Fix linters and metadata

With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
This commit is contained in:
Dmitriy Rabotyagov 2023-07-17 14:25:21 +02:00
parent 2c7889852c
commit db5c6f2d66
23 changed files with 131 additions and 117 deletions

View File

@ -82,16 +82,17 @@ security_aide_exclude_dirs:
## Audit daemon (auditd)
# Send audit records to a different system using audisp.
#security_audisp_remote_server: '10.0.21.1' # V-72083
# security_audisp_remote_server: '10.0.21.1' # V-72083
# Encrypt audit records when they are transmitted over the network.
#security_audisp_enable_krb5: yes # V-72085
# security_audisp_enable_krb5: yes # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # V-72081
# Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
security_rhel7_auditd_space_left: >- # V-72089
{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user.
@ -179,8 +180,8 @@ security_password_encrypt_method: SHA512 # V-71921
# Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: yes # V-71923
# Set a minimum/maximum lifetime limit for user passwords.
#security_password_min_lifetime_days: 1 # V-71925
#security_password_max_lifetime_days: 60 # V-71929
# security_password_min_lifetime_days: 1 # V-71925
# security_password_max_lifetime_days: 60 # V-71929
# Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4 # V-71951
# Set a umask for all authenticated users.
@ -188,7 +189,7 @@ security_shadow_utils_fail_delay: 4 # V-71951
# Create home directories for new users by default.
security_shadow_utils_create_home: yes # V-72013
# How many old user password to remember to prevent password re-use.
#security_password_remember_password: 5 # V-71933
# security_password_remember_password: 5 # V-71933
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: no # V-71941
# Lock user accounts with excessive login failures. See documentation.
@ -198,7 +199,7 @@ security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: yes # RHEL-07-010373
security_pam_faillock_unlock_time: 604800 # V-71943
# Limit the number of concurrent connections per account.
#security_rhel7_concurrent_session_limit: 10 # V-72217
# security_rhel7_concurrent_session_limit: 10 # V-72217
# Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: no # V-72277
# Exclude these directories from the shosts files find
@ -263,7 +264,7 @@ security_enable_grub_update: yes
# Require authentication in GRUB to boot into single-user or maintenance modes.
security_require_grub_authentication: no # V-71961 / V-71963
# The default password for grub authentication is 'secrete'.
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
# Set session timeout.
security_rhel7_session_timeout: 600 # V-72223
# Enable chrony for NTP time synchronization.

View File

@ -17,76 +17,48 @@
#
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
# since it's a special service. Using the old service scripts is required.
- name: restart auditd
- name: Restart auditd
command: service auditd restart # noqa: command-instead-of-module
changed_when: false
- name: restart chrony
- name: Restart chrony
service:
name: "{{ chrony_service }}"
state: restarted
- name: restart fail2ban
service:
name: fail2ban
state: restarted
- name: restart postfix
service:
name: postfix
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted
- name: restart samba
service:
name: smbd
state: restarted
- name: restart ssh
- name: Restart ssh
service:
name: "{{ ssh_service }}"
state: restarted
- name: restart vsftpd
service:
name: vsftpd
state: restarted
- name: restart clamav
- name: Restart clamav
service:
name: "{{ clamav_service }}"
state: restarted
# Miscellaneous ##############################################################
- name: generate auditd rules
- name: Generate auditd rules
command: augenrules --load
changed_when: false
notify: restart auditd
- name: rehash aliases
command: newaliases
- name: update grub config
- name: Update grub config
command: "{{ grub_update_cmd }}"
changed_when: false
when:
- security_enable_grub_update | bool
- grub_update_binary.stat.exists | bool
- grub_update_binary.stat.executable | bool
notify:
- set bootloader file permissions after updating grub config
- Set bootloader file permissions after updating grub config
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
# change, which breaks V-38583.
- name: set bootloader file permissions after updating grub config
- name: Set bootloader file permissions after updating grub config
file:
path: "{{ grub_config_file_boot }}"
mode: "0644"
- name: dconf update
- name: Dconf update
command: dconf update
- name: reload systemd
systemd:
daemon-reload: yes
changed_when: false

View File

@ -4,19 +4,22 @@ galaxy_info:
description: Security hardening role for OpenStack-Ansible
company: OpenStack
license: Apache
min_ansible_version: 2.10
role_name: hardening
namespace: openstack
min_ansible_version: "2.10"
platforms:
- name: Debian
versions:
- buster
- bullseye
- name: EL
versions:
- 8
- "8"
- "9"
- name: Ubuntu
versions:
- bionic
- focal
categories:
- jammy
galaxy_tags:
- cloud
- security
- system

View File

@ -44,8 +44,8 @@
- name: Set facts
set_fact:
check_mode: "{{ noop_result is skipped }}"
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
tags:
- always
@ -57,8 +57,10 @@
tags:
- always
- import_tasks: "{{ stig_version }}stig/main.yml"
- name: Importing STIG tasks
import_tasks: "{{ stig_version }}stig/main.yml"
- include_tasks: contrib/main.yml
- name: Including contrib tasks
include_tasks: contrib/main.yml
when:
- security_contrib_enabled | bool

View File

@ -71,6 +71,7 @@
option: crypt_style
value: sha512
backup: yes
mode: "0644"
when:
- security_libuser_crypt_style_sha512 | bool
- ansible_facts['os_family'] | lower == 'redhat'
@ -84,6 +85,7 @@
# system. See bug 1659232 for more details.
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
command: "chage -m 1 {{ item.name }}"
changed_when: false
when:
- item.shadow is mapping
- item.shadow.min_days != 1
@ -100,6 +102,7 @@
# system. See bug 1659232 for more details.
- name: Set maximum password lifetime limit to 60 days for interactive accounts
command: "chage -M 60 {{ item.name }}"
changed_when: false
when:
- item.shadow is mapping
- item.shadow.max_days > 60
@ -245,5 +248,3 @@
- accounts
- medium
- V-73159

View File

@ -28,6 +28,7 @@
template:
src: ZZ_aide_exclusions.j2
dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
mode: "0644"
when: aide_conf.results[0].stat.exists | bool
tags:
- medium

View File

@ -103,6 +103,7 @@
line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
state: present
create: yes
mode: "0644"
when:
- security_package_clean_on_remove | bool
- ansible_facts['os_family'] | lower == 'debian'
@ -115,6 +116,7 @@
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: "0644"
when:
- ansible_facts['os_family'] | lower == 'debian'
- security_rhel7_automatic_package_updates | bool

View File

@ -38,7 +38,7 @@
- security_audisp_remote_server is defined
- audisp_remote_conf.stat.exists
notify:
- restart auditd
- Restart auditd
tags:
- medium
- auditd
@ -53,7 +53,7 @@
- security_audisp_enable_krb5 is defined
- audisp_remote_conf.stat.exists
notify:
- restart auditd
- Restart auditd
tags:
- medium
- auditd
@ -73,7 +73,7 @@
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
- Generate auditd rules
tags:
- always
@ -84,7 +84,7 @@
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
- Generate auditd rules
tags:
- always
@ -92,10 +92,11 @@
template:
src: osas-auditd-rhel7.j2
dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
mode: "0644"
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
- Generate auditd rules
tags:
- auditd
- V-72167
@ -163,7 +164,7 @@
- auditd_conf.stat.exists
- audisp_remote_conf.stat.exists
notify:
- restart auditd
- Restart auditd
tags:
- high
- auditd

View File

@ -54,7 +54,7 @@
line: '\1\2'
backup: yes
backrefs: yes
loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}"
loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
when:
- ansible_facts['os_family'] == 'RedHat'
- security_disallow_blank_password_login | bool
@ -185,7 +185,7 @@
password_pbkdf2 root {{ security_grub_password_hash }}
state: present
notify:
- update grub config
- Update grub config
- name: Set CLASS for grub file
lineinfile:
path: "{{ grub_linux_file }}"
@ -194,7 +194,7 @@
state: present
backrefs: yes
notify:
- update grub config
- Update grub config
when:
- grub_custom_file_check.stat.exists | bool
- security_require_grub_authentication | bool
@ -208,6 +208,7 @@
blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes
mode: "0644"
block: |
# Deployed by the ansible-hardening role
# V-72217 - Limit concurrent sessions for all accounts/types

View File

@ -13,7 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: rpm.yml
- name: Including rpm tasks
include_tasks: rpm.yml
- name: Check if /etc/dnf/automatic.conf exists
stat:

View File

@ -56,6 +56,7 @@
copy:
src: dconf-user-profile
dest: /etc/dconf/profile/user
mode: "0644"
when:
- dconf_check.stat.exists
tags:
@ -69,6 +70,7 @@
file:
path: "{{ item }}"
state: directory
mode: "0755"
with_items:
- /etc/dconf/db/local.d/
- /etc/dconf/db/local.d/locks
@ -87,10 +89,11 @@
template:
src: dconf-screensaver-lock.j2
dest: /etc/dconf/db/local.d/00-screensaver
mode: "0644"
when:
- dconf_check.stat.exists
notify:
- dconf update
- Dconf update
tags:
- graphical
- medium
@ -102,10 +105,11 @@
template:
src: dconf-session-user-config-lockout.j2
dest: /etc/dconf/db/local.d/locks/session
mode: "0644"
when:
- dconf_check.stat.exists
notify:
- dconf update
- Dconf update
tags:
- graphical
- medium
@ -117,10 +121,11 @@
copy:
src: dconf-profile-gdm
dest: /etc/dconf/profile/gdm
mode: "0644"
when:
- dconf_check.stat.exists
notify:
- dconf update
- Dconf update
tags:
- graphical
- medium
@ -130,13 +135,14 @@
template:
src: dconf-gdm-banner-message.j2
dest: "{{ item }}"
mode: "0644"
with_items:
- /etc/dconf/db/gdm.d/01-banner-message
- /etc/dconf/db/local.d/01-banner-message
when:
- dconf_check.stat.exists
notify:
- dconf update
- Dconf update
tags:
- graphical
- medium

View File

@ -18,6 +18,7 @@
dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
line: install usb-storage /bin/true
create: yes
mode: "0644"
when:
- security_rhel7_disable_usb_storage | bool
tags:
@ -49,7 +50,7 @@
- C-00001
- name: Check kdump service
command: systemctl status kdump # noqa 303
command: systemctl status kdump # noqa: command-instead-of-module
register: kdump_service_check
failed_when: kdump_service_check.rc not in [0,3,4]
changed_when: False
@ -101,6 +102,7 @@
copy:
src: ansible-hardening-disable-dccp.conf
dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
mode: "0644"
when:
- security_rhel7_disable_dccp | bool
tags:

View File

@ -32,7 +32,7 @@
# started apparmor each time. This breaks idempotency and we check
# systemd's status directly as an alternative.
- name: Check if apparmor is running
command: "systemctl status apparmor" # noqa 303
command: "systemctl status apparmor" # noqa: command-instead-of-module
register: systemctl_apparmor_status
check_mode: no
changed_when: false
@ -96,6 +96,7 @@
file:
path: /.autorelabel
state: touch
mode: "0644"
when:
- ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool

View File

@ -34,7 +34,8 @@
# Some of the tasks in the role may take a long time to run. Let's start them
# as early as possible so they have time to finish.
- import_tasks: async_tasks.yml
- name: Importing async_tasks tasks
import_tasks: async_tasks.yml
- name: Get user data for all users on the system
get_users:
@ -67,29 +68,41 @@
# Package installations and removals must come first so that configuration
# changes can be made later.
- import_tasks: packages.yml
- name: Importing packages tasks
import_tasks: packages.yml
tags:
- always
# Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role.
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
- name: Including OS-specific tasks
include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
# The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml`
# are tagged with `auth`). Also, the tag name matches up with the "STIG
# Controls by Tag" section of the role documentation.
- import_tasks: accounts.yml
- import_tasks: aide.yml
- name: Importing accounts tasks
import_tasks: accounts.yml
- name: Importing aide tasks
import_tasks: aide.yml
when: security_rhel7_enable_aide | bool
- import_tasks: auditd.yml
- import_tasks: auth.yml
- import_tasks: file_perms.yml
- import_tasks: graphical.yml
- import_tasks: kernel.yml
- import_tasks: lsm.yml
- import_tasks: misc.yml
- import_tasks: sshd.yml
- name: Importing auditd tasks
import_tasks: auditd.yml
- name: Importing auth tasks
import_tasks: auth.yml
- name: Importing file_perms tasks
import_tasks: file_perms.yml
- name: Importing graphical tasks
import_tasks: graphical.yml
- name: Importing kernel tasks
import_tasks: kernel.yml
- name: Importing lsm tasks
import_tasks: lsm.yml
- name: Importing misc tasks
import_tasks: misc.yml
- name: Importing sshd tasks
import_tasks: sshd.yml
- name: Remove the temporary directory
file:

View File

@ -14,7 +14,7 @@
# limitations under the License.
- name: Check autofs service
command: systemctl status autofs # noqa 303
command: systemctl status autofs # noqa: command-instead-of-module
register: autofs_check
failed_when: autofs_check.rc not in [0,3,4]
changed_when: False
@ -150,7 +150,7 @@
- security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
- Restart clamav
tags:
- misc
- V-72213
@ -166,7 +166,7 @@
- security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
- Restart clamav
tags:
- misc
- V-72213
@ -174,7 +174,7 @@
- name: Ensure ClamAV socket directory exists
file:
path: "{{ clamav_service_details['socket_path'] | dirname }}"
user: "{{ clamav_service_details['user'] }}"
owner: "{{ clamav_service_details['user'] }}"
group: "{{ clamav_service_details['group'] }}"
mode: "{{ clamav_service_details['mode'] }}"
when:
@ -182,7 +182,7 @@
- security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
- Restart clamav
tags:
- misc
- V-72213
@ -197,7 +197,7 @@
- security_enable_virus_scanner | bool
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
- Restart clamav
tags:
- misc
- V-72213
@ -293,11 +293,12 @@
template:
src: chrony.conf.j2
dest: "{{ chrony_conf_file }}"
mode: "0644"
when:
- chrony_conf_check.stat.exists | bool
- security_rhel7_enable_chrony | bool
notify:
- restart chrony
- Restart chrony
tags:
- medium
- misc
@ -305,7 +306,7 @@
# Returns 0 if installed, 3 if not installed
- name: Check firewalld status
command: systemctl status firewalld # noqa 303
command: systemctl status firewalld # noqa: command-instead-of-module
register: firewalld_status_check
failed_when: firewalld_status_check.rc not in [0,3,4]
changed_when: False
@ -327,7 +328,9 @@
- V-72273
- name: Limit new TCP connections to 25/minute and allow bursting to 100
command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
command: >-
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
register: add_rate_limit_firewalld_rule
changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
when:

View File

@ -19,6 +19,7 @@
dest: "{{ security_sshd_banner_file }}"
owner: root
group: root
mode: "0644"
tags:
- high
- sshd
@ -33,7 +34,7 @@
validate: '/usr/sbin/sshd -T -f %s'
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
notify:
- restart ssh
- Restart ssh
tags:
- high
- sshd
@ -71,7 +72,7 @@
{{ option['name'] ~ ' ' ~ option['value'] }}
{% endfor %}
notify:
- restart ssh
- Restart ssh
tags:
- high
- sshd

View File

@ -13,7 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: rpm.yml
- name: Including rpm tasks
include_tasks: rpm.yml
- name: Check if /etc/yum/yum-cron.conf exists
stat:

View File

@ -100,6 +100,7 @@
copy:
src: zypper-autoupdates
dest: /etc/cron.daily/zypper-autoupdates
mode: "0750"
when:
- security_rhel7_automatic_package_updates | bool
tags:

View File

@ -327,7 +327,7 @@ sysctl_settings_rhel7:
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
@ -407,7 +407,7 @@ sshd_settings_rhel7:
enabled: yes
stig_id: V-72251
- name: MACs
value: "{{security_sshd_allowed_macs }}"
value: "{{ security_sshd_allowed_macs }}"
enabled: yes
stig_id: V-72253
- name: UsePrivilegeSeparation

View File

@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan
group: virusgroup
socket_path: /run/clamd.scan/clamd.sock
mode: 0710
mode: "0710"
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"

View File

@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan
group: virusgroup
socket_path: /run/clamd.scan/clamd.sock
mode: 0710
mode: "0710"
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"

View File

@ -45,7 +45,7 @@ clamav_service_details:
user: clamscan
group: virusgroup
socket_path: /run/clamd.scan/clamd.sock
mode: 0710
mode: "0710"
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"

View File

@ -27,7 +27,8 @@ grub_conf_file: /boot/grub2/grub.cfg
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
# create the EFI distro directory. Since this information is not available on
# Ansible, we have to improvise a bit...
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
grub_conf_file_efi: >-
{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse', 'sles') }}/grub.cfg
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new