Use ansible_facts[] instead of fact variables

See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
Jonathan Rosser 2021-03-03 15:00:50 +00:00
parent 087919c425
commit b9a9310d7c
22 changed files with 75 additions and 75 deletions


@ -92,7 +92,7 @@ security_rhel7_audit_failure_flag: 1 # V-72081
security_rhel7_auditd_disk_full_action: syslog # V-72087 security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087 security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts. # Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089 security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
# Action to take when the space_left threshold is reached. # Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091 security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user. # Send auditd email alerts to this user.


@ -16,11 +16,11 @@
- name: Gather variables for each operating system - name: Gather variables for each operating system
include_vars: "{{ item }}" include_vars: "{{ item }}"
with_first_found: with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml" - "{{ ansible_facts['distribution'] | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml" - "{{ ansible_facts['os_family'] | lower }}.yml"
tags: tags:
- always - always
@ -33,14 +33,14 @@
- name: Check to see if we are booting with EFI or UEFI - name: Check to see if we are booting with EFI or UEFI
set_fact: set_fact:
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
tags: tags:
- always - always
- name: Set facts - name: Set facts
set_fact: set_fact:
check_mode: "{{ noop_result is skipped }}" check_mode: "{{ noop_result is skipped }}"
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}" linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
tags: tags:
- always - always


@ -73,7 +73,7 @@
backup: yes backup: yes
when: when:
- security_libuser_crypt_style_sha512 | bool - security_libuser_crypt_style_sha512 | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
tags: tags:
- accounts - accounts
- medium - medium
@ -145,7 +145,7 @@
state: present state: present
when: when:
- item.value is truthy(convert_bool=True) - item.value is truthy(convert_bool=True)
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family']
with_items: "{{ shadow_utils_rhel7 }}" with_items: "{{ shadow_utils_rhel7 }}"
tags: tags:
- accounts - accounts


@ -58,7 +58,7 @@
/sbin NORMAL /sbin NORMAL
when: when:
- aide_conf.results[0].stat.exists | bool - aide_conf.results[0].stat.exists | bool
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
tags: tags:
- low - low
- aide - aide
@ -76,7 +76,7 @@
backrefs: yes backrefs: yes
when: when:
- aide_conf.results[1].stat.exists | bool - aide_conf.results[1].stat.exists | bool
- ansible_pkg_mgr == 'zypper' - ansible_facts['pkg_mgr'] == 'zypper'
tags: tags:
- low - low
- aide - aide
@ -116,7 +116,7 @@
changed_when: false changed_when: false
when: when:
- aide_init is not skipped - aide_init is not skipped
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags: tags:
- medium - medium
- aide - aide
@ -133,7 +133,7 @@
special_time: daily special_time: daily
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root" job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
when: when:
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags: tags:
- medium - medium
- aide - aide


@ -34,7 +34,7 @@
when: when:
- security_check_package_checksums | bool - security_check_package_checksums | bool
- not check_mode | bool - not check_mode | bool
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
tags: tags:
- high - high
- V-71855 - V-71855
@ -59,7 +59,7 @@
{{ invalid_checksum_files_violations }} {{ invalid_checksum_files_violations }}
when: when:
- security_check_package_checksums | bool - security_check_package_checksums | bool
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
- invalid_checksum_files is defined - invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined - invalid_checksum_files.stdout is defined
tags: tags:
@ -105,7 +105,7 @@
create: yes create: yes
when: when:
- security_package_clean_on_remove | bool - security_package_clean_on_remove | bool
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
tags: tags:
- low - low
- packages - packages
@ -116,7 +116,7 @@
src: 20auto-upgrades src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades
when: when:
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:
- packages - packages


@ -26,7 +26,7 @@
poll: 0 poll: 0
when: when:
- not check_mode | bool - not check_mode | bool
- ansible_os_family | lower in ['redhat', 'suse'] - ansible_facts['os_family'] | lower in ['redhat', 'suse']
tags: tags:
- rpm - rpm
- high - high


@ -61,7 +61,7 @@
- name: Get valid system architectures for audit rules - name: Get valid system architectures for audit rules
set_fact: set_fact:
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
check_mode: no check_mode: no
tags: tags:
- always - always


@ -24,7 +24,7 @@
backrefs: yes backrefs: yes
when: when:
- security_shadow_utils_fail_delay is defined - security_shadow_utils_fail_delay is defined
- ansible_os_family | lower == 'debian' - ansible_facts['os_family'] | lower == 'debian'
tags: tags:
- auth - auth
- medium - medium
@ -39,7 +39,7 @@
backup: yes backup: yes
backrefs: yes backrefs: yes
when: when:
- ansible_os_family == 'Debian' - ansible_facts['os_family'] == 'Debian'
- security_disallow_blank_password_login | bool - security_disallow_blank_password_login | bool
tags: tags:
- auth - auth
@ -58,7 +58,7 @@
- auth - auth
- password - password
when: when:
- ansible_os_family == 'RedHat' - ansible_facts['os_family'] == 'RedHat'
- security_disallow_blank_password_login | bool - security_disallow_blank_password_login | bool
tags: tags:
- auth - auth
@ -77,7 +77,7 @@
- "{{ pam_auth_file }}" - "{{ pam_auth_file }}"
- "{{ pam_password_file }}" - "{{ pam_password_file }}"
when: when:
- ansible_pkg_mgr == 'zypper' - ansible_facts['pkg_mgr'] == 'zypper'
- security_disallow_blank_password_login | bool - security_disallow_blank_password_login | bool
tags: tags:
- auth - auth
@ -92,7 +92,7 @@
insertbefore: EOF insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}" block: "{{ lookup('template', 'pam_faillock.j2') }}"
when: when:
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- security_pam_faillock_enable | bool - security_pam_faillock_enable | bool
tags: tags:
- auth - auth


@ -21,8 +21,8 @@
check_mode: no check_mode: no
register: dnf_automatic_config_check register: dnf_automatic_config_check
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- ansible_pkg_mgr == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
tags: tags:
- always - always
@ -33,8 +33,8 @@
line: "apply_updates = yes" line: "apply_updates = yes"
state: present state: present
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- ansible_pkg_mgr == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool - dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:
@ -53,8 +53,8 @@
check_mode: no check_mode: no
changed_when: False changed_when: False
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- ansible_pkg_mgr == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool - dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:
@ -67,8 +67,8 @@
set_fact: set_fact:
dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}" dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}"
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- ansible_pkg_mgr == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool - dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:
@ -83,8 +83,8 @@
enabled: yes enabled: yes
state: started state: started
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- ansible_pkg_mgr == 'dnf' - ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool - dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:


@ -21,7 +21,7 @@
changed_when: False changed_when: False
when: when:
- not check_mode | bool - not check_mode | bool
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- security_reset_perm_ownership | bool - security_reset_perm_ownership | bool
tags: tags:
- file_perms - file_perms
@ -38,7 +38,7 @@
- "{{ rpmverify_package_list.stdout_lines | default([]) }}" - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
when: when:
- not check_mode | bool - not check_mode | bool
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- rpmverify_package_list is defined - rpmverify_package_list is defined
- rpmverify_package_list.stdout_lines | length > 0 - rpmverify_package_list.stdout_lines | length > 0
async: 300 async: 300


@ -79,7 +79,7 @@
failed_when: False failed_when: False
check_mode: no check_mode: no
when: when:
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags: tags:
- always - always
@ -89,7 +89,7 @@
FIPS is not enabled at boot time on this server. FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time. The STIG requires FIPS to be enabled at boot time.
when: when:
- ansible_pkg_mgr in ['yum', 'zypper'] - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- fips_check is defined - fips_check is defined
- fips_check.stdout != '1' - fips_check.stdout != '1'
tags: tags:


@ -20,7 +20,7 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
when: when:
- ansible_pkg_mgr in ['apt', 'zypper'] - ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
tags: tags:
- high - high
@ -38,7 +38,7 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
when: when:
- ansible_pkg_mgr in ['apt', 'zypper'] - ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
tags: tags:
- high - high
@ -49,7 +49,7 @@
name: apparmor name: apparmor
enabled: yes enabled: yes
when: when:
- ansible_pkg_mgr in ['apt', 'zypper'] - ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
- not check_mode - not check_mode
tags: tags:
@ -66,7 +66,7 @@
changed_when: changed_when:
- '"active (exited)" not in systemctl_apparmor_status.stdout' - '"active (exited)" not in systemctl_apparmor_status.stdout'
when: when:
- ansible_pkg_mgr in ['apt', 'zypper'] - ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
- not check_mode - not check_mode
- '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr' - '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
@ -83,9 +83,9 @@
state: enforcing state: enforcing
policy: targeted policy: targeted
register: selinux_status_change register: selinux_status_change
changed_when: selinux_status_change is changed and ansible_selinux.status != 'disabled' changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled'
when: when:
- ansible_os_family == "RedHat" - ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
tags: tags:
- high - high
@ -97,7 +97,7 @@
path: /.autorelabel path: /.autorelabel
state: touch state: touch
when: when:
- ansible_os_family == "RedHat" - ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool - security_rhel7_enable_linux_security_module | bool
- selinux_status_change is changed - selinux_status_change is changed
tags: tags:
@ -113,8 +113,8 @@
changed_when: False changed_when: False
check_mode: no check_mode: no
when: when:
- ansible_os_family == 'RedHat' - ansible_facts['os_family'] == 'RedHat'
- ansible_selinux.status == 'enabled' - ansible_facts['selinux']['status'] == 'enabled'
tags: tags:
- lsm - lsm
- medium - medium
@ -128,7 +128,7 @@
{{ device }} {{ device }}
{% endfor %} {% endfor %}
when: when:
- ansible_os_family == 'RedHat' - ansible_facts['os_family'] == 'RedHat'
- unlabeled_devices.stdout is defined - unlabeled_devices.stdout is defined
- unlabeled_devices.stdout | length > 0 - unlabeled_devices.stdout | length > 0
tags: tags:


@ -59,7 +59,7 @@
name: "{{ security_epel_release_package }}" name: "{{ security_epel_release_package }}"
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
when: when:
- ansible_pkg_mgr == 'yum' - ansible_facts['pkg_mgr'] == 'yum'
- security_epel_install_repository | bool - security_epel_install_repository | bool
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
tags: tags:
@ -73,7 +73,7 @@
# Package managers are managed first since the changes in these tasks will # Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role. # affect the remainder of the tasks in the role.
- include_tasks: "{{ ansible_pkg_mgr }}.yml" - include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
# The bulk of the security changes are applied in these tasks. The tasks in # The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml` # each file are tagged with the same name (for example, tasks in `auth.yml`
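Review bot: The include path at `- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` is still built directly from a fact reported by the managed host, and the commit leaves that unchanged; any value other than a package manager this role ships a task file for surfaces as a missing-file error at include time rather than a clear message. A one-task precondition before the include pins the value to the managers the role actually references (apt, yum, dnf and zypper appear elsewhere in this commit; confirm against the task files present) and fails with an actionable message. The task list this hunk belongs to starts and ends outside the hunk.
```yaml
# … unchanged: preceding tasks …
- name: Assert that the detected package manager is supported by this role
  assert:
    that:
      # TODO(review): confirm this list matches the <pkg_mgr>.yml files shipped in tasks/
      - ansible_facts['pkg_mgr'] in ['apt', 'yum', 'dnf', 'zypper']
    fail_msg: "Unsupported package manager: {{ ansible_facts['pkg_mgr'] }}"
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
```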


@ -67,7 +67,7 @@
The STIG requires that /home is on its own filesystem, but this system The STIG requires that /home is on its own filesystem, but this system
does not appear to be following the requirement. does not appear to be following the requirement.
when: when:
- ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0 - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0
tags: tags:
- low - low
- misc - misc
@ -79,7 +79,7 @@
The STIG requires that /var is on its own filesystem, but this system The STIG requires that /var is on its own filesystem, but this system
does not appear to be following the requirement. does not appear to be following the requirement.
when: when:
- ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0 - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0
tags: tags:
- low - low
- misc - misc
@ -91,7 +91,7 @@
The STIG requires that /var/log/audit is on its own filesystem, but this system The STIG requires that /var/log/audit is on its own filesystem, but this system
does not appear to be following the requirement. does not appear to be following the requirement.
when: when:
- ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
tags: tags:
- low - low
- misc - misc
@ -103,7 +103,7 @@
The STIG requires that /tmp is on its own filesystem, but this system The STIG requires that /tmp is on its own filesystem, but this system
does not appear to be following the requirement. does not appear to be following the requirement.
when: when:
- ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0 - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0
tags: tags:
- low - low
- misc - misc
@ -148,7 +148,7 @@
when: when:
- clamav_install_check.stat.exists - clamav_install_check.stat.exists
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - restart clamav
tags: tags:
@ -164,7 +164,7 @@
when: when:
- clamav_install_check.stat.exists - clamav_install_check.stat.exists
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - restart clamav
tags: tags:
@ -179,7 +179,7 @@
when: when:
- clamav_install_check.stat.exists - clamav_install_check.stat.exists
- security_enable_virus_scanner | bool - security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
notify: notify:
- restart clamav - restart clamav
tags: tags:


@ -35,7 +35,7 @@
when: when:
- security_check_package_checksums | bool - security_check_package_checksums | bool
- not check_mode | bool - not check_mode | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
tags: tags:
- rpm - rpm
- high - high
@ -54,7 +54,7 @@
when: when:
- security_check_package_checksums | bool - security_check_package_checksums | bool
- not check_mode | bool - not check_mode | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- invalid_checksum_files is defined - invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined - invalid_checksum_files.stdout is defined
tags: tags:
@ -84,7 +84,7 @@
state: present state: present
when: when:
- security_package_clean_on_remove | bool - security_package_clean_on_remove | bool
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
tags: tags:
- low - low
- packages - packages


@ -21,7 +21,7 @@
check_mode: no check_mode: no
register: yum_cron_config_check register: yum_cron_config_check
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
tags: tags:
- always - always
@ -32,7 +32,7 @@
line: "apply_updates = yes" line: "apply_updates = yes"
state: present state: present
when: when:
- ansible_os_family | lower == 'redhat' - ansible_facts['os_family'] | lower == 'redhat'
- yum_cron_config_check.stat.exists | bool - yum_cron_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool - security_rhel7_automatic_package_updates | bool
tags: tags:


@ -31,7 +31,7 @@
{# Verify that the variable controlling the rule is enabled and any distro- #} {# Verify that the variable controlling the rule is enabled and any distro- #}
{# specific requirements are met. #} {# specific requirements are met. #}
{# #} {# #}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %} {% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_facts['os_family'] | lower) == ansible_facts['os_family'] | lower) %}
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited. # {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
{# #} {# #}
{# Some audit rules are specific to syscalls. Different rules are needed for #} {# Some audit rules are specific to syscalls. Different rules are needed for #}


@ -22,7 +22,7 @@
cache_valid_time: "{{ cache_timeout }}" cache_valid_time: "{{ cache_timeout }}"
changed_when: False changed_when: False
when: when:
- ansible_pkg_mgr == 'apt' - ansible_facts['pkg_mgr'] == 'apt'
register: refresh_cache register: refresh_cache
until: refresh_cache is success until: refresh_cache is success
retries: 5 retries: 5
@ -31,7 +31,7 @@
file: file:
path: /etc/cron.daily/logrotate path: /etc/cron.daily/logrotate
state: touch state: touch
when: ansible_os_family == 'RedHat' when: ansible_facts['os_family'] == 'RedHat'
changed_when: False changed_when: False
- name: Install dconf package to test graphical session locks - name: Install dconf package to test graphical session locks
package: package:
@ -39,7 +39,7 @@
state: installed state: installed
changed_when: False changed_when: False
when: when:
- ansible_os_family == 'RedHat' - ansible_facts['os_family'] == 'RedHat'
register: install_packages register: install_packages
until: install_packages is success until: install_packages is success
retries: 5 retries: 5


@ -55,7 +55,7 @@ auditd_config:
# otherwise 'no' (required) # otherwise 'no' (required)
# path: the path to the command (optional, default is '/usr/bin') # path: the path to the command (optional, default is '/usr/bin')
# distro: restrict deployment to a single Linux distribution (optional, # distro: restrict deployment to a single Linux distribution (optional,
# should be equal to 'ansible_os_family | lower', such as 'redhat' # should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat'
# or 'ubuntu') # or 'ubuntu')
# #
audited_commands: audited_commands:
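Review bot: The updated comment describing the `distro:` key nests single quotes, `'ansible_facts['os_family'] | lower'`, so the quoted example appears to end after `ansible_facts[`. Nothing parses a YAML comment, but the example is clearer without the outer quotes: `# should be equal to ansible_facts['os_family'] | lower, such as 'redhat'`. The `auditd_config` mapping this comment sits in continues outside the hunk.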


@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg" grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
aide_cron_job_path: /etc/cron.d/aide aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names # Service names
cron_service: crond cron_service: crond
@ -91,7 +91,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}" enabled: "{{ security_enable_firewalld }}"
- packages: - packages:
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" - "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}" enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages: - packages:


@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg" grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
aide_cron_job_path: /etc/cron.d/aide aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names # Service names
cron_service: crond cron_service: crond
@ -90,7 +90,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}" enabled: "{{ security_enable_firewalld }}"
- packages: - packages:
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" - "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}" state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}" enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages: - packages:


@ -27,7 +27,7 @@ grub_conf_file: /boot/grub2/grub.cfg
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to # NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
# create the EFI distro directory. Since this information is not available on # create the EFI distro directory. Since this information is not available on
# Ansible, we have to improvise a bit... # Ansible, we have to improvise a bit...
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg" grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
aide_cron_job_path: /etc/cron.daily/aide aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new aide_database_out_file: /var/lib/aide/aide.db.new