Merge "Configure AIDE before initial run"
commit
27a3108770
|
@ -1,14 +0,0 @@
|
||||||
# Rules borrowed from CentOS/RHEL AIDE configuration
|
|
||||||
# (SELinux was removed for Ubuntu compatibility.)
|
|
||||||
FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
|
|
||||||
NORMAL = FIPSR+sha512
|
|
||||||
|
|
||||||
# The following two lines apply the NORMAL rule (above this line) to the
|
|
||||||
# /bin and /sbin directories to meet the requirements of two STIG controls:
|
|
||||||
#
|
|
||||||
# RHEL-07-021600 - Verify ACLs
|
|
||||||
# RHEL-07-021610 - Verify extended attributes
|
|
||||||
#
|
|
||||||
/bin NORMAL
|
|
||||||
/sbin NORMAL
|
|
||||||
|
|
|
@ -31,6 +31,37 @@
|
||||||
- aide
|
- aide
|
||||||
- V-71973
|
- V-71973
|
||||||
|
|
||||||
|
# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
|
||||||
|
# that meets the requirements of V-72069 and V-72071. That config
|
||||||
|
# is borrowed for Ubuntu 16.04 here.
|
||||||
|
- name: Configure AIDE to verify additional properties
|
||||||
|
blockinfile:
|
||||||
|
dest: "{{ aide_conf }}"
|
||||||
|
insertbefore: EOF
|
||||||
|
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
||||||
|
block: |
|
||||||
|
# Rules borrowed from CentOS/RHEL AIDE configuration
|
||||||
|
# (SELinux was removed for Ubuntu compatibility.)
|
||||||
|
FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
|
||||||
|
NORMAL = FIPSR+sha512
|
||||||
|
|
||||||
|
# The following two lines apply the NORMAL rule (above this line) to the
|
||||||
|
# /bin and /sbin directories to meet the requirements of two STIG controls:
|
||||||
|
#
|
||||||
|
# RHEL-07-021600 - Verify ACLs
|
||||||
|
# RHEL-07-021610 - Verify extended attributes
|
||||||
|
#
|
||||||
|
/bin NORMAL
|
||||||
|
/sbin NORMAL
|
||||||
|
when:
|
||||||
|
- ansible_os_family | lower == 'ubuntu'
|
||||||
|
tags:
|
||||||
|
- low
|
||||||
|
- aide
|
||||||
|
- V-72069
|
||||||
|
- V-72071
|
||||||
|
- V-72073
|
||||||
|
|
||||||
- name: Check to see if AIDE database is already in place
|
- name: Check to see if AIDE database is already in place
|
||||||
stat:
|
stat:
|
||||||
path: "{{ aide_database_file }}"
|
path: "{{ aide_database_file }}"
|
||||||
|
@ -82,21 +113,3 @@
|
||||||
- medium
|
- medium
|
||||||
- aide
|
- aide
|
||||||
- V-71975
|
- V-71975
|
||||||
|
|
||||||
# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
|
|
||||||
# that meets the requirements of V-72069 and V-72071. That config
|
|
||||||
# is borrowed for Ubuntu 16.04 here.
|
|
||||||
- name: Configure AIDE to verify additional properties
|
|
||||||
blockinfile:
|
|
||||||
dest: "{{ aide_conf }}"
|
|
||||||
insertbefore: EOF
|
|
||||||
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
|
||||||
block: "{{ lookup('file', 'aide_extra.conf') }}"
|
|
||||||
when:
|
|
||||||
- ansible_os_family | lower == 'ubuntu'
|
|
||||||
tags:
|
|
||||||
- low
|
|
||||||
- aide
|
|
||||||
- V-72069
|
|
||||||
- V-72071
|
|
||||||
- V-72073
|
|
||||||
|
|
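Review bot: The `when: ansible_os_family | lower == 'ubuntu'` condition on the relocated "Configure AIDE to verify additional properties" task in the `@ -31,6 +31,37` hunk looks like it can never be true, because Ansible reports `ansible_os_family` as `Debian` on Ubuntu hosts (worth confirming against how the role's other tasks select Ubuntu); if so the extra AIDE rules are silently never written and the V-72069/V-72071 checks stay unmet. `- ansible_distribution | lower == 'ubuntu'` would match the stated intent. Separately, the task has no `register` or `notify`, and the next task gates initialization on `aide_database_file` already existing, so a host initialized before this change keeps a database built without the `acl`/`xattrs`/`sha256`/`sha512` attributes that the new rules add; consider triggering a database re-initialization when this task reports changed. The enclosing task list starts and ends outside the hunk.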