
tasks/rhel7stig/kernel.yml Normal file
View File

@ -0,0 +1,33 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Set sysctl configurations
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: "{{ item.enabled | ternary('present', 'absent') }}"
reload: yes
with_items: "{{ sysctl_settings_rhel7 }}"
tags:
- medium
- kernel
- RHEL-07-040350
- RHEL-07-040351
- RHEL-07-040380
- RHEL-07-040410
- RHEL-07-040420
- RHEL-07-040421
- RHEL-07-040730
- RHEL-07-040860

1
tasks/rhel7stig/main.yml
View File

@ -47,6 +47,7 @@
- include: auth.yml - include: auth.yml
- include: file_perms.yml - include: file_perms.yml
- include: graphical.yml - include: graphical.yml
- include: kernel.yml
- include: misc.yml - include: misc.yml
- include: sshd.yml - include: sshd.yml

37
vars/sysctl.yml Normal file
View File

@ -0,0 +1,37 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
sysctl_settings_rhel7:
- name: net.ipv4.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- name: net.ipv4.conf.all.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.conf.default.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.ip_forward
value: 0
enabled: "{{ security_disallow_ip_forwarding | bool }}"
- name: net.ipv6.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"