From a957fb6245f65e6245a82b7938ed5006b4b1e453 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Fri, 4 Aug 2017 21:45:04 +0200
Subject: [PATCH 1/2] style update
---
 defaults/main.yml | 64 +++++++++++++++++++-------------
 tasks/apt.yml | 10 +++--
 tasks/limits.yml | 22 ++++++++---
 tasks/login_defs.yml | 9 ++++-
 tasks/main.yml | 2 +-
 tasks/minimize_access.yml | 23 +++++++++---
 tasks/pam.yml | 69 ++++++++++++++++++++++++++++-------
 tasks/profile.yml | 7 +++-
 tasks/rhosts.yml | 14 ++++---
 tasks/securetty.yml | 7 +++-
 tasks/suid_sgid.yml | 20 +++++++---
 tasks/sysctl.yml | 34 +++++++++++++----
 tasks/user_accounts.yml | 23 ++++++++----
 tasks/yum.yml | 27 ++++++++++----
 templates/login.defs.j2 | 13 ++++---
 templates/rhel_system_auth.j2 | 1 -
 templates/ufw.j2 | 13 ++++---
 vars/Debian.yml | 2 +-
 vars/Oracle Linux.yml | 2 +-
 vars/RedHat.yml | 2 +-
 20 files changed, 254 insertions(+), 110 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 41df46383..91715adfe 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,61 +59,61 @@ ufw_manage_builtins: 'no' ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns' sysctl_config: - # Disable IPv4 traffic forwarding. + # Disable IPv4 traffic forwarding. | sysctl-01 net.ipv4.ip_forward: 0 - # Disable IPv6 traffic forwarding. + # Disable IPv6 traffic forwarding. | sysctl-19 net.ipv6.conf.all.forwarding: 0 - # ignore RAs on Ipv6. + # ignore RAs on Ipv6. | sysctl-25 net.ipv6.conf.all.accept_ra: 0 net.ipv6.conf.default.accept_ra: 0 - # Enable RFC-recommended source validation feature. + # Enable RFC-recommended source validation feature. | sysctl-02 net.ipv4.conf.all.rp_filter: 1 net.ipv4.conf.default.rp_filter: 1 - # Reduce the surface on SMURF attacks. + # Reduce the surface on SMURF attacks. | sysctl-04 # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. net.ipv4.icmp_echo_ignore_broadcasts: 1 - # There is no reason to accept bogus error responses from ICMP, so ignore them instead. + # There is no reason to accept bogus error responses from ICMP, so ignore them instead. | sysctl-03 net.ipv4.icmp_ignore_bogus_error_responses: 1 - # Limit the amount of traffic the system uses for ICMP. + # Limit the amount of traffic the system uses for ICMP. 
| sysctl-05 net.ipv4.icmp_ratelimit: 100 # Adjust the ICMP ratelimit to include ping, dst unreachable, - # source quench, ime exceed, param problem, timestamp reply, information reply + # source quench, ime exceed, param problem, timestamp reply, information reply | sysctl-06 net.ipv4.icmp_ratemask: 88089 - # Disable IPv6 + # Disable IPv6 | sysctl-18 net.ipv6.conf.all.disable_ipv6: 1 - # Protect against wrapping sequence numbers at gigabit speeds + # Protect against wrapping sequence numbers at gigabit speeds | sysctl-07 net.ipv4.tcp_timestamps: 0 - # Define restriction level for announcing the local source IP + # Define restriction level for announcing the local source IP | sysctl-08 net.ipv4.conf.all.arp_ignore: 1 # Define mode for sending replies in response to - # received ARP requests that resolve local target IP addresses + # received ARP requests that resolve local target IP addresses | sysctl-09 net.ipv4.conf.all.arp_announce: 2 - # RFC 1337 fix F1 + # RFC 1337 fix F1 | sysctl-10 net.ipv4.tcp_rfc1337: 1 - # Send(router) or accept(host) RFC1620 shared media redirects + # Send(router) or accept(host) RFC1620 shared media redirects | sysctl-12 net.ipv4.conf.all.shared_media: 1 net.ipv4.conf.default.shared_media: 1 # Accepting source route can lead to malicious networking behavior, - # so disable it if not needed. + # so disable it if not needed. | sysctl-13 net.ipv4.conf.all.accept_source_route: 0 net.ipv4.conf.default.accept_source_route: 0 # Accepting redirects can lead to malicious networking behavior, so disable - # it if not needed. + # it if not needed. | sysctl-13 | sysctl-14 | sysctl-15 | sysctl-20 net.ipv4.conf.default.accept_redirects: 0 net.ipv4.conf.all.accept_redirects: 0 net.ipv4.conf.all.secure_redirects: 0 
@@ -121,31 +121,43 @@ sysctl_config: net.ipv6.conf.default.accept_redirects: 0 net.ipv6.conf.all.accept_redirects: 0 - # For non-routers: don't send redirects, these settings are 0 + # For non-routers: don't send redirects, these settings are 0 | sysctl-16 net.ipv4.conf.all.send_redirects: 0 net.ipv4.conf.default.send_redirects: 0 - # log martian packets + # log martian packets | sysctl-17 net.ipv4.conf.all.log_martians: 1 # ipv6 config - # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration + # Disable acceptance of IPv6 router solicitations messages | sysctl-21 net.ipv6.conf.default.router_solicitations: 0 + + # Disable Accept Router Preference from router advertisement | sysctl-22 net.ipv6.conf.default.accept_ra_rtr_pref: 0 + + # Disable learning Prefix Information from router advertisement | sysctl-23 net.ipv6.conf.default.accept_ra_pinfo: 0 + + # Disable learning Hop limit from router advertisement | sysctl-24 net.ipv6.conf.default.accept_ra_defrtr: 0 + + # Disable IPv6 autoconfiguration | sysctl-26 net.ipv6.conf.default.autoconf: 0 + + # Disable neighbor solicitations to send out per address | sysctl-27 net.ipv6.conf.default.dad_transmits: 0 + + # Assign one global unicast IPv6 addresses to each interface | sysctl-28 net.ipv6.conf.default.max_addresses: 1 # This settings controls how the kernel behaves towards module changes at # runtime. Setting to 1 will disable module loading at runtime. - # Setting it to 0 is actually never supported. + # Setting it to 0 is actually never supported. | sysctl-29 # kernel.modules_disabled: 1 # Magic Sysrq should be disabled, but can also be set to a safe value if so # desired for physical machines. It can allow a safe reboot if the system hangs - # and is a 'cleaner' alternative to hitting the reset button. + # and is a 'cleaner' alternative to hitting the reset button. | sysctl-30 # The following values are permitted: # * **0** - disable sysrq # * **1** - enable sysrq completely 
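Review bot: The new comment on `net.ipv6.conf.default.accept_ra_defrtr` says it disables learning the hop limit from router advertisements, but in the kernel's ip-sysctl documentation that key controls whether the default router is learned from Router Advertisements; no knob in this list governs hop-limit learning. The wording appears to mirror the baseline control title it references (sysctl-24), so the inaccuracy may originate there, but the comment sits next to the key and will be read as describing it. Suggest `# Disable learning the default router from router advertisement | sysctl-24`. The sysctl-NN tags added throughout this hunk cannot be checked against the baseline from the diff alone.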
@@ -161,18 +173,18 @@ sysctl_config:
   kernel.sysrq: 0
   # Prevent core dumps with SUID. These are usually only
-  # needed by developers and may contain sensitive information.
+  # needed by developers and may contain sensitive information. | sysctl-31
   fs.suid_dumpable: 0
-  # Virtual memory regions protection
+  # Virtual memory regions protection | sysctl-32
   kernel.randomize_va_space: 2
 # Do not delete the following line or otherwise the playbook will fail
-# at task "create a combined sysctl-dict if overwrites are defined"
+# at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
 sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
+  # ExecShield protection against buffer overflows | sysctl-33
   kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks.
+  # Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
   net.ipv4.tcp_syncookies: 1
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 0ab78d82e..f489f4182 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -1,6 +1,8 @@
 ---
-- name: remove packages
-  apt: name='{{item}}' state=removed
+- name: remove deprecated or insecure packages | package-01 - package-09
+  apt:
+    name: '{{item}}'
+    state: 'absent'
   with_items:
-    - "{{os_security_packages_list}}"
-  when: os_security_packages_clean
+    - '{{os_security_packages_list}}'
+  when: 'os_security_packages_clean'
diff --git a/tasks/limits.yml b/tasks/limits.yml
index eedeab73b..826e85f27 100644
--- a/tasks/limits.yml
+++ b/tasks/limits.yml
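Review bot: `when: 'os_security_packages_clean'` in the apt.yml hunk quotes the conditional as a string; Ansible still evaluates it as a Jinja2 expression, so behaviour is unchanged, but every other task touched by this commit writes the bare form and the quotes invite a reader to think a literal string is being tested. The limits.yml hunk that follows introduces the same quoting on both of its `when:` lines. Suggest `when: os_security_packages_clean` here and `when: os_security_kernel_enable_core_dump` there, matching the rest of the role.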
@@ -1,9 +1,19 @@ --- -- name: create limits.d-directory if it does not exist - file: path='/etc/security/limits.d' owner=root group=root mode=0755 state=directory - when: os_security_kernel_enable_core_dump +- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b + file: + path: '/etc/security/limits.d' + owner: 'root' + group: 'root' + mode: '0755' + state: 'directory' + when: 'os_security_kernel_enable_core_dump' -- name: create sane limits.conf - template: src='limits.conf.j2' dest='/etc/security/limits.d/10.hardcore.conf' owner=root group=root mode=0440 - when: os_security_kernel_enable_core_dump +- name: create sane limits.conf | sysctl-31a, sysctl-31b + template: + src: 'limits.conf.j2' + dest: '/etc/security/limits.d/10.hardcore.conf' + owner: 'root' + group: 'root' + mode: '0440' + when: 'os_security_kernel_enable_core_dump' diff --git a/tasks/login_defs.yml b/tasks/login_defs.yml index 9704b3886..02421a585 100644 --- a/tasks/login_defs.yml +++ b/tasks/login_defs.yml @@ -1,4 +1,9 @@ --- -- name: create login.defs - template: src='login.defs.j2' dest='/etc/login.defs' owner=root group=root mode=0444 +- name: create login.defs | os-05, os-05b + template: + src: 'login.defs.j2' + dest: '/etc/login.defs' + owner: 'root' + group: 'root' + mode: '0444' diff --git a/tasks/main.yml b/tasks/main.yml index e65a1797c..9fa614c56 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: add the OS specific variables - include_vars: "{{ ansible_os_family }}.yml" + include_vars: '{{ ansible_os_family }}.yml' tags: always - include: limits.yml diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml index a03c6b474..c5afa8af0 100644 --- a/tasks/minimize_access.yml +++ b/tasks/minimize_access.yml 
@@ -2,7 +2,7 @@ # Using a two-pass approach for checking directories in order to support symlinks. - name: find directories for minimizing access stat: - path: "{{ item }}" + path: '{{ item }}' register: minimize_access_directories with_items: - '/usr/local/sbin' @@ -14,13 +14,24 @@ - '{{os_env_extra_user_paths}}' - name: minimize access - file: path='{{item.stat.path}}' mode='go-w' recurse=yes + file: + path: '{{item.stat.path}}' + mode: 'go-w' + recurse: 'yes' when: item.stat.isdir - with_items: "{{ minimize_access_directories.results }}" + with_items: '{{ minimize_access_directories.results }}' -- name: change shadow ownership to root and mode to 0600 | DTAG SEC Req 3.21-7 - file: dest='/etc/shadow' owner={{ os_shadow_perms.owner }} group={{ os_shadow_perms.group }} mode={{ os_shadow_perms.mode }} +- name: change shadow ownership to root and mode to 0600 | os-02 + file: + dest: '/etc/shadow' + owner: '{{ os_shadow_perms.owner }}' + group: '{{ os_shadow_perms.group }}' + mode: '{{ os_shadow_perms.mode }}' - name: change su-binary to only be accessible to user and group root - file: dest='/bin/su' owner=root group=root mode=0750 + file: + dest: '/bin/su' + owner: 'root' + group: 'root' + mode: '0750' when: os_security_users_allow != None diff --git a/tasks/pam.yml b/tasks/pam.yml index 94e2c155d..a1fb1b81a 100644 --- a/tasks/pam.yml +++ b/tasks/pam.yml 
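Review bot: `recurse: 'yes'` in the "minimize access" task writes a boolean module argument as a quoted string; the file module coerces it, but the same commit writes `update_cache: true` in sysctl.yml, so the role now carries two boolean styles, and the follow-up commit titled "update spaces, bools, trues" leaves this one untouched (it reappears as context in its minimize_access.yml hunk), along with `follow: 'yes'` in suid_sgid.yml and `update_cache: 'yes'` in pam.yml. Suggest `recurse: true` here and the same unquoted form for the others, so a later yamllint/ansible-lint pass does not flag them.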
@@ -7,55 +7,96 @@ DEBIAN_FRONTEND: noninteractive - name: remove pam ccreds on Debian systems - apt: name='{{os_packages_pam_ccreds}}' state=absent + apt: + name: '{{os_packages_pam_ccreds}}' + state: 'absent' when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - name: remove pam ccreds on Redhat systems - yum: name='{{os_packages_pam_ccreds}}' state=absent + yum: + name: '{{os_packages_pam_ccreds}}' + state: 'absent' when: ansible_os_family == 'RedHat' - name: remove pam_cracklib, because it does not play nice with passwdqc - apt: name='{{os_packages_pam_cracklib}}' state=absent + apt: + name: '{{os_packages_pam_cracklib}}' + state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable - name: install the package for strong password checking - apt: name='{{os_packages_pam_passwdqc}}' state='installed' update_cache='yes' + apt: + name: '{{os_packages_pam_passwdqc}}' + state: 'installed' + update_cache: 'yes' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable - name: configure passwdqc - template: src='pam_passwdqd.j2' mode=0640 owner=root group=root dest='{{passwdqc_path}}' + template: + src: 'pam_passwdqd.j2' + dest: '{{passwdqc_path}}' + mode: '0640' + owner: 'root' + group: 'root' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable - name: remove passwdqc - apt: name='{{os_packages_pam_passwdqc}}' state='absent' + apt: + name: '{{os_packages_pam_passwdqc}}' + state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable - name: install tally2 - apt: name='libpam-modules' state='installed' + apt: + name: 'libpam-modules' + state: 'installed' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 - name: configure 
tally2 - template: src='pam_tally2.j2' dest='{{tally2_path}}' mode=0640 owner=root group=root + template: + src: 'pam_tally2.j2' + dest: '{{tally2_path}}' + mode: '0640' + owner: 'root' + group: 'root' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 - name: delete tally2 when retries is 0 - file: path='{{tally2_path}}' state=absent + file: + path: '{{tally2_path}}' + state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0 - name: remove pam_cracklib, because it does not play nice with passwdqc - yum: name='{{os_packages_pam_cracklib}}' state='absent' + yum: + name: '{{os_packages_pam_cracklib}}' + state: 'absent' when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable - name: install the package for strong password checking - yum: name='{{os_packages_pam_passwdqc}}' state='installed' + yum: + name: '{{os_packages_pam_passwdqc}}' + state: 'installed' when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable - name: remove passwdqc - yum: name='{{os_packages_pam_passwdqc}}' state='absent' + yum: + name: '{{os_packages_pam_passwdqc}}' + state: 'absent' when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable - name: configure passwdqc and tally via central system-auth confic - template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root + template: + src: 'rhel_system_auth.j2' + dest: '/etc/pam.d/system-auth-ac' + mode: '0640' + owner: 'root' + group: 'root' - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 - template: src='rhel_libuser.conf.j2' dest='/etc/libuser.conf' mode=0640 owner=root group=root + template: + src: 'rhel_libuser.conf.j2' + dest: '/etc/libuser.conf' + mode: '0640' + owner: 'root' + group: 
'root' diff --git a/tasks/profile.yml b/tasks/profile.yml index 4152cad66..4253dea46 100644 --- a/tasks/profile.yml +++ b/tasks/profile.yml @@ -1,4 +1,9 @@ --- - name: create profile.conf - template: src='profile.conf.j2' dest='/etc/profile.d/pinerolo_profile.sh' owner=root group=root mode=0750 + template: + src: 'profile.conf.j2' + dest: '/etc/profile.d/pinerolo_profile.sh' + owner: 'root' + group: 'root' + mode: '0750' when: not os_security_kernel_enable_core_dump diff --git a/tasks/rhosts.yml b/tasks/rhosts.yml index 12f966c87..050027b1c 100644 --- a/tasks/rhosts.yml +++ b/tasks/rhosts.yml @@ -1,13 +1,17 @@ --- -- name: Get user accounts | DTAG SEC Req 3.21-4 +- name: Get user accounts | os-09 command: "awk -F: '{print $1}' /etc/passwd" changed_when: False check_mode: no register: users -- name: delete rhosts-files from system | DTAG SEC Req 3.21-4 - file: dest='~{{ item }}/.rhosts' state=absent +- name: delete rhosts-files from system | os-09 + file: + dest: '~{{ item }}/.rhosts' + state: 'absent' with_flattened: '{{ users.stdout_lines | default([]) }}' -- name: delete hosts.equiv from system | DTAG SEC Req 3.21-4 - file: dest='/etc/hosts.equiv' state=absent +- name: delete hosts.equiv from system | os-01 + file: + dest: '/etc/hosts.equiv' + state: 'absent' diff --git a/tasks/securetty.yml b/tasks/securetty.yml index 27bcccf80..9f922e2f8 100644 --- a/tasks/securetty.yml +++ b/tasks/securetty.yml @@ -1,3 +1,8 @@ --- - name: create securetty - template: src='securetty.j2' dest='/etc/securetty' owner=root group=root mode=0400 + template: + src: 'securetty.j2' + dest: '/etc/securetty' + owner: 'root' + group: 'root' + mode: '0400' diff --git a/tasks/suid_sgid.yml b/tasks/suid_sgid.yml index 603c80c8c..6ea79a864 100644 --- a/tasks/suid_sgid.yml +++ b/tasks/suid_sgid.yml 
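Review bot: The pam.yml hunk keeps `state: 'installed'` on the apt and yum install tasks while the apt.yml and yum.yml hunks of this same commit move from `removed` to `absent`; `installed` is, as far as I recall, only an undocumented alias for `present` in those modules, so `state: 'present'` is the symmetric, documented spelling (the initramfs-tools task in sysctl.yml has the same alias). While in this hunk, the task name `configure passwdqc and tally via central system-auth confic` has a typo: `config`.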
@@ -1,24 +1,32 @@ --- -- name: remove suid/sgid bit from binaries in blacklist - file: path='{{item}}' mode='a-s' state=file follow=yes +- name: remove suid/sgid bit from binaries in blacklist | os-06 + file: + path: '{{item}}' + mode: 'a-s' + state: 'file' + follow: 'yes' failed_when: false with_flattened: - '{{ os_security_suid_sgid_system_blacklist }}' - '{{ os_security_suid_sgid_blacklist }}' -- name: find binaries with suid/sgid set +- name: find binaries with suid/sgid set | os-06 shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null register: sbit_binaries when: os_security_suid_sgid_remove_from_unknown changed_when: False -- name: gather files from which to remove suids/sgids and remove system white-listed files +- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06 set_fact: suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}' when: os_security_suid_sgid_remove_from_unknown -- name: remove suid/sgid bit from all binaries except in system and user whitelist - file: path='{{item}}' mode='a-s' state=file follow=yes +- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06 + file: + path: '{{item}}' + mode: 'a-s' + state: 'file' + follow: 'yes' with_flattened: - '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}' when: os_security_suid_sgid_remove_from_unknown diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml index 46f8aa7df..c1443ad3d 100644 --- a/tasks/sysctl.yml +++ b/tasks/sysctl.yml 
@@ -1,17 +1,34 @@ --- - name: protect sysctl.conf - file: path='/etc/sysctl.conf' owner=root group=root mode=0440 + file: + path: '/etc/sysctl.conf' + owner: 'root' + group: 'root' + mode: '0440' -- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family - template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544 +- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1 + template: + src: 'rhel_sysconfig_init.j2' + dest: '/etc/sysconfig/init' + owner: 'root' + group: 'root' + mode: '0544' when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' - name: install initramfs-tools - apt: name='initramfs-tools' state=installed update_cache=true + apt: + name: 'initramfs-tools' + state: 'installed' + update_cache: true when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled - template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440 + template: + src: 'modules.j2' + dest: '/etc/initramfs-tools/modules' + owner: 'root' + group: 'root' + mode: '0440' when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading register: initramfs @@ -20,7 +37,8 @@ when: initramfs.changed - name: create a combined sysctl-dict if overwrites are defined - set_fact: sysctl_config="{{ sysctl_config | combine(sysctl_overwrite) }}" + set_fact: + sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' when: sysctl_overwrite | default() - name: Change various sysctl-settings, look at the sysctl-vars file for documentation 
@@ -44,6 +62,8 @@ when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' - name: Apply ufw defaults - template: src="ufw.j2" dest=/etc/default/ufw + template: + src: 'ufw.j2' + dest: '/etc/default/ufw' when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') tags: ufw diff --git a/tasks/user_accounts.yml b/tasks/user_accounts.yml index 1b456401a..657e1567a 100644 --- a/tasks/user_accounts.yml +++ b/tasks/user_accounts.yml @@ -1,25 +1,31 @@ --- - - name: get UID_MIN from login.defs - shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs removes=/etc/login.defs + shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs + args: + removes: /etc/login.defs register: uid_min check_mode: no changed_when: False - name: calculate UID_MAX from UID_MIN by substracting 1 - set_fact: uid_max='{{ uid_min.stdout | int - 1 }}' + set_fact: + uid_max: '{{ uid_min.stdout | int - 1 }}' when: uid_min is defined - name: set UID_MAX on Debian-systems if no login.defs exist - set_fact: uid_max='999' + set_fact: + uid_max: '999' when: ansible_os_family == 'Debian' and not uid_min - name: set UID_MAX on other systems if no login.defs exist - set_fact: uid_max='499' + set_fact: + uid_max: '499' when: not uid_min - name: get all system accounts - command: awk -F'':'' '{ if ( $3 <= {{uid_max|quote}} ) print $1}' /etc/passwd removes=/etc/passwd + command: awk -F'':'' '{ if ( $3 <= {{uid_max|quote}} ) print $1}' /etc/passwd + args: + removes: /etc/passwd changed_when: False check_mode: no register: sys_accs @@ -30,6 +36,9 @@ check_mode: no - name: change system accounts not on the user provided ignore-list - user: name='{{item}}' shell='{{os_nologin_shell_path}}' password='*' + user: + name: '{{item}}' + shell: '{{os_nologin_shell_path}}' + password: '*' with_flattened: - '{{sys_accs_cond | default([]) | difference(os_ignore_users) | list }}' 
diff --git a/tasks/yum.yml b/tasks/yum.yml
index 2c3b9b47b..98694c1c2 100644
--- a/tasks/yum.yml
+++ b/tasks/yum.yml
@@ -1,6 +1,8 @@
 ---
 - name: remove unused repositories
-  file: name='/etc/yum.repos.d/{{item}}.repo' state=absent
+  file:
+    name: '/etc/yum.repos.d/{{item}}.repo'
+    state: 'absent'
   with_items:
     - 'CentOS-Debuginfo'
     - 'CentOS-Media'
@@ -13,24 +15,33 @@
   register: yum_repos
 - name: check if rhnplugin.conf exists
-  stat: path='/etc/yum/pluginconf.d/rhnplugin.conf'
+  stat:
+    path: '/etc/yum/pluginconf.d/rhnplugin.conf'
   register: rhnplugin_file
-  # for the "default([])" see here:
+  # for the 'default([])' see here:
   # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
   # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
 - name: activate gpg-check for yum-repos
-  replace: dest='{{item}}' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+  replace:
+    dest: '{{item}}'
+    regexp: '^\s*gpgcheck: 0'
+    replace: 'gpgcheck: 1'
   with_flattened:
     - '/etc/yum.conf'
     - '{{ yum_repos.stdout_lines| default([]) }}'
 - name: activate gpg-check for yum rhn if it exists
-  replace: dest='/etc/yum/pluginconf.d/rhnplugin.conf' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+  replace:
+    dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
+    regexp: '^\s*gpgcheck: 0'
+    replace: 'gpgcheck: 1'
   when: rhnplugin_file.stat.exists
-- name: remove packages
-  yum: name='{{item}}' state=removed
+- name: remove deprecated or insecure packages | package-01 - package-09
+  yum:
+    name: '{{item}}'
+    state: 'absent'
   with_items:
-    - "{{os_security_packages_list}}"
+    - '{{os_security_packages_list}}'
   when: os_security_packages_clean
diff --git a/templates/login.defs.j2 b/templates/login.defs.j2
index 0fa8a3fc3..b0f69e030 100644
--- a/templates/login.defs.j2
+++ b/templates/login.defs.j2
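Review bot: Both `replace` tasks in the second yum.yml hunk now search for `^\s*gpgcheck: 0` and write `gpgcheck: 1`, but /etc/yum.conf, the .repo files and rhnplugin.conf are INI-style and spell the option `gpgcheck=0`; the old regexp matched that, the new one never will, so GPG signature checking is no longer enforced on any repository and the task reports no change, hiding the regression. The `=` to `: ` rewrite looks like collateral of the key=value-to-YAML conversion being applied inside the string values rather than to the task syntax. Restore `regexp: '^\s*gpgcheck=0'` and `replace: 'gpgcheck=1'` in both tasks. The follow-up commit's yum.yml hunk at the end of this chunk still carries the broken pattern as context, so it needs the same fix.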
@@ -1,21 +1,22 @@ +# {{ ansible_managed | comment }} # Configuration control definitions for the login package. -# +# # Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited. -# +# # Comment lines (lines beginning with `#`) and blank lines are ignored. # #-- Modified for Linux. --marekm # *REQUIRED for useradd/userdel/usermod* -# +# # Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence. # Essentially: -# +# # * `MAIL_DIR` defines the location of users mail spool files (for mbox use) by appending the username to `MAIL_DIR` as defined below. # * `MAIL_FILE` defines the location of the users mail spool files as the fully-qualified filename obtained by prepending the user home directory before `$MAIL_FILE` # # *NOTE*: This is no more used for setting up users MAIL environment variable which is, starting from shadow 4.0.12-1 in Debian, entirely the job of the pam_mail PAM modules. -# +# # See default PAM configuration files provided for login, su, etc. # This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported MAIL_DIR /var/mail @@ -25,7 +26,7 @@ MAIL_DIR /var/mail FAILLOG_ENAB yes # Enable display of unknown usernames when login failures are recorded. -# +# # *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern LOG_UNKFAIL_ENAB no diff --git a/templates/rhel_system_auth.j2 b/templates/rhel_system_auth.j2 index 6a4ca86fe..3e85da711 100644 --- a/templates/rhel_system_auth.j2 +++ b/templates/rhel_system_auth.j2 
@@ -1,5 +1,4 @@ # {{ ansible_managed | comment }} -#--- #%PAM-1.0 {% if os_auth_retries > 0 %} diff --git a/templates/ufw.j2 b/templates/ufw.j2 index 60434654c..fad5bd505 100644 --- a/templates/ufw.j2 +++ b/templates/ufw.j2 @@ -1,3 +1,4 @@ +# {{ ansible_managed | comment }} # /etc/default/ufw # @@ -8,25 +9,25 @@ IPV6={{ 'no' if sysctl_config['net.ipv6.conf.all.disable_ipv6'] is defined and s # Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if # you change this you will most likely want to adjust your rules. -DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}" +DEFAULT_INPUT_POLICY='{{ ufw_default_input_policy }}' # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if # you change this you will most likely want to adjust your rules. -DEFAULT_OUTPUT_POLICY="{{ ufw_default_output_policy }}" +DEFAULT_OUTPUT_POLICY='{{ ufw_default_output_policy }}' # Set the default forward policy to ACCEPT, DROP or REJECT. Please note that # if you change this you will most likely want to adjust your rules -DEFAULT_FORWARD_POLICY="{{ ufw_default_forward_policy }}" +DEFAULT_FORWARD_POLICY='{{ ufw_default_forward_policy }}' # Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please # note that setting this to ACCEPT may be a security risk. See 'man ufw' for # details -DEFAULT_APPLICATION_POLICY="{{ ufw_default_application_policy }}" +DEFAULT_APPLICATION_POLICY='{{ ufw_default_application_policy }}' # By default, ufw only touches its own chains. Set this to 'yes' to have ufw # manage the built-in chains too. Warning: setting this to 'yes' will break # non-ufw managed firewall rules -MANAGE_BUILTINS="{{ ufw_manage_builtins }}" +MANAGE_BUILTINS='{{ ufw_manage_builtins }}' # # IPT backend 
@@ -41,4 +42,4 @@ MANAGE_BUILTINS="{{ ufw_manage_builtins }}"
 # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
 # nf_conntrack_ftp, nf_nat_ftp: active FTP support
 # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
-IPT_MODULES="{{ ufw_ipt_modules }}"
+IPT_MODULES='{{ ufw_ipt_modules }}'
diff --git a/vars/Debian.yml b/vars/Debian.yml
index c1a98e090..ff590bd84 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -11,4 +11,4 @@ os_nologin_shell_path: '/usr/sbin/nologin'
 os_shadow_perms:
   owner: root
   group: shadow
-  mode: "0640"
+  mode: '0640'
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index 39625e180..1140ba58a 100644
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -9,4 +9,4 @@ os_nologin_shell_path: '/sbin/nologin'
 os_shadow_perms:
   owner: root
   group: root
-  mode: "0600"
+  mode: '0600'
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 6874ef769..266e08202 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -9,4 +9,4 @@ os_nologin_shell_path: '/sbin/nologin'
 os_shadow_perms:
   owner: root
   group: root
-  mode: "0600"
+  mode: '0600'
From 8df021d3b5434ae609326950bf77e80181fccdf2 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Sat, 5 Aug 2017 21:43:28 +0200
Subject: [PATCH 2/2] update spaces, bools, trues
---
 tasks/apt.yml | 4 ++--
 tasks/minimize_access.yml | 4 ++--
 tasks/modprobe.yml | 3 +++
 tasks/pam.yml | 22 +++++++++++-----------
 tasks/rhosts.yml | 2 +-
 tasks/suid_sgid.yml | 4 ++--
 tasks/user_accounts.yml | 16 ++++++++--------
 tasks/yum.yml | 8 ++++----
 templates/login.defs.j2 | 22 +++++++++++-----------
 templates/modprobe.j2 | 9 +++++++++
 templates/pam_passwdqd.j2 | 2 +-
 templates/pam_tally2.j2 | 2 +-
 templates/rhel_sysconfig_init.j2 | 2 +-
 templates/rhel_system_auth.j2 | 8 ++++----
 14 files changed, 60 insertions(+), 48 deletions(-)
 create mode 100644 tasks/modprobe.yml
 create mode 100644 templates/modprobe.j2
diff --git a/tasks/apt.yml b/tasks/apt.yml
index f489f4182..b3ceff3e4 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -1,8 +1,8 @@
 ---
 - name: remove deprecated or insecure packages | package-01 - package-09
   apt:
-    name: '{{item}}'
+    name: '{{ item }}'
     state: 'absent'
   with_items:
-    - '{{os_security_packages_list}}'
+    - '{{ os_security_packages_list }}'
   when: 'os_security_packages_clean'
diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml
index c5afa8af0..bc0b2f708 100644
--- a/tasks/minimize_access.yml
+++ b/tasks/minimize_access.yml
@@ -11,11 +11,11 @@
     - '/usr/bin'
     - '/sbin'
     - '/bin'
-    - '{{os_env_extra_user_paths}}'
+    - '{{ os_env_extra_user_paths }}'
 - name: minimize access
   file:
-    path: '{{item.stat.path}}'
+    path: '{{ item.stat.path }}'
     mode: 'go-w'
     recurse: 'yes'
   when: item.stat.isdir
diff --git a/tasks/modprobe.yml b/tasks/modprobe.yml
new file mode 100644
index 000000000..de492ea69
--- /dev/null
+++ b/tasks/modprobe.yml
@@ -0,0 +1,3 @@
+---
+
+# modprobe
diff --git a/tasks/pam.yml b/tasks/pam.yml
index a1fb1b81a..1be55e5b3 100644
--- a/tasks/pam.yml
+++ b/tasks/pam.yml
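Review bot: The new tasks/modprobe.yml holds only the document marker and a `# modprobe` comment, and the second commit's diffstat lists no tasks/main.yml change to include it (templates/modprobe.j2, also listed as created, is not shown in this chunk), so as far as this patch shows the file is inert. Either leave the placeholder out of this commit or land it together with its tasks and a `- include: modprobe.yml` entry next to the other includes in tasks/main.yml, so the hardening it is meant to carry is actually applied.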
@@ -8,25 +8,25 @@ - name: remove pam ccreds on Debian systems apt: - name: '{{os_packages_pam_ccreds}}' + name: '{{ os_packages_pam_ccreds }}' state: 'absent' when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - name: remove pam ccreds on Redhat systems yum: - name: '{{os_packages_pam_ccreds}}' + name: '{{ os_packages_pam_ccreds }}' state: 'absent' when: ansible_os_family == 'RedHat' - name: remove pam_cracklib, because it does not play nice with passwdqc apt: - name: '{{os_packages_pam_cracklib}}' + name: '{{ os_packages_pam_cracklib }}' state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable - name: install the package for strong password checking apt: - name: '{{os_packages_pam_passwdqc}}' + name: '{{ os_packages_pam_passwdqc }}' state: 'installed' update_cache: 'yes' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable @@ -34,7 +34,7 @@ - name: configure passwdqc template: src: 'pam_passwdqd.j2' - dest: '{{passwdqc_path}}' + dest: '{{ passwdqc_path }}' mode: '0640' owner: 'root' group: 'root' @@ -42,7 +42,7 @@ - name: remove passwdqc apt: - name: '{{os_packages_pam_passwdqc}}' + name: '{{ os_packages_pam_passwdqc }}' state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable @@ -55,7 +55,7 @@ - name: configure tally2 template: src: 'pam_tally2.j2' - dest: '{{tally2_path}}' + dest: '{{ tally2_path }}' mode: '0640' owner: 'root' group: 'root' 
@@ -63,25 +63,25 @@ - name: delete tally2 when retries is 0 file: - path: '{{tally2_path}}' + path: '{{ tally2_path }}' state: 'absent' when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0 - name: remove pam_cracklib, because it does not play nice with passwdqc yum: - name: '{{os_packages_pam_cracklib}}' + name: '{{ os_packages_pam_cracklib }}' state: 'absent' when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable - name: install the package for strong password checking yum: - name: '{{os_packages_pam_passwdqc}}' + name: '{{ os_packages_pam_passwdqc }}' state: 'installed' when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable - name: remove passwdqc yum: - name: '{{os_packages_pam_passwdqc}}' + name: '{{ os_packages_pam_passwdqc }}' state: 'absent' when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
diff --git a/tasks/rhosts.yml b/tasks/rhosts.yml
index 050027b1c..b20cd269e 100644
--- a/tasks/rhosts.yml
+++ b/tasks/rhosts.yml
@@ -2,7 +2,7 @@ - name: Get user accounts | os-09 command: "awk -F: '{print $1}' /etc/passwd" changed_when: False - check_mode: no + check_mode: False register: users - name: delete rhosts-files from system | os-09
diff --git a/tasks/suid_sgid.yml b/tasks/suid_sgid.yml
index 6ea79a864..625b7ff99 100644
--- a/tasks/suid_sgid.yml
+++ b/tasks/suid_sgid.yml
@@ -1,7 +1,7 @@ --- - name: remove suid/sgid bit from binaries in blacklist | os-06 file: - path: '{{item}}' + path: '{{ item }}' mode: 'a-s' state: 'file' follow: 'yes'
@@ -23,7 +23,7 @@ - name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06 file: - path: '{{item}}' + path: '{{ item }}' mode: 'a-s' state: 'file' follow: 'yes'
diff --git a/tasks/user_accounts.yml b/tasks/user_accounts.yml
index 657e1567a..e672270c1 100644
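Review bot: `ansible_distribution_version < '7'` in the two Red Hat conditions of this hunk compares version strings lexicographically, so a version such as '10' or a two-digit Fedora release sorts below '7' and takes the pre-7 passwdqc path; `ansible_distribution_major_version|int < 7` (or the `version_compare` test) compares numerically. The same string comparison appears as `ansible_distribution_version >= '7'` in templates/rhel_system_auth.j2 further down this patch and should change with it. The delete tally2 when retries is 0 task is also gated on `not os_auth_pam_passwdqc_enable`, which looks unrelated to tally2; worth checking against the `when` of the configure tally2 task, which lies outside this hunk.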
--- a/tasks/user_accounts.yml
+++ b/tasks/user_accounts.yml
@@ -4,7 +4,7 @@ args: removes: /etc/login.defs register: uid_min - check_mode: no + check_mode: False changed_when: False - name: calculate UID_MAX from UID_MIN by substracting 1
@@ -23,22 +23,22 @@ when: not uid_min - name: get all system accounts - command: awk -F'':'' '{ if ( $3 <= {{uid_max|quote}} ) print $1}' /etc/passwd + command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd args: removes: /etc/passwd changed_when: False - check_mode: no + check_mode: False register: sys_accs - name: remove always ignored system accounts from list set_fact: - sys_accs_cond: '{{sys_accs.stdout_lines | difference(os_always_ignore_users) }}' - check_mode: no + sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}' + check_mode: False - name: change system accounts not on the user provided ignore-list user: - name: '{{item}}' - shell: '{{os_nologin_shell_path}}' + name: '{{ item }}' + shell: '{{ os_nologin_shell_path }}' password: '*' with_flattened: - - '{{sys_accs_cond | default([]) | difference(os_ignore_users) | list }}' + - '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
diff --git a/tasks/yum.yml b/tasks/yum.yml
index 98694c1c2..2f4000f71 100644
--- a/tasks/yum.yml
+++ b/tasks/yum.yml
@@ -1,7 +1,7 @@ --- - name: remove unused repositories file: - name: '/etc/yum.repos.d/{{item}}.repo' + name: '/etc/yum.repos.d/{{ item }}.repo' state: 'absent' with_items: - 'CentOS-Debuginfo'
@@ -24,7 +24,7 @@ # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause - name: activate gpg-check for yum-repos replace: - dest: '{{item}}' + dest: '{{ item }}' regexp: '^\s*gpgcheck: 0' replace: 'gpgcheck: 1' with_flattened:
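Review bot: `regexp: '^\s*gpgcheck: 0'` in the activate gpg-check for yum-repos task cannot match a yum repository file, whose INI syntax is `gpgcheck=0`, so the task silently leaves package signature checking disabled, and if it ever did match it would write an invalid `gpgcheck: 1` line; `regexp: '^\s*gpgcheck\s*=\s*0'` together with `replace: 'gpgcheck=1'` is the form that works. This assumes the `with_flattened` items, which lie outside the hunk, are .repo files as the task name states. Given that this task is what enforces signature verification for everything yum installs, it deserves a comment stating that expectation, e.g. `# .repo files are INI: the key is gpgcheck=<0|1>, not a YAML mapping`.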
@@ -40,8 +40,8 @@ - name: remove deprecated or insecure packages | package-01 - package-09 yum: - name: '{{item}}' + name: '{{ item }}' state: 'absent' with_items: - - '{{os_security_packages_list}}' + - '{{ os_security_packages_list }}' when: os_security_packages_clean
diff --git a/templates/login.defs.j2 b/templates/login.defs.j2
index b0f69e030..f2ceb329b 100644
--- a/templates/login.defs.j2
+++ b/templates/login.defs.j2
@@ -85,7 +85,7 @@ KILLCHAR 025 # Prefix these values with `0` to get octal, `0x` to get hexadecimal. # `022` is the "historical" value in Debian for UMASK # `027`, or even `077`, could be considered better for privacy. -UMASK {{os_env_umask}} +UMASK {{ os_env_umask }} # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name. # If set to yes, userdel will remove the userĀ´s group if it contains no more members, and useradd will create by default a group with the name of the user.
@@ -96,33 +96,33 @@ USERGROUPS_ENAB yes # ----------------------- # Maximum number of days a password may be used. -PASS_MAX_DAYS {{os_auth_pw_max_age}} +PASS_MAX_DAYS {{ os_auth_pw_max_age }} # Minimum number of days allowed between password changes. -PASS_MIN_DAYS {{os_auth_pw_min_age}} +PASS_MIN_DAYS {{ os_auth_pw_min_age }} # Number of days warning given before a password expires. PASS_WARN_AGE 7 # Min/max values for automatic uid selection in useradd -UID_MIN {{os_auth_uid_min}} +UID_MIN {{ os_auth_uid_min }} UID_MAX 60000 # System accounts -SYS_UID_MIN {{os_auth_sys_uid_min}} -SYS_UID_MAX {{os_auth_sys_uid_max}} +SYS_UID_MIN {{ os_auth_sys_uid_min }} +SYS_UID_MAX {{ os_auth_sys_uid_max }} # Min/max values for automatic gid selection in groupadd -GID_MIN {{os_auth_gid_min}} +GID_MIN {{ os_auth_gid_min }} GID_MAX 60000 # System accounts -SYS_GID_MIN {{os_auth_sys_gid_min}} -SYS_GID_MAX {{os_auth_sys_gid_max}} +SYS_GID_MIN {{ os_auth_sys_gid_min }} +SYS_GID_MAX {{ os_auth_sys_gid_max }} # Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES. -LOGIN_RETRIES {{os_auth_retries}} +LOGIN_RETRIES {{ os_auth_retries }} # Max time in seconds for login -LOGIN_TIMEOUT {{os_auth_timeout}} +LOGIN_TIMEOUT {{ os_auth_timeout }} # Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
diff --git a/templates/modprobe.j2 b/templates/modprobe.j2
new file mode 100644
index 000000000..570468310
--- /dev/null
+++ b/templates/modprobe.j2
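Review bot: `UID_MAX 60000`, `GID_MAX 60000` and `PASS_WARN_AGE 7` stay hard-coded while their neighbours in this hunk (`UID_MIN`, `GID_MIN`, `SYS_UID_MIN`/`SYS_UID_MAX`, `PASS_MAX_DAYS`, `PASS_MIN_DAYS`) are templated, so a deployment that raises `os_auth_uid_min` or `os_auth_gid_min` past 60000 produces an inverted range that useradd and groupadd reject. Templating the three from role defaults (new variables would be needed; `os_auth_uid_max` is one proposed name) would keep the file self-consistent. The nearby LOGIN_RETRIES comment also carries two typos, `overriden` and `it's own`, worth fixing while the file is being reformatted.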
@@ -0,0 +1,9 @@
+install cramfs /bin/true
+install freevxfs /bin/true
+install jffs2 /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install squashfs /bin/true
+install udf /bin/true
+install vfat /bin/true
+
diff --git a/templates/pam_passwdqd.j2 b/templates/pam_passwdqd.j2
index 3cb23752f..bbfaedf64 100644
--- a/templates/pam_passwdqd.j2
+++ b/templates/pam_passwdqd.j2
@@ -4,4 +4,4 @@ Priority: 1024 Conflicts: cracklib Password-Type: Primary Password: - requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}} + requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
diff --git a/templates/pam_tally2.j2 b/templates/pam_tally2.j2
index 649fac21a..2b6195077 100644
--- a/templates/pam_tally2.j2
+++ b/templates/pam_tally2.j2
@@ -4,7 +4,7 @@ Priority: 1024 Conflicts: cracklib Auth-Type: Primary Auth-Initial: - required pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}} + required pam_tally2.so deny={{ os_auth_retries }} onerr=fail unlock_time={{ os_auth_lockout_time }} Account-Type: Primary Account-Initial: required pam_tally2.so
diff --git a/templates/rhel_sysconfig_init.j2 b/templates/rhel_sysconfig_init.j2
index f3f76f47b..1d2e46620 100644
--- a/templates/rhel_sysconfig_init.j2
+++ b/templates/rhel_sysconfig_init.j2
@@ -18,7 +18,7 @@ SETCOLOR_WARNING="echo -en \\033[0;33m" # terminal sequence to reset to the default color. SETCOLOR_NORMAL="echo -en \\033[0;39m" # Set to anything other than 'no' to allow hotkey interactive startup... -PROMPT={{ 'yes' if os_security_init_prompt else 'no' }} +PROMPT={{ 'yes' if (os_security_init_prompt|bool) else 'no' }} # Set to 'yes' to allow probing for devices with swap signatures AUTOSWAP=no # What ttys should gettys be started on?
diff --git a/templates/rhel_system_auth.j2 b/templates/rhel_system_auth.j2
index 3e85da711..05ba7d766 100644
--- a/templates/rhel_system_auth.j2
+++ b/templates/rhel_system_auth.j2
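Review bot: `install vfat /bin/true` disables the vfat module unconditionally, and on UEFI hosts the EFI System Partition mounted at /boot/efi is vfat, so once this template is deployed that mount (and any firmware or bootloader update that writes to it) fails; the line needs a role variable guard, or at minimum a comment such as `# vfat is required for the EFI System Partition on UEFI hosts`, before the template goes live. `install squashfs /bin/true` may likewise affect hosts that rely on squashfs images (snap packages, live media), which is worth a similar note. An `install … /bin/true` line only prevents future loads; a module already resident stays loaded until it is unloaded or the host reboots, so the deploying task should not be assumed to take effect immediately. The file also ends with a stray blank line and, unlike a managed config, carries no `# {{ ansible_managed }}` header to mark it as role-owned.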
@@ -2,7 +2,7 @@ #%PAM-1.0 {% if os_auth_retries > 0 %} -auth required pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}} +auth required pam_tally2.so deny={{ os_auth_retries }} onerr=fail unlock_time={{ os_auth_lockout_time }} {% endif %} auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass
@@ -17,11 +17,11 @@ account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so -{% if os_auth_pam_passwdqc_enable %} +{% if (os_auth_pam_passwdqc_enable|bool) %} {%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %} -password required pam_pwquality.so {{os_auth_pam_pwquality_options}} +password required pam_pwquality.so {{ os_auth_pam_pwquality_options }} {%- else %} -password requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}} +password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }} {%- endif %} {% else %} password requisite pam_cracklib.so try_first_pass retry=3 type=
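Review bot: `auth sufficient pam_unix.so nullok try_first_pass` in the first hunk keeps `nullok`, which lets an account with an empty password field authenticate; for a hardening template that deserves an explicit decision, and unless it is deliberate compatibility, dropping `nullok` is the fix (this is a context line the commit does not touch). In the second hunk, `account sufficient pam_succeed_if.so uid < 500 quiet` hard-codes the RHEL 6 system-account boundary while the role templates `UID_MIN` and `SYS_UID_MAX` in login.defs; `uid < {{ os_auth_uid_min }}` would keep the two in step, subject to confirming that variable's default. The PAM stack continues past the end of the second hunk.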