Remove references to unsupported operating systems

All references to Gentoo, SUSE, Debian stretch and CentOS 7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
This commit is contained in:
Jonathan Rosser 2021-03-17 09:28:09 +00:00 committed by Dmitriy Rabotyagov
parent 6f354a7a4b
commit 480dd9d866
11 changed files with 25 additions and 42 deletions


@ -7,13 +7,10 @@ The ansible-hardening role applies security hardening configurations
from the [Security Technical Implementation Guide (STIG)](http://iase.disa.mil/stigs/Pages/index.aspx)
to systems running the following distributions:
* CentOS 7
* Debian Jessie
* Fedora 27
* openSUSE Leap 42.2 and 42.3
* Red Hat Enterprise Linux 7
* SUSE Linux Enterprise 12 (*experimental*)
* Ubuntu 16.04
* CentOS 8
* Debian Buster
* Ubuntu Bionic
* Ubuntu Focal
For more details, review the
[ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/).


@ -17,12 +17,11 @@
# The RHEL 7 STIG content first appeared in the Ocata release and is compatible
# with the following operating systems:
#
# * CentOS 7
# * Debian Jessie
# * CentOS 8
# * Debian Buster
# * Fedora 27
# * openSUSE Leap 42.x
# * SUSE Linux Enterprise 12
# * Ubuntu 16.04 Xenial LTS
# * Ubuntu Bionic
# * Ubuntu Focal
#
# Valid options: rhel7
stig_version: rhel7
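Review bot: The comment still lists `# * Fedora 27` as a compatible system, and that line appears to survive this hunk, while the meta/main.yml hunk below drops the whole `- name: Fedora` platform entry (its line counts go from 27 to 14 with no additions). The two should agree; given the commit's intent and that Fedora 27 was long past end of life by 2021, dropping the `# * Fedora 27` line here seems the right side to change. Since the Galaxy metadata advertises `EL` 8, the comment could also name RHEL 8 alongside CentOS 8 if that is what the maintainers intend to support.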


@ -8,27 +8,14 @@ galaxy_info:
platforms:
- name: Debian
versions:
- jessie
- buster
- name: Fedora
versions:
- 25
- name: EL
versions:
- 7
- 8
- name: Ubuntu
versions:
- trusty
- xenial
- bionic
- focal
- name: opensuse
versions:
- 42.1
- 42.2
- 42.3
- 15.0
categories:
- cloud
- security


@ -145,7 +145,7 @@
state: present
when:
- item.value is truthy(convert_bool=True)
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family']
- item.os_family == 'all' or item.os_family == ansible_facts['os_family']
with_items: "{{ shadow_utils_rhel7 }}"
tags:
- accounts
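Review bot: `item.os_family` on the new line is a schema change for `shadow_utils_rhel7`, which is a defaults variable an operator can override; an override that still carries the old `ansible_os_family` key now fails in this `when:` with an undefined-attribute error instead of a clear message. The defaults hunk near the end of the page renames the shipped entries, but nothing signals the rename to users of the old key. A release note would cover it, or a transitional lookup such as `item.os_family | default(item.ansible_os_family)` for one release cycle. The task this `when:` belongs to starts before the hunk.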


@ -116,7 +116,7 @@
changed_when: false
when:
- aide_init is not skipped
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
tags:
- medium
- aide
@ -133,7 +133,7 @@
special_time: daily
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
tags:
- medium
- aide
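Review bot: Replacing `in ['yum', 'zypper']` with `== 'dnf'` means that a RedHat-family host whose `pkg_mgr` fact is not `dnf` (one the role no longer supports, for example a RHEL 7 host still on yum) has the AIDE database initialisation and the daily integrity cron job skipped silently rather than the play failing; the pam_faillock and FIPS hunks further down behave the same way. For a hardening role a silently skipped control is the worse failure mode, so one early check such as `- assert: { that: "ansible_facts['pkg_mgr'] == 'dnf'", fail_msg: "only dnf-based RedHat-family hosts are supported" }` guarded by `when: ansible_facts['os_family'] == 'RedHat'` would surface it once. With that in place the pam_faillock and FIPS guards could key on `ansible_facts['os_family'] == 'RedHat'`, which is what those controls actually depend on, while AIDE, rpmverify and dnf-automatic keep the package-manager test. Both tasks in this section begin before their hunks.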


@ -90,7 +90,7 @@
insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}"
when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
- security_pam_faillock_enable | bool
tags:
- auth


@ -21,7 +21,7 @@
changed_when: False
when:
- not check_mode | bool
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
- security_reset_perm_ownership | bool
tags:
- file_perms
@ -38,7 +38,7 @@
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
when:
- not check_mode | bool
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
- rpmverify_package_list is defined
- rpmverify_package_list.stdout_lines | length > 0
async: 300


@ -79,7 +79,7 @@
failed_when: False
check_mode: no
when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
tags:
- always
@ -89,7 +89,7 @@
FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time.
when:
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] == 'dnf'
- fips_check is defined
- fips_check.stdout != '1'
tags:


@ -59,7 +59,7 @@
name: "{{ security_epel_release_package }}"
state: "{{ security_package_state }}"
when:
- ansible_facts['pkg_mgr'] == 'yum'
- ansible_facts['pkg_mgr'] == 'dnf'
- security_epel_install_repository | bool
- security_enable_virus_scanner | bool
tags:


@ -287,27 +287,27 @@ shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}"
stig_id: V-71921
ansible_os_family: all
os_family: all
- parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: V-71925
ansible_os_family: all
os_family: all
- parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: V-71929
ansible_os_family: all
os_family: all
- parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: V-71951
ansible_os_family: RedHat
os_family: RedHat
- parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: V-71995
ansible_os_family: all
os_family: all
- parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: V-72013
ansible_os_family: all
os_family: all
## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl


@ -32,7 +32,7 @@ aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
pkg_mgr_config: /etc/dnf/dnf.conf
# Service names
cron_service: crond
@ -90,7 +90,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
- dnf-automatic
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages: