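---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Miscellaneous RHEL 7 STIG controls: automounter, Ctrl-Alt-Delete, separate
# filesystems, rsyslog forwarding, ClamAV, session timeout, chrony, firewalld,
# DNS resolvers, promiscuous interfaces, postfix relaying, TFTP and SNMP.
# Tasks tagged `always` only observe the host (status/stat/grep); each one
# registers a fact that gates the remediation or advisory task following it.

- name: Check autofs service
  command: systemctl status autofs
  register: autofs_check
  # 0 = running, 3 = not active, 4 = no such unit; anything else is an error.
  failed_when: autofs_check.rc not in [0,3,4]
  changed_when: false
  check_mode: false
  tags:
    - always

- name: V-71985 - File system automounter must be disabled unless required.
  service:
    name: autofs
    state: stopped
    enabled: false
  # Only touch the unit when the status check found it present and active.
  when:
    - autofs_check.rc not in [3,4]
    - security_rhel7_disable_autofs | bool
  tags:
    - medium
    - misc
    - V-71985

# This returns an exit code of 0 if it's running, 3 if it's masked.
- name: Check if ctrl-alt-del.target is already masked
  command: systemctl status ctrl-alt-del.target
  register: cad_mask_check
  check_mode: false
  changed_when: false
  failed_when: cad_mask_check.rc not in [0,3]
  tags:
    - always

- name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  command: systemctl mask ctrl-alt-del.target
  # Skipped when the target is already masked (rc 3) so the task stays idempotent.
  when:
    - security_rhel7_disable_ctrl_alt_delete | bool
    - cad_mask_check.rc != 3
  notify:
    - reload systemd
  tags:
    - high
    - misc
    - V-71993

# The four filesystem checks below are advisory only: they look for a mount
# point in ansible_mounts and print a message when none is found.
- name: Check for /home on mounted filesystem
  debug:
    msg: |
      The STIG requires that /home is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0
  tags:
    - low
    - misc
    - V-72059

- name: Check for /var on mounted filesystem
  debug:
    msg: |
      The STIG requires that /var is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
  tags:
    - low
    - misc
    - V-72067

- name: Check for /var/log/audit on mounted filesystem
  debug:
    msg: |
      The STIG requires that /var/log/audit is on its own filesystem, but this
      system does not appear to be following the requirement.
  when:
    - ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
  tags:
    - low
    - misc
    - V-72063

- name: Check for /tmp on mounted filesystem
  debug:
    msg: |
      The STIG requires that /tmp is on its own filesystem, but this system
      does not appear to be following the requirement.
  when:
    - ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0
  tags:
    - low
    - misc
    - V-72065

# Looks for an uncommented line containing '@' (a remote target) in the main
# rsyslog configuration.
# NOTE(review): only /etc/rsyslog.conf is inspected; a forwarding rule placed
# under /etc/rsyslog.d/ would still be reported as missing by the next task.
- name: Check if syslog output is being sent to another server
  command: 'grep "^[^#].*@" /etc/rsyslog.conf'
  register: rsyslog_transmit_check
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - always

- name: V-72209 - The system must send rsyslog output to a log aggregation server.
  debug:
    msg: Output from syslog must be sent to another server.
  when:
    - rsyslog_transmit_check is defined
    - rsyslog_transmit_check.rc != 0
  tags:
    - medium
    - misc
    - V-72209

# Presence of the clamdscan binary is used as the "ClamAV installed" signal
# for every ClamAV task below.
- name: Check if ClamAV is installed
  stat:
    path: /usr/bin/clamdscan
  register: clamav_install_check
  changed_when: false
  tags:
    - always

# The stock ClamAV configs ship with a bare "Example" line that makes the
# daemons refuse to start until it is removed.
- name: Remove 'Example' line from ClamAV configuration files
  lineinfile:
    dest: "{{ item }}"
    regexp: "^Example"
    state: absent
  with_items:
    - /etc/freshclam.conf
    - /etc/clamd.d/scan.conf
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - V-72213

# Uncomments the LocalSocket directive, keeping whatever path follows it.
- name: Set ClamAV server type as socket
  lineinfile:
    dest: /etc/clamd.d/scan.conf
    regexp: "^(#)?LocalSocket (.*)$"
    line: 'LocalSocket \2'
    backrefs: true
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - V-72213

- name: Allow automatic freshclam updates
  lineinfile:
    dest: /etc/sysconfig/freshclam
    regexp: "^FRESHCLAM_DELAY"
    state: absent
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - V-72213

# The [f]reshclam pattern keeps the grep process itself out of the match.
- name: Check if ClamAV update process is already running
  shell: "ps -ef | egrep [f]reshclam -q"
  register: freshclam_proc
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - always

- name: Update ClamAV database
  command: freshclam
  changed_when: false
  when:
    - freshclam_proc.rc != 0
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - security_run_virus_scanner_update | bool
  # Signature downloads can be slow; run asynchronously with a 5-minute cap.
  async: 300
  poll: 5
  tags:
    - misc
    - V-72213

- name: Ensure ClamAV is running
  service:
    name: "{{ clamav_service }}"
    state: started
    enabled: true
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
  tags:
    - misc
    - V-72213

# NOTE(mhayden): This role changed names and this task ensures that the old
# configuration block is properly removed. Without this task, /etc/profile
# will have two config blocks that set the same variable and this leads to
# errors on the command prompt. See LP bug 1736702.
# TODO(mhayden): Remove this task when the Rocky release is in development.
- name: Remove old config block for V-72223 from openstack-ansible-security
  blockinfile:
    dest: /etc/profile
    state: absent
    insertbefore: EOF
    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
  tags:
    - medium
    - misc
    - V-72223

# TMOUT is made readonly so an interactive user cannot unset the timeout.
- name: V-72223 - Set 10 minute timeout on communication sessions
  blockinfile:
    dest: /etc/profile
    state: present
    insertbefore: EOF
    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
    block: |
      # Set a {{ security_rhel7_session_timeout }} second timeout for sessions
      TMOUT={{ security_rhel7_session_timeout }}
      readonly TMOUT
      export TMOUT
  tags:
    - medium
    - misc
    - V-72223

- name: Start and enable chrony
  service:
    name: "{{ chrony_service }}"
    state: started
    enabled: true
  when:
    - not check_mode
    - security_rhel7_enable_chrony | bool
  tags:
    - medium
    - misc
    - V-72269

- name: Check if chrony configuration file exists
  stat:
    path: "{{ chrony_conf_file }}"
  register: chrony_conf_check
  tags:
    - always

- name: V-72269 - Synchronize system clock (configuration file)
  template:
    src: chrony.conf.j2
    dest: "{{ chrony_conf_file }}"
  when:
    - chrony_conf_check.stat.exists
    - security_rhel7_enable_chrony | bool
  notify:
    - restart chrony
  tags:
    - medium
    - misc
    - V-72269

# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
  command: systemctl status firewalld
  register: firewalld_status_check
  failed_when: firewalld_status_check.rc not in [0,3,4]
  changed_when: false
  check_mode: false
  tags:
    - always

- name: Ensure firewalld is running and enabled
  service:
    name: firewalld
    state: started
    enabled: true
  when:
    - firewalld_status_check.rc not in [3,4]
    - security_enable_firewalld | bool
  tags:
    - medium
    - misc
    - V-72273

# The firewall-cmd call only works where firewalld is present, so it uses the
# same rc guard as the service task above. The previous `!= 3` guard let rc 4
# (no such unit, accepted by the status check) through to a call that would
# then fail.
# NOTE(review): the rule goes into the runtime direct configuration only (no
# --permanent); confirm persistence across a firewalld reload is handled
# elsewhere if it is required.
- name: Limit new TCP connections to 25/minute and allow bursting to 100
  command: >-
    firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0
    -m tcp -p tcp -m limit
    --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute
    --limit-burst {{ security_enable_firewalld_rate_limit_burst }}
    -j ACCEPT
  register: add_rate_limit_firewalld_rule
  # firewall-cmd reports ALREADY_ENABLED when the rule was present already.
  changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
  when:
    - firewalld_status_check.rc not in [3,4]
    - security_enable_firewalld_rate_limit | bool
  tags:
    - medium
    - misc
    - V-72271

# Linting checks need to be skipped because this command doesn't create any
# files.
# NOTE(review): the pattern is unanchored, so commented-out "nameserver" lines
# are counted as well; the reported count may be higher than the active one.
- name: Count nameserver entries in /etc/resolv.conf
  command: grep nameserver /etc/resolv.conf
  register: nameserver_check
  check_mode: false
  changed_when: false
  failed_when: false
  tags:
    - always
    - skip_ansible_lint

- name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
  debug:
    msg: |
      Two or more nameservers must be configured in /etc/resolv.conf.
      Nameservers found: {{ nameserver_check.stdout_lines | length }}
  when:
    - nameserver_check is defined
    - nameserver_check.stdout_lines | length < 2
  tags:
    - low
    - misc
    - V-72281

# grep exits 0 when any interface flag line contains PROMISC.
- name: Check for interfaces in promiscuous mode
  shell: "ip link | grep -i promisc"
  register: promiscuous_interface_check
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - always

- name: V-72295 - Network interfaces must not be in promiscuous mode.
  debug:
    msg: >
      One or more network interfaces were found to be in promiscuous mode.
      Review all interfaces and disable promiscuous mode.
  when:
    - promiscuous_interface_check.rc == 0
  tags:
    - medium
    - misc
    - V-72295

- name: Check for postfix configuration file
  stat:
    path: /etc/postfix/main.cf
  register: postfix_conf_check
  tags:
    - always

# Replaces any existing smtpd_client_restrictions line rather than appending
# a second one, so postfix sees a single, deterministic setting.
- name: V-72297 - Prevent unrestricted mail relaying
  lineinfile:
    dest: /etc/postfix/main.cf
    regexp: '^smtpd_client_restrictions'
    line: 'smtpd_client_restrictions = permit_mynetworks, reject'
  when:
    - postfix_conf_check.stat.exists
    - security_rhel7_restrict_mail_relaying | bool
  tags:
    - medium
    - misc
    - V-72297

- name: Check for TFTP server configuration file
  stat:
    path: /etc/xinetd.d/tftp
  register: tftp_config_check
  check_mode: false
  tags:
    - always

# Only runs when the xinetd tftp file exists, so tftp_secure_check is defined
# whenever the V-72305 task below consults it.
- name: Check TFTP configuration mode
  command: 'grep server_args /etc/xinetd.d/tftp'
  register: tftp_secure_check
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - tftp_config_check.stat.exists
  tags:
    - always

- name: V-72305 - TFTP must be configured to operate in secure mode
  debug:
    msg: TFTP must be configured to run in secure mode with the '-s' flag.
  when:
    - tftp_config_check.stat.exists
    - "'-s' not in tftp_secure_check.stdout"
  tags:
    - medium
    - misc
    - V-72305

# Matches uncommented lines that still carry the well-known default community
# names; rc 0 means at least one was found.
- name: Check to see if snmpd config contains public/private
  shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
  register: snmp_public_private_check
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - always

- name: V-72313 - Change SNMP community strings from default.
  debug:
    msg: >
      Change the SNMP community strings from the defaults of 'public' and
      'private' to meet the requirements of V-72313.
  when:
    - snmp_public_private_check.rc == 0
  tags:
    - high
    - misc
    - V-72313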