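---
# Hardening play for NIST SP 800-171 style controls on RHEL/CentOS/Fedora hosts.
# Operator-tunable values live in `vars`; everything else is applied verbatim.
#
# Ordering that matters is called out inline:
#   * the Firewall section opens SSH before the default zone is switched to
#     `drop`, so the port comparison there must be correct or operators are
#     locked out after the next firewalld reload;
#   * the audit rule set ends with `-e 2`, which makes the loaded rules
#     immutable until the next reboot.
- name: NIST 800-171 Security Configuration
  hosts: all
  become: true

  # Vars
  #########
  vars:
    sshd_idle_timeout_value: "600"
    # hmac-sha1 and hmac-sha1-etm are retained from the original baseline;
    # drop them here if no legacy clients need them.
    sshd_approved_macs: "hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
    sysctl_net_ipv6_conf_default_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_forwarding_value: "0"
    sysctl_net_ipv6_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv6_conf_default_accept_ra_value: "0"
    sysctl_net_ipv6_conf_all_accept_ra_value: "0"
    sysctl_net_ipv6_conf_default_accept_redirects_value: "0"
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: "1"
    sysctl_net_ipv4_conf_default_log_martians_value: "1"
    sysctl_net_ipv4_conf_all_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_default_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv4_conf_all_log_martians_value: "1"
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: "1"
    sysctl_net_ipv4_ip_forward: "0"
    var_account_disable_post_pw_expiration: "35"
    var_accounts_password_minlen_login_defs: "15"
    var_accounts_minimum_age_login_defs: "7"
    var_accounts_maximum_age_login_defs: "60"
    var_accounts_passwords_pam_faillock_deny: "3"
    # "never" is a literal pam_faillock value (no automatic unlock); quoted so
    # no YAML loader retypes it.
    var_accounts_passwords_pam_faillock_unlock_time: "never"
    var_accounts_passwords_pam_faillock_fail_interval: "900"
    var_password_pam_unix_remember: "5"
    var_password_pam_minlen: "{{ var_accounts_password_minlen_login_defs }}"
    var_password_pam_maxclassrepeat: "4"
    var_password_pam_dcredit: "-1"
    var_password_pam_minclass: "4"
    var_password_pam_difok: "8"
    var_password_pam_ocredit: "-1"
    var_password_pam_lcredit: "-1"
    var_password_pam_ucredit: "-1"
    var_accounts_tmout: "600"
    var_accounts_fail_delay: "4"
    var_accounts_max_concurrent_login_sessions: "10"
    var_auditd_admin_space_left_action: "single"
    var_auditd_space_left_action: "email"
    # Kept as a string; compare with `| int` (see the Firewall section).
    sshd_listening_port: "22"
    # Source range admitted to the firewalld `work` zone. Everything else ends
    # up in the default zone, which this play sets to `drop`.
    firewalld_trusted_source: "10.0.0.0/8"
    # Currently unused: the audit rules below hard-code both b32 and b64.
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
    combined_audit_file: "/etc/audit/rules.d/all.rules"

  # Pre-Tasks
  ############
  pre_tasks:
    # The service itself is enabled and started in the Firewall section.
    - name: "Install firewalld"
      yum:
        name: "firewalld"
        state: "installed"
    - name: "Update system"
      yum:
        name: "*"
        state: "latest"

  # Handlers
  ###########
  # Config-file edits below only take effect once the owning daemon re-reads
  # them; each edit notifies the matching handler.
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
    - name: reload firewalld
      service:
        name: firewalld
        state: reloaded
    # systemd refuses a direct `systemctl restart auditd` on RHEL-family
    # hosts; the legacy service wrapper is the supported path.
    - name: restart auditd
      command: service auditd restart
    # augenrules merges /etc/audit/rules.d/*.rules and loads the result. Once
    # `-e 2` has been loaded the kernel rejects further changes until reboot,
    # so this handler failing on a later run is the expected signal that a
    # reboot is required, not something to suppress.
    - name: load audit rules
      command: augenrules --load

  # Tasks
  ##########
  tasks:
    # Kernel
    - name: Disable service kdump
      service:
        name: "{{ item }}"
        enabled: false
        state: "stopped"
      register: service_result
      # A host that never had kdump installed is not a failure.
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      with_items:
        - kdump
    - name: Disable socket of service kdump if applicable
      service:
        name: "{{ item }}"
        enabled: false
        state: "stopped"
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      with_items:
        - kdump.socket

    # IPv6 sysctl values
    - name: Ensure IPv6 sysctl values are set
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      with_items:
        - name: net.ipv6.conf.default.accept_source_route
          value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
        - name: net.ipv6.conf.all.accept_source_route
          value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
        - name: net.ipv6.conf.all.forwarding
          value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}"
        - name: net.ipv6.conf.all.accept_redirects
          value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}"
        - name: net.ipv6.conf.default.accept_ra
          value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}"
        - name: net.ipv6.conf.all.accept_ra
          value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}"
        - name: net.ipv6.conf.default.accept_redirects
          value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}"
        # Disables IPv6 entirely; the settings above are then belt-and-braces.
        - name: net.ipv6.conf.all.disable_ipv6
          value: "1"

    # IPv4 kernel networking values
    - name: Ensure IPv4 sysctl values are set
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      with_items:
        - name: net.ipv4.icmp_ignore_bogus_error_responses
          value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
        - name: net.ipv4.conf.default.log_martians
          value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
        - name: net.ipv4.conf.all.secure_redirects
          value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
        - name: net.ipv4.conf.default.secure_redirects
          value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
        - name: net.ipv4.conf.all.accept_redirects
          value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
        - name: net.ipv4.conf.all.log_martians
          value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
        - name: net.ipv4.icmp_echo_ignore_broadcasts
          value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
        - name: net.ipv4.ip_forward
          value: "{{ sysctl_net_ipv4_ip_forward }}"
        - name: net.ipv4.conf.all.send_redirects
          value: "0"
        - name: net.ipv4.conf.default.send_redirects
          value: "0"

    # Other values
    - name: Ensure kernel hardening sysctl values are set
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      with_items:
        - name: fs.suid_dumpable
          value: "0"
        - name: kernel.randomize_va_space
          value: "2"
        - name: kernel.dmesg_restrict
          value: "1"
        - name: kernel.kptr_restrict
          value: "1"
        - name: kernel.kexec_load_disabled
          value: "1"

    #
    # Disable uncommon Network Protocols and Bluetooth
    #
    - name: Ensure unnecessary kernel modules are disabled
      lineinfile:
        create: true
        dest: "/etc/modprobe.d/{{ item }}.conf"
        regexp: '{{ item }}'
        line: "install {{ item }} /bin/true"
      with_items:
        - dccp
        - sctp
        - bluetooth
        - hfs
        - usb-storage
        - freevxfs
        - squashfs
        - hfsplus
        - jffs2
        - cramfs

    #
    # OpenSSH
    #
    # Every sshd_config edit is validated with `sshd -t` before it lands and
    # notifies the restart handler so the running daemon picks it up.
    - name: "Disable SSH Root Login"
      lineinfile:
        create: true
        dest: "/etc/ssh/sshd_config"
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        insertafter: '(?i)^#?authentication'
        validate: sshd -t -f %s
      notify: restart sshd
    - name: "Disable SSH Support for User Known Hosts"
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^IgnoreUserKnownHosts
        line: IgnoreUserKnownHosts yes
        validate: sshd -t -f %s
      notify: restart sshd
    - name: Disable SSH Access via Empty Passwords
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^PermitEmptyPasswords
        line: PermitEmptyPasswords no
        validate: sshd -t -f %s
      notify: restart sshd
    - name: Set SSH Client Alive Count
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^ClientAliveCountMax
        line: ClientAliveCountMax 0
        validate: sshd -t -f %s
      notify: restart sshd
    - name: Set SSH Idle Timeout Interval
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^ClientAliveInterval
        line: "ClientAliveInterval {{ sshd_idle_timeout_value }}"
        validate: sshd -t -f %s
      notify: restart sshd
    # The cipher list is the original baseline. 3des-cbc and the *-cbc modes
    # are legacy entries; trimming the list to the CTR ciphers is the usual
    # next step once no legacy clients depend on them.
    - name: Use Only Approved Ciphers
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^Ciphers
        line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        validate: sshd -t -f %s
      notify: restart sshd
    # UsePrivilegeSeparation is deprecated (and always on) in newer OpenSSH;
    # `sshd -t` still accepts it, so the line stays for older releases.
    - name: "Enable use of Privilege Separation"
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?useprivilegeseparation
        line: UsePrivilegeSeparation sandbox
        validate: sshd -t -f %s
      notify: restart sshd
    - name: "Disable GSSAPI Authentication"
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?gssapiauthentication
        line: GSSAPIAuthentication no
        validate: sshd -t -f %s
      notify: restart sshd
    - name: "Disable Compression or Set Compression to delayed"
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: (?i)^#?compression
        line: Compression delayed
        validate: sshd -t -f %s
      notify: restart sshd
    - name: Do Not Allow SSH Environment Options
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^PermitUserEnvironment
        line: PermitUserEnvironment no
        validate: sshd -t -f %s
      notify: restart sshd
    - name: "Use Only Approved MACs"
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^MACs
        line: "MACs {{ sshd_approved_macs }}"
        validate: sshd -t -f %s
      notify: restart sshd
    - name: Enable SSH Warning Banner
      lineinfile:
        create: true
        dest: /etc/ssh/sshd_config
        regexp: ^Banner
        line: Banner /etc/issue
        validate: sshd -t -f %s
      notify: restart sshd
    # File modes are quoted strings so the YAML loader cannot retype them.
    - name: Ensure permission 0644 on /etc/ssh/*.pub
      file:
        path: "{{ item }}"
        mode: "0644"
      with_fileglob:
        - "/etc/ssh/*.pub"
    # The original note claimed 0640 (group ssh_keys) was needed on systemd
    # hosts so the setgid ssh-keysign helper can read the host keys; the task
    # has always enforced 0600, which only affects host-based authentication.
    # NOTE(review): confirm which mode the target platform expects.
    - name: Ensure permission 0600 on /etc/ssh/*_key
      file:
        path: "{{ item }}"
        mode: "0600"
      with_fileglob:
        - "/etc/ssh/*_key"

    #
    # AIDE package
    #
    # Flow: install -> check for an existing database -> build a new one only
    # when none exists -> promote it to the active database.
    - name: Ensure aide is installed
      package:
        name: aide
        state: present
    - name: "Check whether the AIDE Database already exists"
      stat:
        path: /var/lib/aide/aide.db.gz
      register: aide_database
      check_mode: false
    - name: "Build and Test AIDE Database"
      command: /usr/sbin/aide --init
      args:
        creates: /var/lib/aide/aide.db.new.gz
      when: not aide_database.stat.exists
    - name: "Stage AIDE Database"
      copy:
        src: /var/lib/aide/aide.db.new.gz
        dest: /var/lib/aide/aide.db.gz
        backup: true
        remote_src: true
      when: not aide_database.stat.exists
    - name: "Configure Periodic Execution of AIDE"
      cron:
        name: "run AIDE check"
        minute: "05"
        hour: "04"
        weekday: "0"
        user: root
        job: "/usr/sbin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost"

    #
    # YUM
    #
    - name: Check existence of yum on Fedora
      stat:
        path: /etc/yum.conf
      register: yum_config_file
      check_mode: false
      when: ansible_distribution == "Fedora"
    - name: "Ensure YUM Removes Previous Package Versions"
      lineinfile:
        dest: /etc/yum.conf
        regexp: ^#?clean_requirements_on_remove
        line: clean_requirements_on_remove=1
        insertafter: '\[main\]'
    # `yum_config_file.stat` only exists where the stat task ran (Fedora);
    # guard it so other distributions do not hit an undefined attribute.
    - name: Ensure GPG check Enabled for Local Packages (Yum)
      ini_file:
        dest: "{{ item }}"
        section: main
        option: localpkg_gpgcheck
        value: "1"
        create: true
      with_items: "/etc/yum.conf"
      when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or (yum_config_file.stat is defined and yum_config_file.stat.exists)
    - name: Ensure GPG check Enabled for Local Packages (DNF)
      ini_file:
        dest: "{{ item }}"
        section: main
        option: localpkg_gpgcheck
        value: "1"
        create: true
      with_items: "/etc/dnf/dnf.conf"
      when: ansible_distribution == "Fedora"

    #
    # Firewall
    #
    - name: Enable service firewalld
      service:
        name: "{{ item }}"
        enabled: true
        state: "started"
      with_items:
        - firewalld
    # sshd_listening_port is a quoted string; the comparison must coerce it,
    # otherwise this task never runs and the `drop` default zone below cuts
    # off SSH after the next reload.
    - name: Enable SSHD in firewalld (default port)
      firewalld:
        service: ssh
        permanent: true
        state: enabled
      when: sshd_listening_port | int == 22
    - name: Set work zone in firewalld
      firewalld:
        zone: work
        source: "{{ firewalld_trusted_source }}"
        permanent: true
        state: enabled
    # Persistent equivalent of `firewall-cmd --set-log-denied=all`; the
    # handler reload applies it, and the edit is idempotent.
    - name: Update log denied settings for firewalld
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^LogDenied'
        line: 'LogDenied=all'
        state: present
      notify: reload firewalld
    - name: "Set Default Firewall zone to DROP"
      lineinfile:
        dest: /etc/firewalld/firewalld.conf
        regexp: '^DefaultZone'
        line: 'DefaultZone=drop'
        state: present
      notify: reload firewalld

    #
    # Access Control
    #
    - name: "Restrict Serial Port Root Logins"
      lineinfile:
        dest: /etc/securetty
        regexp: 'ttyS[0-9]'
        state: absent
    # An empty /etc/securetty denies direct root login on every tty; the
    # surrounding lineinfile tasks are then no-ops but document the controls.
    - name: "Direct root Logins Not Allowed"
      copy:
        content: ""
        dest: /etc/securetty
    - name: "Restrict Virtual Console Root Logins"
      lineinfile:
        dest: /etc/securetty
        regexp: '^vc'
        state: absent
    - name: Set Account Expiration Following Inactivity
      lineinfile:
        create: true
        dest: /etc/default/useradd
        regexp: ^INACTIVE
        line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
    - name: "Set Password Minimum Length in login.defs"
      lineinfile:
        dest: /etc/login.defs
        regexp: "^PASS_MIN_LEN *[0-9]*"
        state: present
        line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
    - name: Set Password Minimum Age
      lineinfile:
        create: true
        dest: /etc/login.defs
        regexp: ^#?PASS_MIN_DAYS
        line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
    - name: Set Password Maximum Age
      lineinfile:
        create: true
        dest: /etc/login.defs
        regexp: ^#?PASS_MAX_DAYS
        line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
    # `replace` with no replacement value deletes every `nullok` token.
    - name: "Prevent Log In to Accounts With Empty Password - system-auth"
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        regexp: 'nullok'
    - name: "Prevent Log In to Accounts With Empty Password - password-auth"
      replace:
        dest: /etc/pam.d/password-auth
        follow: true
        regexp: 'nullok'

    #
    # PAM Configuration
    #
    # pam_faillock needs three stanzas: `preauth` before pam_unix.so,
    # `authfail` after it, and an account line. They are applied to both
    # system-auth and password-auth so SSH logins (password-auth) are
    # covered too, matching the nullok tasks above.
    - name: set auth pam_faillock preauth before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: required
        new_module_path: pam_faillock.so
        module_arguments:
          - preauth
          - silent
          - even_deny_root
          - "deny={{ var_accounts_passwords_pam_faillock_deny }}"
          - "unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}"
          - "fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}"
        state: before
      with_items:
        - system-auth
        - password-auth
    - name: set auth pam_faillock authfail after pam_unix.so
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: '[default=die]'
        new_module_path: pam_faillock.so
        module_arguments:
          - authfail
          - even_deny_root
          - "deny={{ var_accounts_passwords_pam_faillock_deny }}"
          - "unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}"
          - "fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}"
        state: after
      with_items:
        - system-auth
        - password-auth
    - name: set account pam_faillock before pam_unix.so
      pamd:
        name: "{{ item }}"
        type: account
        control: required
        module_path: pam_unix.so
        new_type: account
        new_control: required
        new_module_path: pam_faillock.so
        state: before
      with_items:
        - system-auth
        - password-auth
    - name: "Do not allow users to reuse recent passwords - system-auth (change)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
        replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
    - name: "Do not allow users to reuse recent passwords - system-auth (add)"
      replace:
        dest: /etc/pam.d/system-auth
        follow: true
        regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
        replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
    - name: Ensure PAM variable minlen is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*minlen'
        line: "minlen = {{ var_password_pam_minlen }}"
    - name: Ensure PAM variable maxclassrepeat is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*maxclassrepeat'
        line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
    - name: Ensure PAM variable dcredit is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*dcredit'
        line: "dcredit = {{ var_password_pam_dcredit }}"
    - name: Ensure PAM variable minclass is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*minclass'
        line: "minclass = {{ var_password_pam_minclass }}"
    - name: Ensure PAM variable difok is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*difok'
        line: "difok = {{ var_password_pam_difok }}"
    - name: Ensure PAM variable ocredit is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*ocredit'
        line: "ocredit = {{ var_password_pam_ocredit }}"
    - name: Ensure PAM variable lcredit is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*lcredit'
        line: "lcredit = {{ var_password_pam_lcredit }}"
    - name: Ensure PAM variable ucredit is set accordingly
      lineinfile:
        create: true
        dest: "/etc/security/pwquality.conf"
        regexp: '^#?\s*ucredit'
        line: "ucredit = {{ var_password_pam_ucredit }}"

    #
    # Protect Physical Console Access
    #
    - name: Ensure screen is installed
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - screen
    - name: Set Interactive Session Timeout
      lineinfile:
        create: true
        dest: /etc/profile
        regexp: ^#?TMOUT
        line: "TMOUT={{ var_accounts_tmout }}"
    - name: Set accounts logon fail delay
      lineinfile:
        dest: /etc/login.defs
        regexp: ^FAIL_DELAY
        line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
    - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
      lineinfile:
        state: present
        dest: /etc/security/limits.conf
        insertbefore: "^# End of file"
        regexp: "^#?\\*.*maxlogins"
        line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"

    #
    # Auditd
    #
    # Anchored regexps: `.*flush.*` would rewrite any line mentioning flush,
    # and `^admin_space_left_action*` only makes the trailing `n` optional.
    - name: Configure auditd Flush Priority
      lineinfile:
        dest: /etc/audit/auditd.conf
        regexp: '^flush\s*='
        line: flush = data
      notify: restart auditd
    - name: Enable audisp syslog plugin
      lineinfile:
        dest: /etc/audisp/plugins.d/syslog.conf
        regexp: '^active'
        line: "active = yes"
      notify: restart auditd
    - name: Configure auditd admin_space_left Action on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
        regexp: '^admin_space_left_action\s*='
      notify: restart auditd
    - name: Configure auditd space_left Action on Low Disk Space
      lineinfile:
        dest: /etc/audit/auditd.conf
        line: "space_left_action = {{ var_auditd_space_left_action }}"
        regexp: '^space_left_action\s*='
      notify: restart auditd
    # Lines are appended in list order on first creation, which keeps `-D`
    # first and `-e 2` last. Rules added to the list after that first run
    # land after `-e 2` and need the file regenerated by hand.
    - name: Update audit files
      lineinfile:
        dest: "{{ combined_audit_file }}"
        line: "{{ item }}"
        create: true
      with_items:
        - "-D"
        - "-b 8192"
        - "-f 2"
        - "-w /usr/sbin/rmmod -p x -k modules"
        - "-a always,exit -F arch=b32 -S delete_module -k modules"
        - "-a always,exit -F arch=b64 -S delete_module -k modules"
        - "-w /usr/sbin/modprobe -p x -k modules"
        - "-w /usr/sbin/insmod -p x -k modules"
        - "-a always,exit -F arch=b32 -S init_module -k modules"
        - "-a always,exit -F arch=b64 -S init_module -k modules"
        - "-w /var/log/lastlog -p wa -k logins"
        - "-w /var/run/faillock/ -p wa -k logins"
        - "-w /var/log/tallylog -p wa -k logins"
        - "-w /etc/localtime -p wa -k audit_time_rules"
        - "-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules"
        - "-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules"
        - "-a always,exit -F arch=b32 -S stime -F key=audit_time_rules"
        - "-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules"
        - "-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules"
        - "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change"
        - "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change"
        - "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
        - "-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
        - "-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
        - "-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
        - "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
        - "-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
        - "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete"
        - "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete"
        - "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete"
        - "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete"
        - "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete"
        - "-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
        - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        - "-w /etc/sudoers -p wa -k actions"
        - "-w /etc/sudoers.d/ -p wa -k actions"
        - "-a always,exit -F arch=b64 -S sethostname -F key=audit_rules_networkconfig_modification"
        - "-a always,exit -F arch=b64 -S setdomainname -F key=audit_rules_networkconfig_modification"
        - "-w /etc/issue -p wa -k audit_rules_networkconfig_modification"
        - "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification"
        - "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification"
        - "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification"
        - "-w /var/run/utmp -p wa -k session"
        - "-w /var/log/btmp -p wa -k session"
        - "-w /var/log/wtmp -p wa -k session"
        - "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
        - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export"
        - "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
        - "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
        - "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
        - "-w /etc/group -p wa -k audit_rules_usergroup_modification"
        - "-w /etc/selinux/ -p wa -k MAC-policy"
        - "-e 2"
      notify: load audit rules

    #
    # Secure Grub configuration
    #
    # Left disabled by the original author; kept for reference.
    # - name: Install dracut-fips
    #   yum:
    #     name: dracut-fips
    #     state: installed
    # - name: Grub configuration
    #   lineinfile:
    #     create: true
    #     dest: /etc/default/grub
    #     regexp: ^GRUB_CMDLINE_LINUX
    #     line: GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 slub_debug=P page_poison=1 vsyscall=none fips=1 audit=1 audit_backlog_limit=8192"
    # - name: Update initrd and bootloader
    #   shell: |
    #     dracut -f
    #     grub2-mkconfig -o /etc/grub2.cfg

    #
    # Update /dev/shm in /etc/fstab
    #
    # The three lookups are read-only and must not report "changed".
    - name: get back device associated to mountpoint
      shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
      register: device_name
      changed_when: false
      check_mode: false
    - name: get back device previous mount option
      shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
      register: device_cur_mountoption
      changed_when: false
      check_mode: false
    - name: get back device fstype
      shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
      register: device_fstype
      changed_when: false
      check_mode: false
    # Any existing `noexec` is stripped before it is re-appended so repeated
    # runs do not accumulate duplicates in fstab. Skipped when /dev/shm is
    # not mounted, since an empty src would otherwise fail the mount call.
    # NOTE(review): mount(8) can report pseudo-options (e.g. seclabel on
    # SELinux hosts) that fstab may not accept — confirm on the target.
    - name: Ensure permission noexec are set on /dev/shm
      mount:
        path: "/dev/shm"
        src: "{{ device_name.stdout }}"
        opts: "{{ device_cur_mountoption.stdout.split(',') | reject('equalto', 'noexec') | join(',') }},noexec"
        state: "mounted"
        fstype: "{{ device_fstype.stdout }}"
      when: device_name.stdout | length > 0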