  1. ---
  2. - name: NIST 800-171 Security Configuration
  3. hosts: all
  4. become: true
  5.  
  6. # Vars
  7. #########
  8. vars:
  9. sshd_idle_timeout_value: "600"
  10. sshd_approved_macs: "hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
  11. sysctl_net_ipv6_conf_default_accept_source_route_value: "0"
  12. sysctl_net_ipv6_conf_all_accept_source_route_value: "0"
  13. sysctl_net_ipv6_conf_all_forwarding_value: "0"
  14. sysctl_net_ipv6_conf_all_accept_redirects_value: "0"
  15. sysctl_net_ipv6_conf_default_accept_ra_value: "0"
  16. sysctl_net_ipv6_conf_all_accept_ra_value: "0"
  17. sysctl_net_ipv6_conf_default_accept_redirects_value: "0"
  18. sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: "1"
  19. sysctl_net_ipv4_conf_default_log_martians_value: "1"
  20. sysctl_net_ipv4_conf_all_secure_redirects_value: "0"
  21. sysctl_net_ipv4_conf_default_secure_redirects_value: "0"
  22. sysctl_net_ipv4_conf_all_accept_redirects_value: "0"
  23. sysctl_net_ipv4_conf_all_log_martians_value: "1"
  24. sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: "1"
  25. sysctl_net_ipv4_ip_forward: "0"
  26. var_account_disable_post_pw_expiration: "35"
  27. var_accounts_password_minlen_login_defs: "15"
  28. var_accounts_minimum_age_login_defs: "7"
  29. var_accounts_maximum_age_login_defs: "60"
  30. var_accounts_passwords_pam_faillock_deny: "3"
  31. var_accounts_passwords_pam_faillock_unlock_time: never
  32. var_accounts_passwords_pam_faillock_fail_interval: "900"
  33. var_password_pam_unix_remember: "5"
  34. var_password_pam_minlen: "{{ var_accounts_password_minlen_login_defs }}"
  35. var_password_pam_maxclassrepeat: "4"
  36. var_password_pam_dcredit: "-1"
  37. var_password_pam_minclass: "4"
  38. var_password_pam_difok: "8"
  39. var_password_pam_ocredit: "-1"
  40. var_password_pam_lcredit: "-1"
  41. var_password_pam_ucredit: "-1"
  42. var_accounts_tmout: "600"
  43. var_accounts_fail_delay: "4"
  44. var_accounts_max_concurrent_login_sessions: "10"
  45. var_auditd_admin_space_left_action: "single"
  46. var_auditd_space_left_action: "email"
  47. sshd_listening_port: "22"
  48. audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
  49. combined_audit_file: "/etc/audit/rules.d/all.rules"
  50.  
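  # Pre-Tasks
  ############
  pre_tasks:
    # Only installs firewalld; it is enabled and started in the Firewall
    # section below (the old name claimed "and enable").
    - name: Install firewalld
      yum:
        name: firewalld
        state: present

    # Full system update before hardening so the tasks below configure the
    # current package versions.
    - name: Update system
      yum:
        name: "*"
        state: latest
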
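  # Tasks
  ##########
  tasks:
    # Kernel
    # Stop and disable kdump and its socket. A host without the unit is not a
    # failure: only errors other than "service not found" fail the task.
    - name: Disable service kdump
      service:
        name: "{{ item }}"
        enabled: false
        state: stopped
      register: service_result
      failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
      loop:
        - kdump

    - name: Disable socket of service kdump if applicable
      service:
        name: "{{ item }}"
        enabled: false
        state: stopped
      register: socket_result
      failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
      loop:
        - kdump.socket
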
  88. # IPv6 sysctl values
  89. - name: Ensure sysctl values are set
  90. sysctl:
  91. name: "{{ item.name }}"
  92. value: "{{ item.value }}"
  93. state: present
  94. reload: yes
  95. with_items:
  96. - name: net.ipv6.conf.default.accept_source_route
  97. value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
  98. - name: net.ipv6.conf.all.accept_source_route
  99. value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
  100. - name: net.ipv6.conf.all.forwarding
  101. value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}"
  102. - name: net.ipv6.conf.all.accept_redirects
  103. value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}"
  104. - name: net.ipv6.conf.default.accept_ra
  105. value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}"
  106. - name: net.ipv6.conf.all.accept_ra
  107. value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}"
  108. - name: net.ipv6.conf.default.accept_redirects
  109. value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}"
  110. - name: net.ipv6.conf.all.disable_ipv6
  111. value: "1"
  112.  
  113. # IPv4 kernel networking values
  114. - name: Ensure sysctl values are set
  115. sysctl:
  116. name: "{{ item.name }}"
  117. value: "{{ item.value }}"
  118. state: present
  119. reload: yes
  120. with_items:
  121. - name: net.ipv4.icmp_ignore_bogus_error_responses
  122. value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
  123. - name: net.ipv4.conf.default.log_martians
  124. value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
  125. - name: net.ipv4.conf.all.secure_redirects
  126. value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
  127. - name: net.ipv4.conf.default.secure_redirects
  128. value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
  129. - name: net.ipv4.conf.all.accept_redirects
  130. value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
  131. - name: net.ipv4.conf.all.log_martians
  132. value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
  133. - name: net.ipv4.icmp_echo_ignore_broadcasts
  134. value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
  135. - name: net.ipv4.ip_forward
  136. value: "{{ sysctl_net_ipv4_ip_forward }}"
  137. - name: net.ipv4.conf.all.send_redirects
  138. value: 0
  139. - name: net.ipv4.conf.default.send_redirects
  140. value: 0
  141.  
  142. # Other values
  143. - name: Ensure sysctl values are set
  144. sysctl:
  145. name: "{{ item.name }}"
  146. value: "{{ item.value }}"
  147. state: present
  148. reload: yes
  149. with_items:
  150. - name: fs.suid_dumpable
  151. value: "0"
  152. - name: kernel.randomize_va_space
  153. value: "2"
  154. - name: kernel.dmesg_restrict
  155. value: "1"
  156. - name: kernel.kptr_restrict
  157. value: "1"
  158. - name: kernel.kexec_load_disabled
  159. value: "1"
  160.  
  161. #
  162. # Disable uncommon Network Protocols and Bluetooth
  163. #
  164. - name: Ensure unnecessary kernel modules are disabled
  165. lineinfile:
  166. create: yes
  167. dest: "/etc/modprobe.d/{{item}}.conf"
  168. regexp: '{{item}}'
  169. line: "install {{item}} /bin/true"
  170. with_items:
  171. - dccp
  172. - sctp
  173. - bluetooth
  174. - hfs
  175. - usb-storage
  176. - freevxfs
  177. - squashfs
  178. - hfsplus
  179. - jffs2
  180. - cramfs
  181.  
  182. #
  183. # OpenSSH
  184. #
  185. - name: "Disable SSH Root Login"
  186. lineinfile:
  187. create: yes
  188. dest: "/etc/ssh/sshd_config"
  189. regexp: "^PermitRootLogin"
  190. line: "PermitRootLogin no"
  191. insertafter: '(?i)^#?authentication'
  192. validate: sshd -t -f %s
  193.  
  194. - name: "Disable SSH Support for User Known Hosts"
  195. lineinfile:
  196. create: yes
  197. dest: /etc/ssh/sshd_config
  198. regexp: ^IgnoreUserKnownHosts
  199. line: IgnoreUserKnownHosts yes
  200. validate: sshd -t -f %s
  201.  
  202. - name: Disable SSH Access via Empty Passwords
  203. lineinfile:
  204. create: yes
  205. dest: /etc/ssh/sshd_config
  206. regexp: ^PermitEmptyPasswords
  207. line: PermitEmptyPasswords no
  208. validate: sshd -t -f %s
  209.  
  210. - name: Set SSH Client Alive Count
  211. lineinfile:
  212. create: yes
  213. dest: /etc/ssh/sshd_config
  214. regexp: ^ClientAliveCountMax
  215. line: ClientAliveCountMax 0
  216. validate: sshd -t -f %s
  217.  
  218. - name: Set SSH Idle Timeout Interval
  219. lineinfile:
  220. create: yes
  221. dest: /etc/ssh/sshd_config
  222. regexp: ^ClientAliveInterval
  223. line: "ClientAliveInterval {{ sshd_idle_timeout_value }}"
  224. validate: sshd -t -f %s
  225.  
  226. - name: Use Only Approved Ciphers
  227. lineinfile:
  228. create: yes
  229. dest: /etc/ssh/sshd_config
  230. regexp: ^Ciphers
  231. line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
  232. validate: sshd -t -f %s
  233.  
  234. - name: "Enable use of Privilege Separation"
  235. lineinfile:
  236. create: yes
  237. dest: /etc/ssh/sshd_config
  238. regexp: (?i)^#?useprivilegeseparation
  239. line: UsePrivilegeSeparation sandbox
  240. validate: sshd -t -f %s
  241.  
  242. - name: "Disable GSSAPI Authentication"
  243. lineinfile:
  244. create: yes
  245. dest: /etc/ssh/sshd_config
  246. regexp: (?i)^#?gssapiauthentication
  247. line: GSSAPIAuthentication no
  248. validate: sshd -t -f %s
  249.  
  250. - name: "Disable Compression or Set Compression to delayed"
  251. lineinfile:
  252. create: yes
  253. dest: /etc/ssh/sshd_config
  254. regexp: (?i)^#?compression
  255. line: Compression delayed
  256. validate: sshd -t -f %s
  257.  
  258. - name: Do Not Allow SSH Environment Options
  259. lineinfile:
  260. create: yes
  261. dest: /etc/ssh/sshd_config
  262. regexp: ^PermitUserEnvironment
  263. line: PermitUserEnvironment no
  264. validate: sshd -t -f %s
  265.  
  266. - name: "Use Only Approved MACs"
  267. lineinfile:
  268. create: yes
  269. dest: /etc/ssh/sshd_config
  270. regexp: ^MACs
  271. line: "MACs {{ sshd_approved_macs }}"
  272. validate: sshd -t -f %s
  273.  
  274. - name: Enable SSH Warning Banner
  275. lineinfile:
  276. create: yes
  277. dest: /etc/ssh/sshd_config
  278. regexp: ^Banner
  279. line: Banner /etc/issue
  280. validate: sshd -t -f %s
  281.  
  282. - name: Ensure permission 0644 on /etc/ssh/*.pub
  283. file:
  284. path: "{{ item }}"
  285. mode: 0644
  286. with_fileglob:
  287. - "/etc/ssh/*.pub"
  288.  
  289. # Because of Systemd, we need to use permissions of 0640, so that
  290. # the group ssh_keys can read the generated ssh private keys for
  291. # access to the system.
  292. - name: Ensure permission 0600 on /etc/ssh/*_key
  293. file:
  294. path: "{{ item }}"
  295. mode: 0600
  296. with_fileglob:
  297. - "/etc/ssh/*_key"
  298.  
  299. #
  300. # AIDE package
  301. #
  302. - name: Ensure aide is installed
  303. package:
  304. name: "{{item}}"
  305. state: present
  306. with_items:
  307. - aide
  308.  
  309. - name: "Build and Test AIDE Database"
  310. shell: /usr/sbin/aide --init
  311.  
  312. - name: "Check whether the stock AIDE Database exists"
  313. stat:
  314. path: /var/lib/aide/aide.db.new.gz
  315. register: aide_database
  316.  
  317. - name: "Stage AIDE Database"
  318. copy:
  319. src: /var/lib/aide/aide.db.new.gz
  320. dest: /var/lib/aide/aide.db.gz
  321. backup: yes
  322. remote_src: yes
  323. when: aide_database.stat.exists is defined and not aide_database.stat.exists
  324.  
  325. - name: "Configure Periodic Execution of AIDE"
  326. cron:
  327. name: "run AIDE check"
  328. minute: "05"
  329. hour: "04"
  330. weekday: "0"
  331. user: root
  332. job: "/usr/sbin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost"
  333.  
  334. #
  335. # YUM
  336. #
  337. - name: Check existence of yum on Fedora
  338. stat:
  339. path: /etc/yum.conf
  340. register: yum_config_file
  341. check_mode: no
  342. when: ansible_distribution == "Fedora"
  343.  
  344. - name: "Ensure YUM Removes Previous Package Versions"
  345. lineinfile:
  346. dest: /etc/yum.conf
  347. regexp: ^#?clean_requirements_on_remove
  348. line: clean_requirements_on_remove=1
  349. insertafter: '\[main\]'
  350.  
  351. - name: Ensure GPG check Enabled for Local Packages (Yum)
  352. ini_file:
  353. dest: "{{item}}"
  354. section: main
  355. option: localpkg_gpgcheck
  356. value: "1"
  357. create: True
  358. with_items: "/etc/yum.conf"
  359. when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists
  360.  
  361. - name: Ensure GPG check Enabled for Local Packages (DNF)
  362. ini_file:
  363. dest: "{{item}}"
  364. section: main
  365. option: localpkg_gpgcheck
  366. value: 1
  367. create: True
  368. with_items: "/etc/dnf/dnf.conf"
  369. when: ansible_distribution == "Fedora"
  370.  
  371. #
  372. # Firewall
  373. #
  374. - name: Enable service firewalld
  375. service:
  376. name: "{{ item }}"
  377. enabled: "yes"
  378. state: "started"
  379. with_items:
  380. - firewalld
  381.  
  382. - name: Enable SSHD in firewalld (default port)
  383. firewalld:
  384. service: ssh
  385. permanent: yes
  386. state: enabled
  387. when: sshd_listening_port == 22
  388.  
  389. - name: Set work zone in firewalld
  390. firewalld:
  391. zone: work
  392. source: "10.0.0.0/8"
  393. permanent: yes
  394. state: enabled
  395.  
  396. - name: Update log denied settings for firewalld
  397. shell: firewall-cmd --set-log-denied=all
  398.  
  399. - name: "Set Default Firewall zone to DROP"
  400. lineinfile:
  401. dest: /etc/firewalld/firewalld.conf
  402. regexp: '^DefaultZone'
  403. line: 'DefaultZone=drop'
  404. state: present
  405.  
  406. #
  407. # Access Control
  408. #
  409. - name: "Restrict Serial Port Root Logins"
  410. lineinfile:
  411. dest: /etc/securetty
  412. regexp: 'ttyS[0-9]'
  413. state: absent
  414.  
  415. - name: "Direct root Logins Not Allowed"
  416. shell: echo > /etc/securetty
  417. changed_when: false
  418.  
  419. - name: "Restrict Virtual Console Root Logins"
  420. lineinfile:
  421. dest: /etc/securetty
  422. regexp: '^vc'
  423. state: absent
  424.  
  425. - name: Set Account Expiration Following Inactivity
  426. lineinfile:
  427. create: yes
  428. dest: /etc/default/useradd
  429. regexp: ^INACTIVE
  430. line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  431.  
  432. - name: "Set Password Minimum Length in login.defs"
  433. lineinfile:
  434. dest: /etc/login.defs
  435. regexp: "^PASS_MIN_LEN *[0-9]*"
  436. state: present
  437. line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
  438.  
  439. - name: Set Password Minimum Age
  440. lineinfile:
  441. create: yes
  442. dest: /etc/login.defs
  443. regexp: ^#?PASS_MIN_DAYS
  444. line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
  445.  
  446. - name: Set Password Maximum Age
  447. lineinfile:
  448. create: yes
  449. dest: /etc/login.defs
  450. regexp: ^#?PASS_MAX_DAYS
  451. line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
  452.  
  453. - name: "Prevent Log In to Accounts With Empty Password - system-auth"
  454. replace:
  455. dest: /etc/pam.d/system-auth
  456. follow: yes
  457. regexp: 'nullok'
  458.  
  459. - name: "Prevent Log In to Accounts With Empty Password - password-auth"
  460. replace:
  461. dest: /etc/pam.d/password-auth
  462. follow: yes
  463. regexp: 'nullok'
  464.  
  465. #
  466. # PAM Configuration
  467. #
  468. - name: set auth pam_faillock before pam_unix.so
  469. pamd:
  470. name: system-auth
  471. type: auth
  472. control: sufficient
  473. module_path: pam_unix.so
  474. new_type: auth
  475. new_control: required
  476. new_module_path: pam_faillock.so
  477. module_arguments: 'preauth
  478. silent
  479. even_deny_root
  480. deny: {{ var_accounts_passwords_pam_faillock_deny }}
  481. unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
  482. fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
  483. state: before
  484.  
  485. - name: set auth pam_faillock after pam_unix.so
  486. pamd:
  487. name: system-auth
  488. type: auth
  489. control: sufficient
  490. module_path: pam_unix.so
  491. new_type: auth
  492. new_control: '[default=die]'
  493. new_module_path: pam_faillock.so
  494. module_arguments: 'preauth
  495. silent
  496. even_deny_root
  497. deny: {{ var_accounts_passwords_pam_faillock_deny }}
  498. unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
  499. fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
  500. state: after
  501.  
  502. - name: set account pam_faillock before pam_unix.so
  503. pamd:
  504. name: system-auth
  505. type: account
  506. control: required
  507. module_path: pam_unix.so
  508. new_type: account
  509. new_control: required
  510. new_module_path: pam_faillock.so
  511. state: before
  512.  
  513. - name: "Do not allow users to reuse recent passwords - system-auth (change)"
  514. replace:
  515. dest: /etc/pam.d/system-auth
  516. follow: yes
  517. regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
  518. replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
  519.  
  520. - name: "Do not allow users to reuse recent passwords - system-auth (add)"
  521. replace:
  522. dest: /etc/pam.d/system-auth
  523. follow: yes
  524. regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
  525. replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
  526.  
  527. - name: Ensure PAM variable minlen is set accordingly
  528. lineinfile:
  529. create: yes
  530. dest: "/etc/security/pwquality.conf"
  531. regexp: '^#?\s*minlen'
  532. line: "minlen = {{ var_password_pam_minlen }}"
  533.  
  534. - name: Ensure PAM variable maxclassrepeat is set accordingly
  535. lineinfile:
  536. create: yes
  537. dest: "/etc/security/pwquality.conf"
  538. regexp: '^#?\s*maxclassrepeat'
  539. line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
  540.  
  541. - name: Ensure PAM variable dcredit is set accordingly
  542. lineinfile:
  543. create: yes
  544. dest: "/etc/security/pwquality.conf"
  545. regexp: '^#?\s*dcredit'
  546. line: "dcredit = {{ var_password_pam_dcredit }}"
  547.  
  548. - name: Ensure PAM variable minclass is set accordingly
  549. lineinfile:
  550. create: yes
  551. dest: "/etc/security/pwquality.conf"
  552. regexp: '^#?\s*minclass'
  553. line: "minclass = {{ var_password_pam_minclass }}"
  554.  
  555. - name: Ensure PAM variable difok is set accordingly
  556. lineinfile:
  557. create: yes
  558. dest: "/etc/security/pwquality.conf"
  559. regexp: '^#?\s*difok'
  560. line: "difok = {{ var_password_pam_difok }}"
  561.  
  562. - name: Ensure PAM variable ocredit is set accordingly
  563. lineinfile:
  564. create: yes
  565. dest: "/etc/security/pwquality.conf"
  566. regexp: '^#?\s*ocredit'
  567. line: "ocredit = {{ var_password_pam_ocredit }}"
  568.  
  569. - name: Ensure PAM variable ocredit is set accordingly
  570. lineinfile:
  571. create: yes
  572. dest: "/etc/security/pwquality.conf"
  573. regexp: '^#?\s*lcredit'
  574. line: "lcredit = {{ var_password_pam_lcredit }}"
  575.  
  576. - name: Ensure PAM variable ocredit is set accordingly
  577. lineinfile:
  578. create: yes
  579. dest: "/etc/security/pwquality.conf"
  580. regexp: '^#?\s*ucredit'
  581. line: "ucredit = {{ var_password_pam_ucredit }}"
  582.  
  583. #
  584. # Protect Physical Console Access
  585. #
  586. - name: Ensure screen is installed
  587. package:
  588. name: "{{item}}"
  589. state: present
  590. with_items:
  591. - screen
  592.  
  593. - name: Set Interactive Session Timeout
  594. lineinfile:
  595. create: yes
  596. dest: /etc/profile
  597. regexp: ^#?TMOUT
  598. line: "TMOUT={{ var_accounts_tmout }}"
  599.  
  600. - name: Set accounts logon fail delay
  601. lineinfile:
  602. dest: /etc/login.defs
  603. regexp: ^FAIL_DELAY
  604. line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
  605.  
  606. - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
  607. lineinfile:
  608. state: present
  609. dest: /etc/security/limits.conf
  610. insertbefore: "^# End of file"
  611. regexp: "^#?\\*.*maxlogins"
  612. line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
  613.  
  614. #
  615. # Auditd
  616. #
  617. - name: Configure auditd Flush Priority
  618. lineinfile:
  619. dest: /etc/audit/auditd.conf
  620. regexp: '.*flush.*'
  621. line: flush = data
  622.  
  623. - name: Configure auditd Flush Priority
  624. lineinfile:
  625. dest: /etc/audisp/plugins.d/syslog.conf
  626. regexp: '^active'
  627. line: "active = yes"
  628.  
  629. - name: Configure auditd admin_space_left Action on Low Disk Space
  630. lineinfile:
  631. dest: /etc/audit/auditd.conf
  632. line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
  633. regexp: "^admin_space_left_action*"
  634.  
  635. - name: Configure auditd space_left Action on Low Disk Space
  636. lineinfile:
  637. dest: /etc/audit/auditd.conf
  638. line: "space_left_action = {{ var_auditd_space_left_action }}"
  639. regexp: ^space_left_action*
  640.  
  641. - name: Update audit files
  642. lineinfile:
  643. dest: "{{ combined_audit_file }}"
  644. line: "{{ item }}"
  645. create: yes
  646. with_items:
  647. - "-D"
  648. - "-b 8192"
  649. - "-f 2"
  650. - "-w /usr/sbin/rmmod -p x -k modules"
  651. - "-a always,exit -F arch=b32 -S delete_module -k modules"
  652. - "-a always,exit -F arch=b64 -S delete_module -k modules"
  653. - "-w /usr/sbin/modprobe -p x -k modules"
  654. - "-w /usr/sbin/insmod -p x -k modules"
  655. - "-a always,exit -F arch=b32 -S init_module -k modules"
  656. - "-a always,exit -F arch=b64 -S init_module -k modules"
  657. - "-w /var/log/lastlog -p wa -k logins"
  658. - "-w /var/run/faillock/ -p wa -k logins"
  659. - "-w /var/log/tallylog -p wa -k logins"
  660. - "-w /etc/localtime -p wa -k audit_time_rules"
  661. - "-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules"
  662. - "-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules"
  663. - "-a always,exit -F arch=b32 -S stime -F key=audit_time_rules"
  664. - "-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules"
  665. - "-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules"
  666. - "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change"
  667. - "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change"
  668. - "-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  669. - "-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  670. - "-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  671. - "-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  672. - "-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  673. - "-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  674. - "-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  675. - "-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  676. - "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  677. - "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  678. - "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  679. - "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  680. - "-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  681. - "-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  682. - "-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  683. - "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  684. - "-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  685. - "-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  686. - "-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  687. - "-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  688. - "-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  689. - "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  690. - "-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  691. - "-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  692. - "-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  693. - "-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  694. - "-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  695. - "-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  696. - "-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  697. - "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  698. - "-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change"
  699. - "-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete"
  700. - "-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete"
  701. - "-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete"
  702. - "-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete"
  703. - "-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete"
  704. - "-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  705. - "-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  706. - "-a always,exit -F path=/usr/bin/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  707. - "-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  708. - "-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  709. - "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  710. - "-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  711. - "-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  712. - "-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  713. - "-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  714. - "-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  715. - "-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  716. - "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  717. - "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  718. - "-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  719. - "-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  720. - "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  721. - "-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  722. - "-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  723. - "-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  724. - "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  725. - "-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  726. - "-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  727. - "-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  728. - "-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  729. - "-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  730. - "-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  731. - "-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  732. - "-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  733. - "-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  734. - "-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  735. - "-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
  736. - "-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  737. - "-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  738. - "-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  739. - "-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  740. - "-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  741. - "-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  742. - "-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  743. - "-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  744. - "-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  745. - "-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  746. - "-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  747. - "-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  748. - "-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  749. - "-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  750. - "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  751. - "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  752. - "-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  753. - "-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  754. - "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  755. - "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  756. - "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  757. - "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  758. - "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  759. - "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  760. - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  761. - "-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  762. - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  763. - "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  764. - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  765. - "-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  766. - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  767. - "-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  768. - "-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  769. - "-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  770. - "-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  771. - "-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  772. - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  773. - "-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  774. - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  775. - "-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  776. - "-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  777. - "-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  778. - "-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  779. - "-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  780. - "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  781. - "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  782. - "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
  783. - "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
  784. - "-w /etc/sudoers -p wa -k actions"
  785. - "-w /etc/sudoers.d/ -p wa -k actions"
  786. - "-a always,exit -F arch=b64 -S sethostname -F key=audit_rules_networkconfig_modification"
  787. - "-a always,exit -F arch=b64 -S setdomainname -F key=audit_rules_networkconfig_modification"
  788. - "-w /etc/issue -p wa -k audit_rules_networkconfig_modification"
  789. - "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification"
  790. - "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification"
  791. - "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification"
  792. - "-w /var/run/utmp -p wa -k session"
  793. - "-w /var/log/btmp -p wa -k session"
  794. - "-w /var/log/wtmp -p wa -k session"
  795. - "-w /etc/shadow -p wa -k audit_rules_usergroup_modification"
  796. - "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export"
  797. - "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification"
  798. - "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification"
  799. - "-w /etc/passwd -p wa -k audit_rules_usergroup_modification"
  800. - "-w /etc/group -p wa -k audit_rules_usergroup_modification"
  801. - "-w /etc/selinux/ -p wa -k MAC-policy"
  802. - "-e 2"
  803.  
  804. #
  805. # Secure Grub configuration
  806. #
  807. # - name: Install dracut-fips
  808. # yum:
  809. # name: dracut-fips
  810. # state: installed
  811.  
  812. # - name: Grub configuration
  813. # lineinfile:
  814. # create: yes
  815. # dest: /etc/default/grub
#     regexp: '^GRUB_CMDLINE_LINUX='   # anchor on '=' so GRUB_CMDLINE_LINUX_DEFAULT is not matched and replaced
#     line: GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 slub_debug=P page_poison=1 vsyscall=none fips=1 audit=1 audit_backlog_limit=8192"   # (duplicate fips=1 removed)
  818.  
# - name: Update initrd and bootloader
#   shell: |
#     dracut -f
#     grub2-mkconfig -o /etc/grub2.cfg
#   # Caveats before enabling this section: (1) `dracut -f` must run after
#   # dracut-fips is installed, otherwise the initramfs has no FIPS integrity
#   # check and the kernel will refuse to boot with fips=1; (2) when /boot is a
#   # separate partition, fips=1 also needs `boot=UUID=<boot partition>` on the
#   # kernel command line; (3) /etc/grub2.cfg is the BIOS symlink — UEFI hosts
#   # write to /etc/grub2-efi.cfg instead.
  823.  
  824. #
# Harden /dev/shm: add noexec to the live mount and persist it in /etc/fstab
  826. #
  827. - name: get back device associated to mountpoint
  828. shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
  829. register: device_name
  830. check_mode: no
  831.  
  832. - name: get back device previous mount option
  833. shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
  834. register: device_cur_mountoption
  835. check_mode: no
  836.  
  837. - name: get back device fstype
  838. shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
  839. register: device_fstype
  840. check_mode: no
  841.  
  842. - name: Ensure permission noexec are set on /dev/shm
  843. mount:
  844. path: "/dev/shm"
  845. src: "{{device_name.stdout}}"
  846. opts: "{{device_cur_mountoption.stdout}},noexec"
  847. state: "mounted"
  848. fstype: "{{device_fstype.stdout}}"