Remove references to unsupported operating systems

All references to Gentoo, SUSE, Debian Stretch and CentOS 7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
Jonathan Rosser 2021-03-17 09:28:09 +00:00 committed by Dmitriy Rabotyagov
parent 6f354a7a4b
commit 480dd9d866
11 changed files with 25 additions and 42 deletions


@ -7,13 +7,10 @@ The ansible-hardening role applies security hardening configurations
from the [Security Technical Implementation Guide (STIG)](http://iase.disa.mil/stigs/Pages/index.aspx) from the [Security Technical Implementation Guide (STIG)](http://iase.disa.mil/stigs/Pages/index.aspx)
to systems running the following distributions: to systems running the following distributions:
* CentOS 7 * CentOS 8
* Debian Jessie * Debian Buster
* Fedora 27 * Ubuntu Bionic
* openSUSE Leap 42.2 and 42.3 * Ubuntu Focal
* Red Hat Enterprise Linux 7
* SUSE Linux Enterprise 12 (*experimental*)
* Ubuntu 16.04
For more details, review the For more details, review the
[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/). [ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).


@ -17,12 +17,11 @@
# The RHEL 7 STIG content first appeared in the Ocata release and is compatible # The RHEL 7 STIG content first appeared in the Ocata release and is compatible
# with the following operating systems: # with the following operating systems:
# #
# * CentOS 7 # * CentOS 8
# * Debian Jessie # * Debian Buster
# * Fedora 27 # * Fedora 27
# * openSUSE Leap 42.x # * Ubuntu Bionic
# * SUSE Linux Enterprise 12 # * Ubuntu Focal
# * Ubuntu 16.04 Xenial LTS
# #
# Valid options: rhel7 # Valid options: rhel7
stig_version: rhel7 stig_version: rhel7
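Review bot: The supported-platform comment still lists `# * Fedora 27` even though this same commit removes Fedora from the platforms in meta/main.yml, so the two lists now disagree; drop the line unless Fedora is still tested. The list also omits Red Hat Enterprise Linux 8 while meta/main.yml advertises EL 8 and the README lists only CentOS 8, so adding `# * Red Hat Enterprise Linux 8` (or removing EL from meta) would make the three places consistent. Since `stig_version: rhel7` remains the only valid option, the header sentence could say explicitly that the RHEL 7 STIG content is applied as-is to these EL 8 and Debian-family hosts, so operators do not expect RHEL 8 STIG coverage.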


@ -8,27 +8,14 @@ galaxy_info:
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- jessie
- buster - buster
- name: Fedora
versions:
- 25
- name: EL - name: EL
versions: versions:
- 7
- 8 - 8
- name: Ubuntu - name: Ubuntu
versions: versions:
- trusty
- xenial
- bionic - bionic
- focal - focal
- name: opensuse
versions:
- 42.1
- 42.2
- 42.3
- 15.0
categories: categories:
- cloud - cloud
- security - security


@ -145,7 +145,7 @@
state: present state: present
when: when:
- item.value is truthy(convert_bool=True) - item.value is truthy(convert_bool=True)
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family'] - item.os_family == 'all' or item.os_family == ansible_facts['os_family']
with_items: "{{ shadow_utils_rhel7 }}" with_items: "{{ shadow_utils_rhel7 }}"
tags: tags:
- accounts - accounts
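Review bot: Renaming the per-item key to `os_family` breaks any operator override of `shadow_utils_rhel7` that still uses `ansible_os_family`, because `item.os_family` is then undefined and Ansible reports the new conditional as a failed check rather than evaluating it to false. If existing overrides should keep working for a release, accept both spellings, e.g. `- (item.os_family | default(item.ansible_os_family)) == 'all' or (item.os_family | default(item.ansible_os_family)) == ansible_facts['os_family']`; otherwise the rename is a user-visible change that deserves a release note, which the commit message does not mention. The task's module and name are above the hunk.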


@ -116,7 +116,7 @@
changed_when: false changed_when: false
when: when:
- aide_init is not skipped - aide_init is not skipped
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
tags: tags:
- medium - medium
- aide - aide
@ -133,7 +133,7 @@
special_time: daily special_time: daily
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root" job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
when: when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
tags: tags:
- medium - medium
- aide - aide
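Review bot: The new gate `ansible_facts['pkg_mgr'] == 'dnf'` on the initialisation task and on the daily cron task is really an "EL host" decision, and the role already expresses that decision through `ansible_facts['os_family']` in accounts.yml; the same literal is now repeated in aide.yml, auth.yml, file_perms.yml, misc.yml and packages.yml. Since this commit also generalises the OS-specific vars files, a single flag such as `security_rhel_family: "{{ ansible_facts['os_family'] == 'RedHat' }}"` in vars/redhat.yml, used as `when: security_rhel_family | bool`, keeps the platform decision in one place and survives a future package-manager change. Note that the daily `aide --check` cron is only installed on these hosts, so from this task Debian-family hosts get no scheduled integrity check; if that is deliberate (relying on the distro's own aide cron) it is worth a comment above the task.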


@ -90,7 +90,7 @@
insertbefore: EOF insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}" block: "{{ lookup('template', 'pam_faillock.j2') }}"
when: when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
- security_pam_faillock_enable | bool - security_pam_faillock_enable | bool
tags: tags:
- auth - auth
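Review bot: On the CentOS 8 / EL 8 target this commit moves the role to, the PAM stack is owned by authselect, and a block appended with blockinfile to /etc/pam.d/system-auth or password-auth is overwritten the next time `authselect select` or `authselect apply-changes` runs, silently removing the faillock lockout the STIG requires; the target path is above the hunk, so this applies only if those are the files being edited. On EL 8 the durable way is `authselect select sssd with-faillock` (or `authselect enable-feature with-faillock`) with the thresholds placed in /etc/security/faillock.conf, which the `pam_faillock.j2` template could be adapted to produce. At minimum add a comment above the task naming this limitation, e.g. `# NOTE: on EL 8 authselect rewrites these files; edits here do not survive authselect apply-changes`, so operators do not assume the lockout persists.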


@ -21,7 +21,7 @@
changed_when: False changed_when: False
when: when:
- not check_mode | bool - not check_mode | bool
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
- security_reset_perm_ownership | bool - security_reset_perm_ownership | bool
tags: tags:
- file_perms - file_perms
@ -38,7 +38,7 @@
- "{{ rpmverify_package_list.stdout_lines | default([]) }}" - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
when: when:
- not check_mode | bool - not check_mode | bool
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
- rpmverify_package_list is defined - rpmverify_package_list is defined
- rpmverify_package_list.stdout_lines | length > 0 - rpmverify_package_list.stdout_lines | length > 0
async: 300 async: 300


@ -79,7 +79,7 @@
failed_when: False failed_when: False
check_mode: no check_mode: no
when: when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
tags: tags:
- always - always
@ -89,7 +89,7 @@
FIPS is not enabled at boot time on this server. FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time. The STIG requires FIPS to be enabled at boot time.
when: when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] == 'dnf'
- fips_check is defined - fips_check is defined
- fips_check.stdout != '1' - fips_check.stdout != '1'
tags: tags:
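Review bot: The FIPS warning now fires only on dnf hosts and its condition `fips_check.stdout != '1'` tests a single kernel flag, but on EL 8 a kernel booted with `fips=1` is not by itself a FIPS-configured system: the system-wide crypto policy must also be `FIPS`, which is what `fips-mode-setup --check` and `update-crypto-policies --show` report. If the command above the hunk reads /proc/sys/crypto/fips_enabled, consider also running `fips-mode-setup --check` and warning when it does not report FIPS mode as enabled, or at least state in the message that only the kernel flag was checked. The `failed_when: False` on the command task means a missing file or binary yields empty stdout and the warning still fires, which is the safe direction; a one-line comment saying so would stop someone "fixing" it later.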


@ -59,7 +59,7 @@
name: "{{ security_epel_release_package }}" name: "{{ security_epel_release_package }}"
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
when: when:
- ansible_facts['pkg_mgr'] == 'yum' - ansible_facts['pkg_mgr'] == 'dnf'
- security_epel_install_repository | bool - security_epel_install_repository | bool
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
tags: tags:
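Review bot: With the gate now `dnf` this task runs on RHEL 8 as well as CentOS 8, and `epel-release` is shipped in CentOS extras but not in any default RHEL repository, so if `security_epel_release_package` still defaults to the bare package name (its definition is outside the hunk) the install fails on RHEL and the virus scanner is never installed. Consider defaulting the variable to the EPEL 8 release RPM URL when `ansible_facts['distribution'] == 'RedHat'`, or documenting that RHEL users must set it. Separately, enabling EPEL adds a third-party repository to a hardened host: keep `gpgcheck` on and import the EPEL GPG key explicitly rather than passing `disable_gpg_check`, and say so in a comment above the task.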


@ -287,27 +287,27 @@ shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD - parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}" value: "{{ security_password_encrypt_method | default('') }}"
stig_id: V-71921 stig_id: V-71921
ansible_os_family: all os_family: all
- parameter: PASS_MIN_DAYS - parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}" value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: V-71925 stig_id: V-71925
ansible_os_family: all os_family: all
- parameter: PASS_MAX_DAYS - parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}" value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: V-71929 stig_id: V-71929
ansible_os_family: all os_family: all
- parameter: FAIL_DELAY - parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}" value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: V-71951 stig_id: V-71951
ansible_os_family: RedHat os_family: RedHat
- parameter: UMASK - parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}" value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: V-71995 stig_id: V-71995
ansible_os_family: all os_family: all
- parameter: CREATE_HOME - parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}" value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: V-72013 stig_id: V-72013
ansible_os_family: all os_family: all
## sysctl settings ## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl # This variable is used in main/rhel7stig/kernel.yml to set sysctl


@ -32,7 +32,7 @@ aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" pkg_mgr_config: /etc/dnf/dnf.conf
# Service names # Service names
cron_service: crond cron_service: crond
@ -90,7 +90,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}" enabled: "{{ security_enable_firewalld }}"
- packages: - packages:
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" - dnf-automatic
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}" enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages: - packages:
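Review bot: The `enabled:` flag on the new `dnf-automatic` entry presumably maps to a service unit of the same name in the task that consumes `stig_packages_rhel7` (outside this file), but unlike yum-cron, dnf-automatic is driven by timers — `dnf-automatic.timer`, `dnf-automatic-install.timer` and siblings — and its shipped /etc/dnf/automatic.conf has `apply_updates = no`, so carrying the yum-cron logic over can install the package while leaving automatic updates effectively off. Confirm that the enabling task starts `dnf-automatic-install.timer` (or enables `dnf-automatic.timer` and sets `apply_updates = yes` in automatic.conf), and record it next to the entry, e.g. `# dnf-automatic is started via dnf-automatic(-install).timer, not a service of the same name`. The rest of the package list is outside the hunk.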