Rename vars/common.yml to vars/main.yml

The file vars/main.yml is loaded automatically,
so using this file name lets us get rid of the
task that loads vars/common.yml, which is a
small optimisation.

Change-Id: I4e0a1b81c42a90b7cd28830f1c2e72c7bd62efaf
Jesse Pretorius 2017-03-13 18:30:43 +00:00
parent 576af328d7
commit 78d844a008
3 changed files with 325 additions and 360 deletions


@ -24,11 +24,6 @@
tags:
- always
- name: Gather variables that apply to all operating systems
include_vars: common.yml
tags:
- always
- name: Check for check/audit mode
command: /bin/true
register: noop_result


@ -1,343 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Common variables for all distributions
# This file contains variables that apply to all distributions that the
# security role supports. Distribution-specific variables should be placed in:
#
# - vars/redhat.yml
# - vars/ubuntu.yml
## auditd configuration
auditd_config:
- parameter: disk_full_action
value: "{{ security_rhel7_auditd_disk_full_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: network_failure_action
value: "{{ security_rhel7_auditd_network_failure_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: space_left
value: "{{ security_rhel7_auditd_space_left }}"
config: /etc/audit/auditd.conf
- parameter: space_left_action
value: "{{ security_rhel7_auditd_space_left_action }}"
config: /etc/audit/auditd.conf
- parameter: action_mail_acct
value: "{{ security_rhel7_auditd_action_mail_acct }}"
config: /etc/audit/auditd.conf
## auditd rules
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
# for various commands and syscalls.
#
# Each dictionary has this structure:
#
# command: the command/syscall to audit (required)
# stig_id: the number/ID from the STIG (required)
# arch_specific: 'yes' if the rule depends on the architecture type,
# otherwise 'no' (required)
# path: the path to the command (optional, default is '/usr/bin')
# distro: restrict deployment to a single Linux distribution (optional,
# should be equal to 'ansible_os_family | lower', such as 'redhat'
# or 'ubuntu')
#
audited_commands:
- command: chsh
stig_id: RHEL-07-030525
arch_specific: no
- command: chage
stig_id: RHEL-07-030513
arch_specific: no
- command: chcon
stig_id: RHEL-07-030443
arch_specific: no
- command: chmod
stig_id: RHEL-07-030390
arch_specific: yes
- command: chown
stig_id: RHEL-07-030380
arch_specific: yes
- command: creat
stig_id: RHEL-07-030420
arch_specific: yes
- command: crontab
stig_id: RHEL-07-030561
arch_specific: no
- command: delete_module
stig_id: RHEL-07-030671
arch_specific: yes
- command: fchmod
stig_id: RHEL-07-030391
arch_specific: yes
- command: fchmodat
stig_id: RHEL-07-030392
arch_specific: yes
- command: fchown
stig_id: RHEL-07-030381
arch_specific: yes
- command: fchownat
stig_id: RHEL-07-030383
arch_specific: yes
- command: fremovexattr
stig_id: RHEL-07-030404
arch_specific: yes
- command: fsetxattr
stig_id: RHEL-07-030401
arch_specific: yes
- command: ftruncate
stig_id: RHEL-07-030425
arch_specific: yes
- command: init_module
stig_id: RHEL-07-030670
arch_specific: yes
- command: gpasswd
stig_id: RHEL-07-030512
arch_specific: no
- command: lchown
stig_id: RHEL-07-030382
arch_specific: yes
- command: lremovexattr
stig_id: RHEL-07-030405
arch_specific: yes
- command: lsetxattr
stig_id: RHEL-07-030402
arch_specific: yes
- command: mount
path: /bin
stig_id: RHEL-07-030530
arch_specific: no
- command: newgrp
stig_id: RHEL-07-030524
arch_specific: no
- command: open
stig_id: RHEL-07-030421
arch_specific: yes
- command: openat
stig_id: RHEL-07-030422
arch_specific: yes
- command: open_by_handle_at
stig_id: RHEL-07-030423
arch_specific: yes
- command: pam_timestamp_check
path: /sbin
stig_id: RHEL-07-030630
arch_specific: no
- command: passwd
stig_id: RHEL-07-030510
arch_specific: no
- command: postdrop
path: /usr/sbin
stig_id: RHEL-07-030540
arch_specific: no
- command: postqueue
path: /usr/sbin
stig_id: RHEL-07-030541
arch_specific: no
- command: pt_chown
path: /usr/libexec
stig_id: RHEL-07-030560
arch_specific: no
distro: redhat
- command: removexattr
stig_id: RHEL-07-030403
arch_specific: yes
- command: rename
stig_id: RHEL-07-030750
arch_specific: yes
- command: renameat
stig_id: RHEL-07-030751
arch_specific: yes
- command: restorecon
path: /usr/sbin
stig_id: RHEL-07-030444
arch_specific: no
- command: rmdir
stig_id: RHEL-07-030752
arch_specific: yes
- command: semanage
path: /usr/sbin
stig_id: RHEL-07-030441
arch_specific: no
- command: setsebool
path: /usr/sbin
stig_id: RHEL-07-030442
arch_specific: no
- command: setxattr
stig_id: RHEL-07-030400
arch_specific: yes
- command: ssh-keysign
path: "{{ ssh_keysign_path }}"
stig_id: RHEL-07-030550
arch_specific: no
- command: su
path: /bin
stig_id: RHEL-07-030521
arch_specific: no
- command: sudo
stig_id: RHEL-07-030522
arch_specific: no
- command: sudoedit
path: /bin
stig_id: RHEL-07-030526
arch_specific: no
- command: truncate
stig_id: RHEL-07-030424
arch_specific: yes
- command: umount
path: /bin
stig_id: RHEL-07-030531
arch_specific: no
- command: unix_chkpwd
path: /sbin
stig_id: RHEL-07-030511
arch_specific: no
- command: unlink
stig_id: RHEL-07-030753
arch_specific: yes
- command: unlinkat
stig_id: RHEL-07-030754
arch_specific: yes
- command: userhelper
path: /usr/sbin
stig_id: RHEL-07-030514
arch_specific: no
## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
# requirements.
#
# Each dictionary has this structure:
#
# parameter: the pwquality parameter to set
# value: the value of the parameter
# stig_id: the STIG id number
# description: description of the control from the STIG
# enabled: whether the change should be applied
#
password_quality_rhel7:
- parameter: ucredit
value: -1
stig_id: RHEL-07-010090
description: "Password must contain at least one upper-case character"
enabled: "{{ security_pwquality_require_uppercase }}"
- parameter: lcredit
value: -1
stig_id: RHEL-07-010100
description: "Password must contain at least one lower-case character"
enabled: "{{ security_pwquality_require_lowercase }}"
- parameter: dcredit
value: -1
stig_id: RHEL-07-010110
description: "Password must contain at least one numeric character"
enabled: "{{ security_pwquality_require_numeric }}"
- parameter: ocredit
value: -1
stig_id: RHEL-07-010120
description: "Password must contain at least one special character"
enabled: "{{ security_pwquality_require_special }}"
- parameter: difok
value: 8
stig_id: RHEL-07-010130
description: "Password must have at least eight characters changed"
enabled: "{{ security_pwquality_require_characters_changed }}"
- parameter: minclass
value: 4
stig_id: RHEL-07-010140
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
value: 4
stig_id: RHEL-07-010150
description: "Password must have at most four characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
stig_id: RHEL-07-010160
description: "Password must have at most four characters in the same character class repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- parameter: minlen
value: 15
stig_id: RHEL-07-010250
description: "Passwords must be a minimum of 15 characters in length"
enabled: "{{ security_pwquality_require_minimum_password_length }}"
## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
# parameter: the parameter to set
# value: the value for the parameter
# stig_id: the STIG ID number for the requirement
#
shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}"
stig_id: RHEL-07-010180
ansible_os_family: all
- parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: RHEL-07-010200
ansible_os_family: all
- parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: RHEL-07-010220
ansible_os_family: all
- parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: RHEL-07-010420
ansible_os_family: RedHat
- parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: RHEL-07-020230
ansible_os_family: all
- parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: RHEL-07-020630
ansible_os_family: all
## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
# configurations on hosts.
#
# Each dictionary has this structure:
#
# name: the sysctl configuration name
# value: the value to set for the sysctl configuration
# enabled: whether the variable should be set or not
#
sysctl_settings_rhel7:
- name: net.ipv4.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- name: net.ipv4.conf.all.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.conf.default.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.ip_forward
value: 0
enabled: "{{ security_disallow_ip_forwarding | bool }}"
- name: net.ipv6.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"


@ -13,18 +13,331 @@
# See the License for the specific language governing permissions and
# limitations under the License.
## Variables
# The variable files in the 'vars' directory are intended to hold variables
# that deployers should not override. These variables are used internally by
# the role to create templates, execute commands, or adjust configurations.
## Common variables for all distributions
# This file contains variables that apply to all distributions that the
# security role supports. Distribution-specific variables should be placed in:
#
# There are three main variable files:
# - vars/redhat.yml
# - vars/ubuntu.yml
## auditd configuration
auditd_config:
- parameter: disk_full_action
value: "{{ security_rhel7_auditd_disk_full_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: network_failure_action
value: "{{ security_rhel7_auditd_network_failure_action }}"
config: /etc/audisp/audisp-remote.conf
- parameter: space_left
value: "{{ security_rhel7_auditd_space_left }}"
config: /etc/audit/auditd.conf
- parameter: space_left_action
value: "{{ security_rhel7_auditd_space_left_action }}"
config: /etc/audit/auditd.conf
- parameter: action_mail_acct
value: "{{ security_rhel7_auditd_action_mail_acct }}"
config: /etc/audit/auditd.conf
## auditd rules
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
# for various commands and syscalls.
#
# common.yml: variables that apply to all distributions
# redhat.yml: variables that apply only to CentOS 7 and Red Hat Enterprise
# Linux 7
# ubuntu.yml: variables that apply only to Ubuntu 14.04 (trusty) and
# Ubuntu 16.04 (xenial)
# Each dictionary has this structure:
#
# All variables that enable or disable functionality, or variables that a
# deployer might want to override should be placed in 'defaults/main.yml'.
# command: the command/syscall to audit (required)
# stig_id: the number/ID from the STIG (required)
# arch_specific: 'yes' if the rule depends on the architecture type,
# otherwise 'no' (required)
# path: the path to the command (optional, default is '/usr/bin')
# distro: restrict deployment to a single Linux distribution (optional,
# should be equal to 'ansible_os_family | lower', such as 'redhat'
# or 'ubuntu')
#
audited_commands:
- command: chsh
stig_id: RHEL-07-030525
arch_specific: no
- command: chage
stig_id: RHEL-07-030513
arch_specific: no
- command: chcon
stig_id: RHEL-07-030443
arch_specific: no
- command: chmod
stig_id: RHEL-07-030390
arch_specific: yes
- command: chown
stig_id: RHEL-07-030380
arch_specific: yes
- command: creat
stig_id: RHEL-07-030420
arch_specific: yes
- command: crontab
stig_id: RHEL-07-030561
arch_specific: no
- command: delete_module
stig_id: RHEL-07-030671
arch_specific: yes
- command: fchmod
stig_id: RHEL-07-030391
arch_specific: yes
- command: fchmodat
stig_id: RHEL-07-030392
arch_specific: yes
- command: fchown
stig_id: RHEL-07-030381
arch_specific: yes
- command: fchownat
stig_id: RHEL-07-030383
arch_specific: yes
- command: fremovexattr
stig_id: RHEL-07-030404
arch_specific: yes
- command: fsetxattr
stig_id: RHEL-07-030401
arch_specific: yes
- command: ftruncate
stig_id: RHEL-07-030425
arch_specific: yes
- command: init_module
stig_id: RHEL-07-030670
arch_specific: yes
- command: gpasswd
stig_id: RHEL-07-030512
arch_specific: no
- command: lchown
stig_id: RHEL-07-030382
arch_specific: yes
- command: lremovexattr
stig_id: RHEL-07-030405
arch_specific: yes
- command: lsetxattr
stig_id: RHEL-07-030402
arch_specific: yes
- command: mount
path: /bin
stig_id: RHEL-07-030530
arch_specific: no
- command: newgrp
stig_id: RHEL-07-030524
arch_specific: no
- command: open
stig_id: RHEL-07-030421
arch_specific: yes
- command: openat
stig_id: RHEL-07-030422
arch_specific: yes
- command: open_by_handle_at
stig_id: RHEL-07-030423
arch_specific: yes
- command: pam_timestamp_check
path: /sbin
stig_id: RHEL-07-030630
arch_specific: no
- command: passwd
stig_id: RHEL-07-030510
arch_specific: no
- command: postdrop
path: /usr/sbin
stig_id: RHEL-07-030540
arch_specific: no
- command: postqueue
path: /usr/sbin
stig_id: RHEL-07-030541
arch_specific: no
- command: pt_chown
path: /usr/libexec
stig_id: RHEL-07-030560
arch_specific: no
distro: redhat
- command: removexattr
stig_id: RHEL-07-030403
arch_specific: yes
- command: rename
stig_id: RHEL-07-030750
arch_specific: yes
- command: renameat
stig_id: RHEL-07-030751
arch_specific: yes
- command: restorecon
path: /usr/sbin
stig_id: RHEL-07-030444
arch_specific: no
- command: rmdir
stig_id: RHEL-07-030752
arch_specific: yes
- command: semanage
path: /usr/sbin
stig_id: RHEL-07-030441
arch_specific: no
- command: setsebool
path: /usr/sbin
stig_id: RHEL-07-030442
arch_specific: no
- command: setxattr
stig_id: RHEL-07-030400
arch_specific: yes
- command: ssh-keysign
path: "{{ ssh_keysign_path }}"
stig_id: RHEL-07-030550
arch_specific: no
- command: su
path: /bin
stig_id: RHEL-07-030521
arch_specific: no
- command: sudo
stig_id: RHEL-07-030522
arch_specific: no
- command: sudoedit
path: /bin
stig_id: RHEL-07-030526
arch_specific: no
- command: truncate
stig_id: RHEL-07-030424
arch_specific: yes
- command: umount
path: /bin
stig_id: RHEL-07-030531
arch_specific: no
- command: unix_chkpwd
path: /sbin
stig_id: RHEL-07-030511
arch_specific: no
- command: unlink
stig_id: RHEL-07-030753
arch_specific: yes
- command: unlinkat
stig_id: RHEL-07-030754
arch_specific: yes
- command: userhelper
path: /usr/sbin
stig_id: RHEL-07-030514
arch_specific: no
## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
# requirements.
#
# Each dictionary has this structure:
#
# parameter: the pwquality parameter to set
# value: the value of the parameter
# stig_id: the STIG id number
# description: description of the control from the STIG
# enabled: whether the change should be applied
#
password_quality_rhel7:
- parameter: ucredit
value: -1
stig_id: RHEL-07-010090
description: "Password must contain at least one upper-case character"
enabled: "{{ security_pwquality_require_uppercase }}"
- parameter: lcredit
value: -1
stig_id: RHEL-07-010100
description: "Password must contain at least one lower-case character"
enabled: "{{ security_pwquality_require_lowercase }}"
- parameter: dcredit
value: -1
stig_id: RHEL-07-010110
description: "Password must contain at least one numeric character"
enabled: "{{ security_pwquality_require_numeric }}"
- parameter: ocredit
value: -1
stig_id: RHEL-07-010120
description: "Password must contain at least one special character"
enabled: "{{ security_pwquality_require_special }}"
- parameter: difok
value: 8
stig_id: RHEL-07-010130
description: "Password must have at least eight characters changed"
enabled: "{{ security_pwquality_require_characters_changed }}"
- parameter: minclass
value: 4
stig_id: RHEL-07-010140
description: "Password must have at least four character classes changed"
enabled: "{{ security_pwquality_require_character_classes_changed }}"
- parameter: maxrepeat
value: 4
stig_id: RHEL-07-010150
description: "Password must have at most four characters repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_characters }}"
- parameter: maxclassrepeat
value: 4
stig_id: RHEL-07-010160
description: "Password must have at most four characters in the same character class repeated consecutively"
enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
- parameter: minlen
value: 15
stig_id: RHEL-07-010250
description: "Passwords must be a minimum of 15 characters in length"
enabled: "{{ security_pwquality_require_minimum_password_length }}"
## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
# parameter: the parameter to set
# value: the value for the parameter
# stig_id: the STIG ID number for the requirement
#
shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}"
stig_id: RHEL-07-010180
ansible_os_family: all
- parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: RHEL-07-010200
ansible_os_family: all
- parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: RHEL-07-010220
ansible_os_family: all
- parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: RHEL-07-010420
ansible_os_family: RedHat
- parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: RHEL-07-020230
ansible_os_family: all
- parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: RHEL-07-020630
ansible_os_family: all
## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
# configurations on hosts.
#
# Each dictionary has this structure:
#
# name: the sysctl configuration name
# value: the value to set for the sysctl configuration
# enabled: whether the variable should be set or not
#
sysctl_settings_rhel7:
- name: net.ipv4.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
- name: net.ipv4.conf.default.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
- name: net.ipv4.icmp_echo_ignore_broadcasts
value: 1
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
- name: net.ipv4.conf.all.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.conf.default.send_redirects
value: 0
enabled: "{{ security_disallow_icmp_redirects | bool }}"
- name: net.ipv4.ip_forward
value: 0
enabled: "{{ security_disallow_ip_forwarding | bool }}"
- name: net.ipv6.conf.all.accept_source_route
value: 0
enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
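Review bot: The `arch_specific: yes` / `arch_specific: no` values carried into `audited_commands` (the chmod and chsh entries, for example) are unquoted YAML 1.1 booleans, so the loader reads them as `true`/`false` even though the structure comment above the list describes them as the strings 'yes' and 'no'. If the consuming task in tasks/rhel7stig/auditd.yml compares against a string rather than a boolean, the architecture-specific audit rules would silently never be deployed; I cannot confirm the comparison from this page, so please verify it. Writing the values as `arch_specific: true` / `arch_specific: false` and changing the comment to `# arch_specific: true if the rule depends on the architecture type, otherwise false (required)` removes the ambiguity either way. Separately, the `net.ipv4.conf.default.accept_source_route` entry is the only one missing the space before `}}`; for consistency with its siblings it should read `enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"`. Both points were carried over from vars/common.yml rather than introduced by this rename.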