From 480dd9d8662ba28b43027a0e909e859c45c5ccf0 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Wed, 17 Mar 2021 09:28:09 +0000 Subject: [PATCH] Remove references to unsupported operating systems All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed. Conditional tasks, ternary operators and variables are simplified where possible OS specific variables files are generalised where possible Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77 --- README.md | 11 ++++------- defaults/main.yml | 9 ++++----- meta/main.yml | 13 ------------- tasks/rhel7stig/accounts.yml | 2 +- tasks/rhel7stig/aide.yml | 4 ++-- tasks/rhel7stig/auth.yml | 2 +- tasks/rhel7stig/file_perms.yml | 4 ++-- tasks/rhel7stig/kernel.yml | 4 ++-- tasks/rhel7stig/main.yml | 2 +- vars/main.yml | 12 ++++++------ vars/redhat-8.yml | 4 ++-- 11 files changed, 25 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index c00e314c..1ebff65d 100644 --- a/README.md +++ b/README.md @@ -7,13 +7,10 @@ The ansible-hardening role applies security hardening configurations from the [Security Technical Implementation Guide (STIG)](http://iase.disa.mil/stigs/Pages/index.aspx) to systems running the following distributions: -* CentOS 7 -* Debian Jessie -* Fedora 27 -* openSUSE Leap 42.2 and 42.3 -* Red Hat Enterprise Linux 7 -* SUSE Linux Enterprise 12 (*experimental*) -* Ubuntu 16.04 +* CentOS 8 +* Debian Buster +* Ubuntu Bionic +* Ubuntu Focal For more details, review the [ansible-hardening documentation](http://docs.openstack.org/developer/ansible-hardening/). diff --git a/defaults/main.yml b/defaults/main.yml index b709b018..ec2eda23 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -17,12 +17,11 @@
 # The RHEL 7 STIG content first appeared in the Ocata release and is compatible
 # with the following operating systems:
 #
-# * CentOS 7
-# * Debian Jessie
+# * CentOS 8
+# * Debian Buster
 # * Fedora 27
-# * openSUSE Leap 42.x
-# * SUSE Linux Enterprise 12
-# * Ubuntu 16.04 Xenial LTS
+# * Ubuntu Bionic
+# * Ubuntu Focal
 #
 # Valid options: rhel7
 stig_version: rhel7
diff --git a/meta/main.yml b/meta/main.yml
index b998252a..51e7aa3a 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -8,27 +8,14 @@ galaxy_info:
 platforms:
 - name: Debian
 versions:
- - jessie
 - buster
- - name: Fedora
- versions:
- - 25
 - name: EL
 versions:
- - 7
 - 8
 - name: Ubuntu
 versions:
- - trusty
- - xenial
 - bionic
 - focal
- - name: opensuse
- versions:
- - 42.1
- - 42.2
- - 42.3
- - 15.0
 categories:
 - cloud
 - security
diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml
index fe005814..90551de4 100644
--- a/tasks/rhel7stig/accounts.yml
+++ b/tasks/rhel7stig/accounts.yml
@@ -145,7 +145,7 @@
 state: present
 when:
 - item.value is truthy(convert_bool=True)
- - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family']
+ - item.os_family == 'all' or item.os_family == ansible_facts['os_family']
 with_items: "{{ shadow_utils_rhel7 }}"
 tags:
 - accounts
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index bdcca33a..4c66866d 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -116,7 +116,7 @@
 changed_when: false
 when:
 - aide_init is not skipped
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 tags:
 - medium
 - aide
@@ -133,7 +133,7 @@
 special_time: daily
 job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
 when:
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 tags:
 - medium
 - aide
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 6a085041..cfe3812c 100644
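Review bot: The retained `# * Fedora 27` line in the compatibility list disagrees with the rest of this commit, which drops Fedora from the `platforms` list in meta/main.yml and from the README's supported-distribution list. Since this comment documents which systems the rhel7 STIG content is maintained for, it should match those two lists: either delete `# * Fedora 27` here or restore Fedora in meta/main.yml. The commit message's stated intent, removing all references to unsupported systems, suggests deleting it.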
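Review bot: The new guard `ansible_facts['pkg_mgr'] == 'dnf'` keys security controls on the package-manager fact rather than on the OS family it stands for, and the same literal is repeated in the second aide.yml hunk, auth.yml, both file_perms.yml hunks, both kernel.yml hunks and tasks/rhel7stig/main.yml. Because these are `when:` conditions, a RedHat-family host whose fact comes back as anything other than `dnf` silently skips AIDE initialisation and its daily check, the pam_faillock block, the rpm verification pass, the FIPS boot check and the EPEL install, with nothing failing to draw attention. The accounts.yml hunk in this same commit already selects RedHat-specific entries with `ansible_facts['os_family']`, so `- ansible_facts['os_family'] == 'RedHat'` would state the intent directly and stay consistent across the role; if the package-manager test is deliberate, defining one boolean in vars and reusing it would at least keep the eight copies from drifting. The tasks containing both aide.yml hunks begin outside the hunks.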
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -90,7 +90,7 @@
 insertbefore: EOF
 block: "{{ lookup('template', 'pam_faillock.j2') }}"
 when:
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 - security_pam_faillock_enable | bool
 tags:
 - auth
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index ac540b0f..cd7bc807 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@@ -21,7 +21,7 @@
 changed_when: False
 when:
 - not check_mode | bool
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 - security_reset_perm_ownership | bool
 tags:
 - file_perms
@@ -38,7 +38,7 @@
 - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
 when:
 - not check_mode | bool
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 - rpmverify_package_list is defined
 - rpmverify_package_list.stdout_lines | length > 0
 async: 300
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index 2882ef39..af4f362e 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -79,7 +79,7 @@
 failed_when: False
 check_mode: no
 when:
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 tags:
 - always
 
@@ -89,7 +89,7 @@
 FIPS is not enabled at boot time on this server.
 The STIG requires FIPS to be enabled at boot time.
 when:
- - ansible_facts['pkg_mgr'] in ['yum', 'zypper']
+ - ansible_facts['pkg_mgr'] == 'dnf'
 - fips_check is defined
 - fips_check.stdout != '1'
 tags:
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index c82bbfa5..07a2e835 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -59,7 +59,7 @@
 name: "{{ security_epel_release_package }}"
 state: "{{ security_package_state }}"
 when:
- - ansible_facts['pkg_mgr'] == 'yum'
+ - ansible_facts['pkg_mgr'] == 'dnf'
 - security_epel_install_repository | bool
 - security_enable_virus_scanner | bool
 tags:
diff --git a/vars/main.yml b/vars/main.yml
index 6b5bca3b..5d21723c 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -287,27 +287,27 @@ shadow_utils_rhel7:
 - parameter: ENCRYPT_METHOD
 value: "{{ security_password_encrypt_method | default('') }}"
 stig_id: V-71921
- ansible_os_family: all
+ os_family: all
 - parameter: PASS_MIN_DAYS
 value: "{{ security_password_min_lifetime_days | default('') }}"
 stig_id: V-71925
- ansible_os_family: all
+ os_family: all
 - parameter: PASS_MAX_DAYS
 value: "{{ security_password_max_lifetime_days | default('') }}"
 stig_id: V-71929
- ansible_os_family: all
+ os_family: all
 - parameter: FAIL_DELAY
 value: "{{ security_shadow_utils_fail_delay | default('') }}"
 stig_id: V-71951
- ansible_os_family: RedHat
+ os_family: RedHat
 - parameter: UMASK
 value: "{{ security_shadow_utils_umask | default('') }}"
 stig_id: V-71995
- ansible_os_family: all
+ os_family: all
 - parameter: CREATE_HOME
 value: "{{ security_shadow_utils_create_home | default('') }}"
 stig_id: V-72013
- ansible_os_family: all
+ os_family: all
 
 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl
diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml
index 79409456..a1bc4072 100644
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
@@ -32,7 +32,7 @@ aide_database_out_file: /var/lib/aide/aide.db.new.gz
 chrony_conf_file: /etc/chrony.conf
 chrony_key_file: /etc/chrony.keys
 daemon_init_params_file: /etc/init.d/functions
-pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
+pkg_mgr_config: /etc/dnf/dnf.conf
 
 # Service names
 cron_service: crond
@@ -90,7 +90,7 @@ stig_packages_rhel7:
 state: "{{ security_package_state }}"
 enabled: "{{ security_enable_firewalld }}"
 - packages:
- - "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
+ - dnf-automatic
 state: "{{ security_package_state }}"
 enabled: "{{ security_rhel7_automatic_package_updates }}"
 - packages:
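Review bot: `- dnf-automatic` is the right package for CentOS 8, but the `enabled:` flag on this entry assumes the consumer of `stig_packages_rhel7` can enable something by that name; dnf-automatic is driven by systemd timer units (`dnf-automatic.timer` and its variants) rather than a service called `dnf-automatic`, so the task that loops over this list, which is outside the hunk, should be checked to confirm it enables the timer, otherwise automatic updates stay installed but inactive. A comment on the entry such as `# dnf-automatic provides dnf-automatic.timer; there is no service of the same name` would record the expectation for the next maintainer. The `stig_packages_rhel7` list starts before this hunk.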