ansible-hardening/tasks/rhel7stig/apt.yml

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Ensure debsums is installed
  apt:
    name: debsums
    state: installed
  when: security_check_package_checksums | bool

- name: Gather debsums report
  shell: "debsums > {{ temp_dir }}/debsums.txt"
  changed_when: False
  failed_when: False
  when:
    - security_check_package_checksums | bool
    - not check_mode | bool

- name: V-71855 - Get files with invalid checksums (apt)
  shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
  register: invalid_checksum_files
  changed_when: False
  when:
    - security_check_package_checksums | bool
    - not check_mode | bool
    - ansible_os_family | lower == 'debian'
  tags:
    - high
    - V-71855

- name: V-71855 - Create comma-separated list
  set_fact:
    invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
  when:
    - security_check_package_checksums | bool
    - invalid_checksum_files is defined
    - invalid_checksum_files.stdout is defined
  tags:
    - high
    - V-71855

- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt)
  debug:
    msg: >
      The following files have checksums that differ from the checksum provided
      with their package. Each of these should be verified manually to ensure
      they have not been modified by an unauthorized user:
      {{ invalid_checksum_files_violations }}      
  when:
    - security_check_package_checksums | bool
    - ansible_os_family | lower == 'debian'
    - invalid_checksum_files is defined
    - invalid_checksum_files.stdout is defined
  tags:
    - high
    - V-71855

# See the documentation for V-71977 for more details on this check.
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
  command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
  register: gpgcheck_result
  changed_when: False
  failed_when: False
  check_mode: no

- name: V-71977 - Package management tool must verify authenticity of packages
  debug:
    msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
  when:
    - security_enable_gpgcheck_packages | bool
    - gpgcheck_result.rc == 0
  tags:
    - high
    - V-71977

- name: V-71979 - Package management tool must verify authenticity of locally-installed packages
  lineinfile:
    dest: /etc/dpkg/dpkg.cfg
    regexp: "^(#)?no-debsig"
    line: "#no-debsig"
    state: present
  when:
    - security_enable_gpgcheck_packages_local | bool
  tags:
    - high
    - V-71979

- name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
  lineinfile:
    dest: /etc/apt/apt.conf.d/security-autoremove
    regexp: "^(#)?APT::Get::AutomaticRemove"
    line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
    state: present
    create: yes
  when:
    - security_package_clean_on_remove | bool
    - ansible_os_family | lower == 'debian'
  tags:
    - low
    - packages
    - V-71987

- name: Enable automatic package updates (apt)
  copy:
    src: 20auto-upgrades
    dest: /etc/apt/apt.conf.d/20auto-upgrades
  when:
    - ansible_os_family | lower == 'debian'
    - security_rhel7_automatic_package_updates | bool
  tags:
    - packages
    - cat2
    - V-71999