Merge pull request #134 from dev-sec/style

style update

defaults/main.yml

@@ -59,93 +59,105 @@ ufw_manage_builtins: 'no'
 ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
 
 sysctl_config:
-  # Disable IPv4 traffic forwarding.
+  # Disable IPv4 traffic forwarding. | sysctl-01
   net.ipv4.ip_forward: 0
 
-  # Disable IPv6 traffic forwarding.
+  # Disable IPv6 traffic forwarding. | sysctl-19
   net.ipv6.conf.all.forwarding: 0
 
-  # ignore RAs on Ipv6.
+  # ignore RAs on Ipv6. | sysctl-25
   net.ipv6.conf.all.accept_ra: 0
   net.ipv6.conf.default.accept_ra: 0
 
-  # Enable RFC-recommended source validation feature.
+  # Enable RFC-recommended source validation feature. | sysctl-02
   net.ipv4.conf.all.rp_filter: 1
   net.ipv4.conf.default.rp_filter: 1
 
-  # Reduce the surface on SMURF attacks.
+  # Reduce the surface on SMURF attacks. | sysctl-04
   # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
   net.ipv4.icmp_echo_ignore_broadcasts: 1
 
-  # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
+  # There is no reason to accept bogus error responses from ICMP, so ignore them instead. | sysctl-03
   net.ipv4.icmp_ignore_bogus_error_responses: 1
 
-  # Limit the amount of traffic the system uses for ICMP.
+  # Limit the amount of traffic the system uses for ICMP. | sysctl-05
   net.ipv4.icmp_ratelimit: 100
 
   # Adjust the ICMP ratelimit to include ping, dst unreachable,
-  # source quench, ime exceed, param problem, timestamp reply, information reply
+  # source quench, ime exceed, param problem, timestamp reply, information reply | sysctl-06
   net.ipv4.icmp_ratemask: 88089
 
-  # Disable IPv6
+  # Disable IPv6 | sysctl-18
   net.ipv6.conf.all.disable_ipv6: 1
 
-  # Protect against wrapping sequence numbers at gigabit speeds
+  # Protect against wrapping sequence numbers at gigabit speeds | sysctl-07
   net.ipv4.tcp_timestamps: 0
 
-  # Define restriction level for announcing the local source IP
+  # Define restriction level for announcing the local source IP | sysctl-08
   net.ipv4.conf.all.arp_ignore: 1
 
   # Define mode for sending replies in response to
-  # received ARP requests that resolve local target IP addresses
+  # received ARP requests that resolve local target IP addresses | sysctl-09
   net.ipv4.conf.all.arp_announce: 2
 
-  # RFC 1337 fix F1
+  # RFC 1337 fix F1 | sysctl-10
   net.ipv4.tcp_rfc1337: 1
 
-  # Send(router) or accept(host) RFC1620 shared media redirects
+  # Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12
   net.ipv4.conf.all.shared_media: 1
   net.ipv4.conf.default.shared_media: 1
 
   # Accepting source route can lead to malicious networking behavior,
-  # so disable it if not needed.
+  # so disable it if not needed. | sysctl-13
   net.ipv4.conf.all.accept_source_route: 0
   net.ipv4.conf.default.accept_source_route: 0
 
   # Accepting redirects can lead to malicious networking behavior, so disable
-  # it if not needed.
+  # it if not needed. | sysctl-13 | sysctl-14 | sysctl-15 | sysctl-20
   net.ipv4.conf.default.accept_redirects: 0
   net.ipv4.conf.all.accept_redirects: 0
   net.ipv4.conf.all.secure_redirects: 0
   net.ipv4.conf.default.secure_redirects: 0
   net.ipv6.conf.default.accept_redirects: 0
   net.ipv6.conf.all.accept_redirects: 0
 
-  # For non-routers: don't send redirects, these settings are 0
+  # For non-routers: don't send redirects, these settings are 0 | sysctl-16
   net.ipv4.conf.all.send_redirects: 0
   net.ipv4.conf.default.send_redirects: 0
 
-  # log martian packets
+  # log martian packets | sysctl-17
   net.ipv4.conf.all.log_martians: 1
 
   # ipv6 config
-  # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
+  # Disable acceptance of IPv6 router solicitations messages | sysctl-21
   net.ipv6.conf.default.router_solicitations: 0
+
+  # Disable Accept Router Preference from router advertisement | sysctl-22
   net.ipv6.conf.default.accept_ra_rtr_pref: 0
+
+  # Disable learning Prefix Information from router advertisement | sysctl-23
   net.ipv6.conf.default.accept_ra_pinfo: 0
+
+  # Disable learning Hop limit from router advertisement | sysctl-24
   net.ipv6.conf.default.accept_ra_defrtr: 0
+
+  # Disable IPv6 autoconfiguration | sysctl-26
   net.ipv6.conf.default.autoconf: 0
+
+  # Disable neighbor solicitations to send out per address | sysctl-27
   net.ipv6.conf.default.dad_transmits: 0
+
+  # Assign one global unicast IPv6 addresses to each interface | sysctl-28
   net.ipv6.conf.default.max_addresses: 1
 
   # This settings controls how the kernel behaves towards module changes at
   # runtime. Setting to 1 will disable module loading at runtime.
-  # Setting it to 0 is actually never supported.
+  # Setting it to 0 is actually never supported. | sysctl-29
   # kernel.modules_disabled: 1
 
   # Magic Sysrq should be disabled, but can also be set to a safe value if so
   # desired for physical machines. It can allow a safe reboot if the system hangs
-  # and is a 'cleaner' alternative to hitting the reset button.
+  # and is a 'cleaner' alternative to hitting the reset button. | sysctl-30
   # The following values are permitted:
   # * **0**   - disable sysrq
   # * **1**   - enable sysrq completely
@@ -161,18 +173,18 @@ sysctl_config:
   kernel.sysrq: 0
 
   # Prevent core dumps with SUID. These are usually only
-  # needed by developers and may contain sensitive information.
+  # needed by developers and may contain sensitive information. | sysctl-31
   fs.suid_dumpable: 0
 
-  # Virtual memory regions protection
+  # Virtual memory regions protection | sysctl-32
   kernel.randomize_va_space: 2
 
 # Do not delete the following line or otherwise the playbook will fail
-# at task "create a combined sysctl-dict if overwrites are defined"
+# at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
 
 sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
+  # ExecShield protection against buffer overflows | sysctl-33
   kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks.
+  # Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
   net.ipv4.tcp_syncookies: 1

tasks/apt.yml

@@ -1,6 +1,8 @@
 ---
-- name: remove packages
-  apt: name='{{item}}' state=removed
+- name: remove deprecated or insecure packages | package-01 - package-09
+  apt:
+    name: '{{ item }}'
+    state: 'absent'
   with_items:
-    - "{{os_security_packages_list}}"
-  when: os_security_packages_clean
+    - '{{ os_security_packages_list }}'
+  when: 'os_security_packages_clean'

tasks/limits.yml

@@ -1,9 +1,19 @@
 ---
 
-- name: create limits.d-directory if it does not exist
-  file: path='/etc/security/limits.d' owner=root group=root mode=0755 state=directory
-  when: os_security_kernel_enable_core_dump
+- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
+  file:
+    path: '/etc/security/limits.d'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    state: 'directory'
+  when: 'os_security_kernel_enable_core_dump'
 
-- name: create sane limits.conf
-  template: src='limits.conf.j2' dest='/etc/security/limits.d/10.hardcore.conf' owner=root group=root mode=0440
-  when: os_security_kernel_enable_core_dump
+- name: create sane limits.conf | sysctl-31a, sysctl-31b
+  template:
+    src: 'limits.conf.j2'
+    dest: '/etc/security/limits.d/10.hardcore.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: 'os_security_kernel_enable_core_dump'

tasks/login_defs.yml

@@ -1,4 +1,9 @@
 ---
-- name: create login.defs
-  template: src='login.defs.j2' dest='/etc/login.defs' owner=root group=root mode=0444
+- name: create login.defs | os-05, os-05b
+  template:
+    src: 'login.defs.j2'
+    dest: '/etc/login.defs'
+    owner: 'root'
+    group: 'root'
+    mode: '0444'
 

tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: add the OS specific variables
-  include_vars: "{{ ansible_os_family }}.yml"
+  include_vars: '{{ ansible_os_family }}.yml'
   tags: always
 
 - include: limits.yml

tasks/minimize_access.yml

@@ -2,7 +2,7 @@
 # Using a two-pass approach for checking directories in order to support symlinks.
 - name: find directories for minimizing access
   stat:
-    path: "{{ item }}"
+    path: '{{ item }}'
   register: minimize_access_directories
   with_items:
     - '/usr/local/sbin'
@@ -11,16 +11,27 @@
     - '/usr/bin'
     - '/sbin'
     - '/bin'
-    - '{{os_env_extra_user_paths}}'
+    - '{{ os_env_extra_user_paths }}'
 
 - name: minimize access
-  file: path='{{item.stat.path}}' mode='go-w' recurse=yes
+  file:
+    path: '{{ item.stat.path }}'
+    mode: 'go-w'
+    recurse: 'yes'
   when: item.stat.isdir
-  with_items: "{{ minimize_access_directories.results }}"
+  with_items: '{{ minimize_access_directories.results }}'
 
-- name: change shadow ownership to root and mode to 0600 | DTAG SEC Req 3.21-7
-  file: dest='/etc/shadow' owner={{ os_shadow_perms.owner }} group={{ os_shadow_perms.group }} mode={{ os_shadow_perms.mode }}
+- name: change shadow ownership to root and mode to 0600 | os-02
+  file:
+    dest: '/etc/shadow'
+    owner: '{{ os_shadow_perms.owner }}'
+    group: '{{ os_shadow_perms.group }}'
+    mode: '{{ os_shadow_perms.mode }}'
 
 - name: change su-binary to only be accessible to user and group root
-  file: dest='/bin/su' owner=root group=root mode=0750
+  file:
+    dest: '/bin/su'
+    owner: 'root'
+    group: 'root'
+    mode: '0750'
   when: os_security_users_allow != None

tasks/modprobe.yml

@@ -0,0 +1,3 @@
+---
+
+# modprobe

tasks/pam.yml

@@ -7,55 +7,96 @@
     DEBIAN_FRONTEND: noninteractive
 
 - name: remove pam ccreds on Debian systems
-  apt: name='{{os_packages_pam_ccreds}}' state=absent
+  apt:
+    name: '{{ os_packages_pam_ccreds }}'
+    state: 'absent'
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
 - name: remove pam ccreds on Redhat systems
-  yum: name='{{os_packages_pam_ccreds}}' state=absent
+  yum:
+    name: '{{ os_packages_pam_ccreds }}'
+    state: 'absent'
   when: ansible_os_family == 'RedHat'
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
-  apt: name='{{os_packages_pam_cracklib}}' state=absent
+  apt:
+    name: '{{ os_packages_pam_cracklib }}'
+    state: 'absent'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
 
 - name: install the package for strong password checking
-  apt: name='{{os_packages_pam_passwdqc}}' state='installed' update_cache='yes'
+  apt:
+    name: '{{ os_packages_pam_passwdqc }}'
+    state: 'installed'
+    update_cache: 'yes'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
 
 - name: configure passwdqc
-  template: src='pam_passwdqd.j2' mode=0640 owner=root group=root dest='{{passwdqc_path}}'
+  template:
+    src: 'pam_passwdqd.j2'
+    dest: '{{ passwdqc_path }}'
+    mode: '0640'
+    owner: 'root'
+    group: 'root'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
 
 - name: remove passwdqc
-  apt: name='{{os_packages_pam_passwdqc}}' state='absent'
+  apt:
+    name: '{{ os_packages_pam_passwdqc }}'
+    state: 'absent'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
 
 - name: install tally2
-  apt: name='libpam-modules' state='installed'
+  apt:
+    name: 'libpam-modules'
+    state: 'installed'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
 
 - name: configure tally2
-  template: src='pam_tally2.j2' dest='{{tally2_path}}' mode=0640 owner=root group=root
+  template:
+    src: 'pam_tally2.j2'
+    dest: '{{ tally2_path }}'
+    mode: '0640'
+    owner: 'root'
+    group: 'root'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
 
 - name: delete tally2 when retries is 0
-  file: path='{{tally2_path}}' state=absent
+  file:
+    path: '{{ tally2_path }}'
+    state: 'absent'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
-  yum: name='{{os_packages_pam_cracklib}}' state='absent'
+  yum:
+    name: '{{ os_packages_pam_cracklib }}'
+    state: 'absent'
   when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 
 - name: install the package for strong password checking
-  yum: name='{{os_packages_pam_passwdqc}}' state='installed'
+  yum:
+    name: '{{ os_packages_pam_passwdqc }}'
+    state: 'installed'
   when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 
 - name: remove passwdqc
-  yum: name='{{os_packages_pam_passwdqc}}' state='absent'
+  yum:
+    name: '{{ os_packages_pam_passwdqc }}'
+    state: 'absent'
   when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
 
 - name: configure passwdqc and tally via central system-auth confic
-  template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root
+  template:
+    src: 'rhel_system_auth.j2'
+    dest: '/etc/pam.d/system-auth-ac'
+    mode: '0640'
+    owner: 'root'
+    group: 'root'
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
-  template: src='rhel_libuser.conf.j2' dest='/etc/libuser.conf' mode=0640 owner=root group=root
+  template:
+    src: 'rhel_libuser.conf.j2'
+    dest: '/etc/libuser.conf'
+    mode: '0640'
+    owner: 'root'
+    group: 'root'

tasks/profile.yml

@@ -1,4 +1,9 @@
 ---
 - name: create profile.conf
-  template: src='profile.conf.j2' dest='/etc/profile.d/pinerolo_profile.sh' owner=root group=root mode=0750
+  template:
+    src: 'profile.conf.j2'
+    dest: '/etc/profile.d/pinerolo_profile.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0750'
   when: not os_security_kernel_enable_core_dump