  1. ---
  2. - name: NIST 800-171 Security Configuration
  3.   hosts: all
  4.   become: true
  5.  
  6.   #  Vars
  7.   #########
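  vars:
    # --- sshd_config -------------------------------------------------------
    # ClientAliveInterval, in seconds.
    sshd_idle_timeout_value: "600"
    # NOTE(review): hmac-sha1 and hmac-sha1-etm are still in this list;
    # confirm SHA-1 MACs are acceptable for the baseline you are targeting.
    sshd_approved_macs: "hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"

    # --- IPv6 sysctl values (strings, handed to the sysctl module as-is) ----
    sysctl_net_ipv6_conf_default_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_forwarding_value: "0"
    sysctl_net_ipv6_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv6_conf_default_accept_ra_value: "0"
    sysctl_net_ipv6_conf_all_accept_ra_value: "0"
    sysctl_net_ipv6_conf_default_accept_redirects_value: "0"

    # --- IPv4 sysctl values -------------------------------------------------
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: "1"
    sysctl_net_ipv4_conf_default_log_martians_value: "1"
    sysctl_net_ipv4_conf_all_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_default_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv4_conf_all_log_martians_value: "1"
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: "1"
    sysctl_net_ipv4_ip_forward: "0"

    # --- Account and password policy (login.defs / useradd) -----------------
    # Days after password expiry before the account is disabled (INACTIVE=).
    var_account_disable_post_pw_expiration: "35"
    var_accounts_password_minlen_login_defs: "15"
    var_accounts_minimum_age_login_defs: "7"
    var_accounts_maximum_age_login_defs: "60"

    # --- pam_faillock -------------------------------------------------------
    var_accounts_passwords_pam_faillock_deny: "3"
    # "never" is a pam_faillock keyword (stay locked until an administrator
    # runs faillock to reset), so it is deliberately not a number.
    # NOTE(review): confirm the keyword against pam_faillock(8) on the target.
    var_accounts_passwords_pam_faillock_unlock_time: never
    var_accounts_passwords_pam_faillock_fail_interval: "900"

    # --- pam_unix / pwquality -----------------------------------------------
    var_password_pam_unix_remember: "5"
    # pwquality minlen is kept equal to the login.defs minimum length.
    var_password_pam_minlen: "{{ var_accounts_password_minlen_login_defs }}"
    var_password_pam_maxclassrepeat: "4"
    var_password_pam_dcredit: "-1"
    var_password_pam_minclass: "4"
    var_password_pam_difok: "8"
    var_password_pam_ocredit: "-1"
    var_password_pam_lcredit: "-1"
    var_password_pam_ucredit: "-1"

    # --- Session limits -----------------------------------------------------
    var_accounts_tmout: "600"
    var_accounts_fail_delay: "4"
    var_accounts_max_concurrent_login_sessions: "10"

    # --- auditd -------------------------------------------------------------
    var_auditd_admin_space_left_action: "single"
    var_auditd_space_left_action: "email"

    # --- Firewall -----------------------------------------------------------
    # Integer on purpose: the firewalld task tests `sshd_listening_port == 22`
    # in a `when:` clause. A quoted "22" is a string and never equals the
    # integer 22, so the ssh service would silently never be opened.
    sshd_listening_port: 22

    # --- auditd rules -------------------------------------------------------
    # "b32"/"b64" derived from the last two digits of ansible_architecture.
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
    combined_audit_file: "/etc/audit/rules.d/all.rules"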
  50.  
  51.   #  Pre-Tasks
  52.   ############
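  pre_tasks:
    # firewalld is only installed here; enabling and starting it happens in
    # the "Firewall" section of tasks below, so the name no longer claims it.
    - name: "Install firewalld"
      yum:
        name: firewalld
        state: present

    # Full update of every package on each run. This will report "changed"
    # whenever anything has a newer version available.
    - name: "Update system"
      yum:
        name: "*"
        state: latest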
  64.   #  Tasks
  65.   ##########
  66.   tasks:
  67.     # Kernel
  68.     - name: Disable service kdump
  69.       service:
  70.         name: "{{item}}"
  71.         enabled: "no"
  72.         state: "stopped"
  73.       register: service_result
  74.       failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  75.       with_items:
  76.         - kdump
  77.  
  78.     - name: Disable socket of service kdump if applicable
  79.       service:
  80.         name: "{{item}}"
  81.         enabled: "no"
  82.         state: "stopped"
  83.       register: socket_result
  84.       failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  85.       with_items:
  86.         - kdump.socket
  87.  
  88.     # IPv6 sysctl values
  89.     - name: Ensure sysctl values are set
  90.       sysctl:
  91.         name: "{{ item.name }}"
  92.         value: "{{ item.value }}"
  93.         state: present
  94.         reload: yes
  95.       with_items:
  96.         - name: net.ipv6.conf.default.accept_source_route
  97.           value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
  98.         - name: net.ipv6.conf.all.accept_source_route
  99.           value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
  100.         - name: net.ipv6.conf.all.forwarding
  101.           value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}"
  102.         - name: net.ipv6.conf.all.accept_redirects
  103.           value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}"
  104.         - name: net.ipv6.conf.default.accept_ra
  105.           value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}"
  106.         - name: net.ipv6.conf.all.accept_ra
  107.           value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}"
  108.         - name: net.ipv6.conf.default.accept_redirects
  109.           value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}"
  110.         - name: net.ipv6.conf.all.disable_ipv6
  111.           value: "1"
  112.  
  113.     # IPv4 kernel networking values
  114.     - name: Ensure sysctl values are set
  115.       sysctl:
  116.         name: "{{ item.name }}"
  117.         value: "{{ item.value }}"
  118.         state: present
  119.         reload: yes
  120.       with_items:
  121.         - name: net.ipv4.icmp_ignore_bogus_error_responses
  122.           value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
  123.         - name: net.ipv4.conf.default.log_martians
  124.           value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
  125.         - name: net.ipv4.conf.all.secure_redirects
  126.           value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
  127.         - name: net.ipv4.conf.default.secure_redirects
  128.           value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
  129.         - name: net.ipv4.conf.all.accept_redirects
  130.           value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
  131.         - name: net.ipv4.conf.all.log_martians
  132.           value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
  133.         - name: net.ipv4.icmp_echo_ignore_broadcasts
  134.           value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
  135.         - name: net.ipv4.ip_forward
  136.           value: "{{ sysctl_net_ipv4_ip_forward }}"
  137.         - name: net.ipv4.conf.all.send_redirects
  138.           value: 0
  139.         - name: net.ipv4.conf.default.send_redirects
  140.           value: 0
  141.  
  142.       # Other values
  143.     - name: Ensure sysctl values are set
  144.       sysctl:
  145.         name: "{{ item.name }}"
  146.         value: "{{ item.value }}"
  147.         state: present
  148.         reload: yes
  149.       with_items:
  150.         - name: fs.suid_dumpable
  151.           value: "0"
  152.         - name: kernel.randomize_va_space
  153.           value: "2"
  154.         - name: kernel.dmesg_restrict
  155.           value: "1"
  156.         - name: kernel.kptr_restrict
  157.           value: "1"
  158.         - name: kernel.kexec_load_disabled
  159.           value: "1"
  160.  
  161.     #
  162.     # Disable uncommon Network Protocols and Bluetooth
  163.     #
  164.     - name: Ensure unnecessary kernel modules are disabled
  165.       lineinfile:
  166.         create: yes
  167.         dest: "/etc/modprobe.d/{{item}}.conf"
  168.         regexp: '{{item}}'
  169.         line: "install {{item}} /bin/true"
  170.       with_items:
  171.         - dccp
  172.         - sctp
  173.         - bluetooth
  174.         - hfs
  175.         - usb-storage
  176.         - freevxfs
  177.         - squashfs
  178.         - hfsplus
  179.         - jffs2
  180.         - cramfs
  181.  
  182.     #
  183.     # OpenSSH
  184.     #
  185.     - name: "Disable SSH Root Login"
  186.       lineinfile:
  187.         create: yes
  188.         dest: "/etc/ssh/sshd_config"
  189.         regexp: "^PermitRootLogin"
  190.         line: "PermitRootLogin no"
  191.         insertafter: '(?i)^#?authentication'
  192.         validate: sshd -t -f %s
  193.  
  194.     - name: "Disable SSH Support for User Known Hosts"
  195.       lineinfile:
  196.         create: yes
  197.         dest: /etc/ssh/sshd_config
  198.         regexp: ^IgnoreUserKnownHosts
  199.         line: IgnoreUserKnownHosts yes
  200.         validate: sshd -t -f %s
  201.      
  202.     - name: Disable SSH Access via Empty Passwords
  203.       lineinfile:
  204.         create: yes
  205.         dest: /etc/ssh/sshd_config
  206.         regexp: ^PermitEmptyPasswords
  207.         line: PermitEmptyPasswords no
  208.         validate: sshd -t -f %s
  209.  
  210.     - name: Set SSH Client Alive Count
  211.       lineinfile:
  212.         create: yes
  213.         dest: /etc/ssh/sshd_config
  214.         regexp: ^ClientAliveCountMax
  215.         line: ClientAliveCountMax 0
  216.         validate: sshd -t -f %s
  217.  
  218.     - name: Set SSH Idle Timeout Interval
  219.       lineinfile:
  220.         create: yes
  221.         dest: /etc/ssh/sshd_config
  222.         regexp: ^ClientAliveInterval
  223.         line: "ClientAliveInterval {{ sshd_idle_timeout_value }}"
  224.         validate: sshd -t -f %s
  225.  
  226.     - name: Use Only Approved Ciphers
  227.       lineinfile:
  228.         create: yes
  229.         dest: /etc/ssh/sshd_config
  230.         regexp: ^Ciphers
  231.         line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
  232.         validate: sshd -t -f %s
  233.      
  234.     - name: "Enable use of Privilege Separation"
  235.       lineinfile:
  236.         create: yes
  237.         dest: /etc/ssh/sshd_config
  238.         regexp: (?i)^#?useprivilegeseparation
  239.         line: UsePrivilegeSeparation sandbox
  240.         validate: sshd -t -f %s
  241.      
  242.     - name: "Disable GSSAPI Authentication"
  243.       lineinfile:
  244.         create: yes
  245.         dest: /etc/ssh/sshd_config
  246.         regexp: (?i)^#?gssapiauthentication
  247.         line: GSSAPIAuthentication no
  248.         validate: sshd -t -f %s
  249.      
  250.     - name: "Disable Compression or Set Compression to delayed"
  251.       lineinfile:
  252.         create: yes
  253.         dest: /etc/ssh/sshd_config
  254.         regexp: (?i)^#?compression
  255.         line: Compression delayed
  256.         validate: sshd -t -f %s
  257.  
  258.     - name: Do Not Allow SSH Environment Options
  259.       lineinfile:
  260.         create: yes
  261.         dest: /etc/ssh/sshd_config
  262.         regexp: ^PermitUserEnvironment
  263.         line: PermitUserEnvironment no
  264.         validate: sshd -t -f %s
  265.  
  266.     - name: "Use Only Approved MACs"
  267.       lineinfile:
  268.         create: yes
  269.         dest: /etc/ssh/sshd_config
  270.         regexp: ^MACs
  271.         line: "MACs {{ sshd_approved_macs }}"
  272.         validate: sshd -t -f %s
  273.  
  274.     - name: Enable SSH Warning Banner
  275.       lineinfile:
  276.         create: yes
  277.         dest: /etc/ssh/sshd_config
  278.         regexp: ^Banner
  279.         line: Banner /etc/issue
  280.         validate: sshd -t -f %s
  281.  
  282.     - name: Ensure permission 0644 on /etc/ssh/*.pub
  283.       file:
  284.         path: "{{ item }}"
  285.         mode: 0644
  286.       with_fileglob:
  287.         - "/etc/ssh/*.pub"
  288.  
  289.     # Because of Systemd, we need to use permissions of 0640, so that
  290.     #  the group ssh_keys can read the generated ssh private keys for
  291.     #  access to the system.
  292.     - name: Ensure permission 0600 on /etc/ssh/*_key
  293.       file:
  294.         path: "{{ item }}"
  295.         mode: 0600
  296.       with_fileglob:
  297.         - "/etc/ssh/*_key"
  298.  
  299.     #
  300.     # AIDE package
  301.     #
  302.     - name: Ensure aide is installed
  303.       package:
  304.         name: "{{item}}"
  305.         state: present
  306.       with_items:
  307.         - aide
  308.  
  309.     - name: "Build and Test AIDE Database"
  310.       shell: /usr/sbin/aide --init
  311.    
  312.     - name: "Check whether the stock AIDE Database exists"
  313.       stat:
  314.         path: /var/lib/aide/aide.db.new.gz
  315.       register: aide_database
  316.  
  317.     - name: "Stage AIDE Database"
  318.       copy:
  319.         src: /var/lib/aide/aide.db.new.gz
  320.         dest: /var/lib/aide/aide.db.gz
  321.         backup: yes
  322.         remote_src: yes
  323.       when: aide_database.stat.exists is defined and not aide_database.stat.exists
  324.  
  325.     - name: "Configure Periodic Execution of AIDE"
  326.       cron:
  327.         name: "run AIDE check"
  328.         minute: "05"
  329.         hour: "04"
  330.         weekday: "0"
  331.         user: root
  332.         job: "/usr/sbin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost"
  333.    
  334.     #
  335.     # YUM
  336.     #
  337.     - name: Check existence of yum on Fedora
  338.       stat:
  339.         path: /etc/yum.conf
  340.       register: yum_config_file
  341.       check_mode: no
  342.       when: ansible_distribution == "Fedora"
  343.  
  344.     - name: "Ensure YUM Removes Previous Package Versions"
  345.       lineinfile:
  346.         dest: /etc/yum.conf
  347.         regexp: ^#?clean_requirements_on_remove
  348.         line: clean_requirements_on_remove=1
  349.         insertafter: '\[main\]'
  350.    
  351.     - name: Ensure GPG check Enabled for Local Packages (Yum)
  352.       ini_file:
  353.         dest: "{{item}}"
  354.         section: main
  355.         option: localpkg_gpgcheck
  356.         value: "1"
  357.         create: True
  358.       with_items: "/etc/yum.conf"
  359.       when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists
  360.    
  361.     - name: Ensure GPG check Enabled for Local Packages (DNF)
  362.       ini_file:
  363.         dest: "{{item}}"
  364.         section: main
  365.         option: localpkg_gpgcheck
  366.         value: 1
  367.         create: True
  368.       with_items: "/etc/dnf/dnf.conf"
  369.       when: ansible_distribution == "Fedora"
  370.  
  371.     #
  372.     # Firewall
  373.     #
  374.     - name: Enable service firewalld
  375.       service:
  376.         name: "{{ item }}"
  377.         enabled: "yes"
  378.         state: "started"
  379.       with_items:
  380.         - firewalld
  381.  
  382.     - name: Enable SSHD in firewalld (default port)
  383.       firewalld:
  384.         service: ssh
  385.         permanent: yes
  386.         state: enabled
  387.       when: sshd_listening_port == 22
  388.  
  389.     - name: Set work zone in firewalld
  390.       firewalld:
  391.         zone: work
  392.         source: "10.0.0.0/8"
  393.         permanent: yes
  394.         state: enabled
  395.  
  396.     - name: Update log denied settings for firewalld
  397.       shell: firewall-cmd --set-log-denied=all
  398.  
  399.     - name: "Set Default Firewall zone to DROP"
  400.       lineinfile:
  401.         dest: /etc/firewalld/firewalld.conf
  402.         regexp: '^DefaultZone'
  403.         line: 'DefaultZone=drop'
  404.         state: present
  405.  
  406.     #
  407.     # Access Control
  408.     #
  409.     - name: "Restrict Serial Port Root Logins"
  410.       lineinfile:
  411.         dest: /etc/securetty
  412.         regexp: 'ttyS[0-9]'
  413.         state: absent
  414.  
  415.     - name: "Direct root Logins Not Allowed"
  416.       shell: echo > /etc/securetty
  417.       changed_when: false
  418.  
  419.     - name: "Restrict Virtual Console Root Logins"
  420.       lineinfile:
  421.         dest: /etc/securetty
  422.         regexp: '^vc'
  423.         state: absent
  424.  
  425.     - name: Set Account Expiration Following Inactivity
  426.       lineinfile:
  427.         create: yes
  428.         dest: /etc/default/useradd
  429.         regexp: ^INACTIVE
  430.         line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  431.  
  432.     - name: "Set Password Minimum Length in login.defs"
  433.       lineinfile:
  434.         dest: /etc/login.defs
  435.         regexp: "^PASS_MIN_LEN *[0-9]*"
  436.         state: present
  437.         line: "PASS_MIN_LEN        {{ var_accounts_password_minlen_login_defs }}"
  438.  
  439.     - name: Set Password Minimum Age
  440.       lineinfile:
  441.         create: yes
  442.         dest: /etc/login.defs
  443.         regexp: ^#?PASS_MIN_DAYS
  444.         line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
  445.  
  446.     - name: Set Password Maximum Age
  447.       lineinfile:
  448.         create: yes
  449.         dest: /etc/login.defs
  450.         regexp: ^#?PASS_MAX_DAYS
  451.         line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
  452.  
  453.     - name: "Prevent Log In to Accounts With Empty Password - system-auth"
  454.       replace:
  455.         dest: /etc/pam.d/system-auth
  456.         follow: yes
  457.         regexp: 'nullok'
  458.    
  459.     - name: "Prevent Log In to Accounts With Empty Password - password-auth"
  460.       replace:
  461.         dest: /etc/pam.d/password-auth
  462.         follow: yes
  463.         regexp: 'nullok'
  464.  
  465.     #
  466.     # PAM Configuration
  467.     #
  468.     - name: set auth pam_faillock before pam_unix.so
  469.       pamd:
  470.         name: system-auth
  471.         type: auth
  472.         control: sufficient
  473.         module_path: pam_unix.so
  474.         new_type: auth
  475.         new_control: required
  476.         new_module_path: pam_faillock.so
  477.         module_arguments: 'preauth
  478.             silent
  479.             even_deny_root
  480.             deny: {{ var_accounts_passwords_pam_faillock_deny }}
  481.             unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
  482.             fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
  483.         state: before
  484.    
  485.     - name: set auth pam_faillock after pam_unix.so
  486.       pamd:
  487.         name: system-auth
  488.         type: auth
  489.         control: sufficient
  490.         module_path: pam_unix.so
  491.         new_type: auth
  492.         new_control: '[default=die]'
  493.         new_module_path: pam_faillock.so
  494.         module_arguments: 'preauth
  495.             silent
  496.             even_deny_root
  497.             deny: {{ var_accounts_passwords_pam_faillock_deny }}
  498.             unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
  499.             fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
  500.         state: after
  501.    
  502.     - name: set account pam_faillock before pam_unix.so
  503.       pamd:
  504.         name: system-auth
  505.         type: account
  506.         control: required
  507.         module_path: pam_unix.so
  508.         new_type: account
  509.         new_control: required
  510.         new_module_path: pam_faillock.so
  511.         state: before
  512.  
  513.     - name: "Do not allow users to reuse recent passwords - system-auth (change)"
  514.       replace:
  515.         dest: /etc/pam.d/system-auth
  516.         follow: yes
  517.         regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
  518.         replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
  519.    
  520.     - name: "Do not allow users to reuse recent passwords - system-auth (add)"
  521.       replace:
  522.         dest: /etc/pam.d/system-auth
  523.         follow: yes
  524.         regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
  525.         replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
  526.  
  527.     - name: Ensure PAM variable minlen is set accordingly
  528.       lineinfile:
  529.         create: yes
  530.         dest: "/etc/security/pwquality.conf"
  531.         regexp: '^#?\s*minlen'
  532.         line: "minlen = {{ var_password_pam_minlen }}"
  533.  
  534.     - name: Ensure PAM variable maxclassrepeat is set accordingly
  535.       lineinfile:
  536.         create: yes
  537.         dest: "/etc/security/pwquality.conf"
  538.         regexp: '^#?\s*maxclassrepeat'
  539.         line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
  540.  
  541.     - name: Ensure PAM variable dcredit is set accordingly
  542.       lineinfile:
  543.         create: yes
  544.         dest: "/etc/security/pwquality.conf"
  545.         regexp: '^#?\s*dcredit'
  546.         line: "dcredit = {{ var_password_pam_dcredit }}"
  547.  
  548.     - name: Ensure PAM variable minclass is set accordingly
  549.       lineinfile:
  550.         create: yes
  551.         dest: "/etc/security/pwquality.conf"
  552.         regexp: '^#?\s*minclass'
  553.         line: "minclass = {{ var_password_pam_minclass }}"
  554.  
  555.     - name: Ensure PAM variable difok is set accordingly
  556.       lineinfile:
  557.         create: yes
  558.         dest: "/etc/security/pwquality.conf"
  559.         regexp: '^#?\s*difok'
  560.         line: "difok = {{ var_password_pam_difok }}"
  561.  
  562.     - name: Ensure PAM variable ocredit is set accordingly
  563.       lineinfile:
  564.         create: yes
  565.         dest: "/etc/security/pwquality.conf"
  566.         regexp: '^#?\s*ocredit'
  567.         line: "ocredit = {{ var_password_pam_ocredit }}"
  568.  
  569.     - name: Ensure PAM variable ocredit is set accordingly
  570.       lineinfile:
  571.         create: yes
  572.         dest: "/etc/security/pwquality.conf"
  573.         regexp: '^#?\s*lcredit'
  574.         line: "lcredit = {{ var_password_pam_lcredit }}"
  575.  
  576.     - name: Ensure PAM variable ocredit is set accordingly
  577.       lineinfile:
  578.         create: yes
  579.         dest: "/etc/security/pwquality.conf"
  580.         regexp: '^#?\s*ucredit'
  581.         line: "ucredit = {{ var_password_pam_ucredit }}"
  582.  
  583.     #
  584.     # Protect Physical Console Access
  585.     #
  586.     - name: Ensure screen is installed
  587.       package:
  588.         name: "{{item}}"
  589.         state: present
  590.       with_items:
  591.         - screen
  592.  
  593.     - name: Set Interactive Session Timeout
  594.       lineinfile:
  595.         create: yes
  596.         dest: /etc/profile
  597.         regexp: ^#?TMOUT
  598.         line: "TMOUT={{ var_accounts_tmout }}"
  599.  
  600.     - name: Set accounts logon fail delay
  601.       lineinfile:
  602.         dest: /etc/login.defs
  603.         regexp: ^FAIL_DELAY
  604.         line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
  605.  
  606.     - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
  607.       lineinfile:
  608.         state: present
  609.         dest: /etc/security/limits.conf
  610.         insertbefore: "^# End of file"
  611.         regexp: "^#?\\*.*maxlogins"
  612.         line: "*           hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
  613.  
  614.     #
  615.     # Auditd
  616.     #
  617.     - name: Configure auditd Flush Priority
  618.       lineinfile:
  619.         dest: /etc/audit/auditd.conf
  620.         regexp: '.*flush.*'
  621.         line: flush = data
  622.  
  623.     - name: Configure auditd Flush Priority
  624.       lineinfile:
  625.         dest: /etc/audisp/plugins.d/syslog.conf
  626.         regexp: '^active'
  627.         line: "active = yes"
  628.  
  629.     - name: Configure auditd admin_space_left Action on Low Disk Space
  630.       lineinfile:
  631.         dest: /etc/audit/auditd.conf
  632.         line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
  633.         regexp: "^admin_space_left_action*"
  634.  
  635.     - name: Configure auditd space_left Action on Low Disk Space
  636.       lineinfile:
  637.         dest: /etc/audit/auditd.conf
  638.         line: "space_left_action = {{ var_auditd_space_left_action }}"
  639.         regexp: ^space_left_action*
  640.  
  641.     - name: Update audit files
  642.       lineinfile:
  643.         dest: "{{ combined_audit_file }}"
  644.         line: "{{ item }}"
  645.         create: yes
  646.       with_items:
  647.         - "-D"
  648.         - "-b 8192"
  649.         - "-f 2"
  650.         - "-w /usr/sbin/rmmod -p x -k modules"
  651.         - "-a always,exit -F arch=b32 -S delete_module -k modules"
  652.         - "-a always,exit -F arch=b64 -S delete_module -k modules"
  653.         - "-w /usr/sbin/modprobe -p x -k modules"
  654.         - "-w /usr/sbin/insmod -p x -k modules"
  655.         - "-a always,exit -F arch=b32 -S init_module -k modules"
  656.         - "-a always,exit -F arch=b64 -S init_module -k modules"
  657.         - "-w /var/log/lastlog -p wa -k logins"
  658.         - "-w /var/run/faillock/ -p wa -k logins"
  659.         - "-w /var/log/tallylog -p wa -k logins"
  660.         - "-w /etc/localtime -p wa -k audit_time_rules"
  661.         - "-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules"
  662.         - "-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules"
  663.         - "-a always,exit -F arch=b32 -S stime -F key=audit_time_rules"
  664.         - "-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules"
  665.         - "-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules"
  666.         - "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change"
  667.         - "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change"
  668.         - "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  669.         - "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  670.         - "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  671.         - "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  672.         - "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  673.         - "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  674.         - "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  675.         - "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  676.         - "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  677.         - "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  678.         - "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  679.         - "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  680.         - "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  681.         - "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  682.         - "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  683.         - "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  684.         - "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  685.         - "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  686.         - "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  687.         - "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  688.         - "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  689.         - "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  690.         - "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  691.         - "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  692.         - "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  693.         - "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  694.         - "-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  695.         - "-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  696.         - "-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  697.         - "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  698.         - "-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  699.         - "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete"
  700.         - "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete"
  701.         - "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete"
  702.         - "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete"
  703.         - "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete"        
  704.         - "-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  705.         - "-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  706.         - "-a always,exit -F path=/usr/bin/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  707.         - "-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  708.         - "-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  709.         - "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  710.         - "-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  711.         - "-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  712.         - "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  713.         - "-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  714.         - "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  715.         - "-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  716.         - "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  717.         - "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  718.         - "-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  719.         - "-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  720.         - "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  721.         - "-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  722.         - "-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  723.         - "-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  724.         - "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  725.         - "-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  726.         - "-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  727.         - "-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  728.         - "-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  729.         - "-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  730.         - "-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  731.         - "-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  732.         - "-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  733.         - "-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  734.         - "-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  735.         - "-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  736.         - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  737.         - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  738.         - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  739.         - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  740.         - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  741.         - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  742.         - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  743.         - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  744.         - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  745.         - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  746.         - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  747.         - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  748.         - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  749.         - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  750.         - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  751.         - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  752.         - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  753.         - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  754.         - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  755.         - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  756.         - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  757.         - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  758.         - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  759.         - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  760.         - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  761.         - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  762.         - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  763.         - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  764.         - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  765.         - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  766.         - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  767.         - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  768.         - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  769.         - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  770.         - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  771.         - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  772.         - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  773.         - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  774.         - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  775.         - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  776.         - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  777.         - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  778.         - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  779.         - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  780.         - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  781.         - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  782.         - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  783.         - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  784.         - "-w /etc/sudoers -p wa -k actions"
  785.         - "-w /etc/sudoers.d/ -p wa -k actions"
  786.         - "-a always,exit -F arch=b64 -S sethostname -F key=audit_rules_networkconfig_modification"
  787.         - "-a always,exit -F arch=b64 -S setdomainname -F key=audit_rules_networkconfig_modification"
  788.         - "-w /etc/issue -p wa -k audit_rules_networkconfig_modification"
  789.         - "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification"
  790.         - "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification"
  791.         - "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification"
  792.         - "-w /var/run/utmp -p wa -k session"
  793.         - "-w /var/log/btmp -p wa -k session"
  794.         - "-w /var/log/wtmp -p wa -k session"
  795.         - "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
  796.         - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export"
  797.         - "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
  798.         - "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
  799.         - "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
  800.         - "-w /etc/group -p wa -k audit_rules_usergroup_modification"
  801.         - "-w /etc/selinux/ -p wa -k MAC-policy"
  802.         - "-e 2"
  803.  
    #
    # Secure Grub configuration (the tasks below are commented out and not applied)
    #
  807.     # - name: Install dracut-fips
  808.     #   yum:
  809.     #     name: dracut-fips
  810.     #     state: installed
  811.  
  812.     # - name: Grub configuration
  813.     #   lineinfile:
  814.     #     create: yes
  815.     #     dest: /etc/default/grub
  816.     #     regexp: ^GRUB_CMDLINE_LINUX
    #     line: GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 slub_debug=P page_poison=1 vsyscall=none fips=1 audit=1 audit_backlog_limit=8192"
  818.  
  819.     # - name: Update initrd and bootloader
  820.     #   shell: |
  821.     #     dracut -f
  822.     #     grub2-mkconfig -o /etc/grub2.cfg
  823.  
    #
    # Remount /dev/shm with noexec and persist the option in /etc/fstab
    #
  827.     - name: get back device associated to mountpoint
  828.       shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
  829.       register: device_name
  830.       check_mode: no
  831.  
  832.     - name: get back device previous mount option
  833.       shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
  834.       register: device_cur_mountoption
  835.       check_mode: no
  836.    
  837.     - name: get back device fstype
  838.       shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
  839.       register: device_fstype
  840.       check_mode: no
  841.    
  842.     - name: Ensure permission noexec are set on /dev/shm
  843.       mount:
  844.         path: "/dev/shm"
  845.         src: "{{device_name.stdout}}"
  846.         opts: "{{device_cur_mountoption.stdout}},noexec"
  847.         state: "mounted"
  848.         fstype: "{{device_fstype.stdout}}"