Merge pull request #2134 from shawndwells/more_ansible

Additional Ansible Scripts

shared/templates/static/ansible/accounts_logon_fail_delay.yml

@@ -1,9 +1,9 @@
 # platform = multi_platform_rhel
-- name: "Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)"
+- name: Set accounts logon fail delay to (ansible-populate var_accounts_fail_delay)
   lineinfile:
-    dest="/etc/login.defs"
-    regexp="^FAIL_DELAY"
-    line="FAIL_DELAY (ansible-populate var_accounts_fail_delay)"
+    dest: /etc/login.defs
+    regexp: ^FAIL_DELAY
+    line: FAIL_DELAY (ansible-populate var_accounts_fail_delay)
   tags:
     @ANSIBLE_TAGS@
 

shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml

@@ -0,0 +1,14 @@
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
+  lineinfile:
+    state: present
+    dest: /etc/security/limits.conf
+    insertbefore: '^# End of file'
+    regexp: '^#?\\*.*maxlogins'
+    line: '*           hard    maxlogins     (ansible-populate var_accounts_max_concurrent_login_sessions)'
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_maximum_age_login_defs.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Age
+  lineinfile:
+      create: yes
+      dest: /etc/login.defs
+      regexp: ^#?PASS_MAX_DAYS
+      line: PASS_MAX_DAYS (ansible-populate var_accounts_maximum_age_login_defs)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_minimum_age_login_defs.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Age
+  lineinfile:
+      create: yes
+      dest: /etc/login.defs
+      regexp: ^#?PASS_MIN_DAYS
+      line: PASS_MIN_DAYS (ansible-populate var_accounts_minimum_age_login_defs)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_password_minlen_login_defs.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Minimum Length in login.defs"
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^PASS_MIN_LEN *[0-9]*"
+    state: present
+    line: "PASS_MIN_LEN        (ansible-populate var_accounts_password_minlen_login_defs)"
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: 
+  lineinfile:
+      create: yes
+      dest: /etc/security/pwquality.conf
+      regexp: '^#?\s*maxclassrepeat'
+      line: maxclassrepeat = (ansible-populate var_password_pam_maxclassrepeat)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Consecutive Repeating Characters
+  lineinfile:
+      create: yes
+      dest: /etc/security/pwquality.conf
+      regexp: '^#?\s*maxrepeat'
+      line: maxrepeat = (ansible-populate var_password_pam_maxrepeat)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_password_pam_minlen.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Length - /etc/security/pwquality.conf
+  lineinfile:
+    dest: /etc/security/pwquality.conf
+    regexp: ^minlen =
+    state: present
+    line: minlen = (ansible-populate var_password_pam_minlen)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Warning Age"
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^PASS_WARN_AGE *[0-9]*"
+    state: present
+    line: "PASS_WARN_AGE        (ansible-populate var_accounts_password_warn_age_login_defs)"
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/accounts_tmout.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Interactive Session Timeout
+  lineinfile:
+      create: yes
+      dest: /etc/profile
+      regexp: ^#?TMOUT
+      line: TMOUT=(ansible-populate var_accounts_tmout)
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd mail_acct Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "action_mail_acct = (ansible-populate var_auditd_action_mail_acct)"
+    state: present
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd admin_space_left Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "admin_space_left_action = (ansible-populate var_auditd_admin_space_left_action)"
+    regexp: "^admin_space_left_action*"
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_flush.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Flush Priority
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: '.*flush.*'
+    line: flush = data
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_max_log_file.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Max Log File Size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "max_log_file (ansible-populate var_auditd_max_log_file)"
+    state: present
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "max_log_file_action (ansible-populate var_auditd_max_log_file_action)"
+    state: present
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/auditd_data_retention_space_left_action.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd space_left Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: space_left_action = (ansible-populate var_auditd_space_left_action)
+    regexp: ^space_left_action*
+  #notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/bootloader_audit_argument.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon"
+  shell: /sbin/grubby --update-kernel=ALL --args="audit=1"
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/clean_components_post_updating.yml

@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Ensure YUM Removes Previous Package Versions"
+  lineinfile:
+      dest: /etc/yum.conf
+      regexp: ^#?clean_requirements_on_remove
+      line: clean_requirements_on_remove=1
+      insertafter: '\[main\]'
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/disable_host_auth.yml

@@ -3,11 +3,11 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable Host-Based Authentication"
+- name: Disable Host-Based Authentication
   lineinfile:
-    create=yes
-    dest="/etc/ssh/sshd_config"
-    regexp="^HostbasedAuthentication"
-    line="HostbasedAuthentication no"
+    create: yes
+    dest: /etc/ssh/sshd_config
+    regexp: ^HostbasedAuthentication
+    line: HostbasedAuthentication no
   tags:
     @ANSIBLE_TAGS@

shared/templates/static/ansible/enable_selinux_bootloader.yml

@@ -3,9 +3,9 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Ensure SELinux Not Disabled in /etc/default/grub"
+- name: Ensure SELinux Not Disabled in /etc/default/grub
   replace:
     dest: /etc/default/grub
-    regexp: "selinux=0"
+    regexp: selinux=0
   tags:
     @ANSIBLE_TAGS@

shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml

@@ -0,0 +1,21 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+#
+- name: Find All Yum Repositories
+  find:
+    paths: "/etc/yum.repos.d/"
+    patterns: "*.repo"
+  register: yum_find
+
+- name: Ensure gpgcheck Enabled For All Yum Package Repositories
+  with_items: "{{ yum_find.files }}"
+  lineinfile:
+    create: yes
+    dest: "{{ item.path }}"
+    regexp: '^gpgcheck'
+    line: 'gpgcheck=1'
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/ensure_redhat_gpgkey_installed.yml

@@ -13,21 +13,21 @@
 
 # It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.
 
-- name: "Read signatures in GPG key"
-  shell: "gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'"
+- name: Read signatures in GPG key
+  shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'
   changed_when: False
   register: gpg_fingerprints
   check_mode: no
   tags:
     @ANSIBLE_TAGS@
 
-- name: "Set Fact: Valid fingerprints"
+- name: Set Fact - Valid fingerprints
   set_fact:
      gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0")
   tags:
     @ANSIBLE_TAGS@
 
-- name: "Import RedHat GPG key"
+- name: Import RedHat GPG key
   rpm_key:
     state: present
     key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
@@ -38,4 +38,3 @@
     and (ansible_distribution == "RedHat")
   tags:
     @ANSIBLE_TAGS@
-

shared/templates/static/ansible/firewalld_sshd_port_enabled.yml

@@ -4,21 +4,21 @@
 # strategy = configure
 # disruption = low
 
-- name: "Enable SSHD in firewalld (custom port)"
+- name: Enable SSHD in firewalld (custom port)
   firewalld:
-    port="(ansible-populate sshd_listening_port)/tcp"
-    permanent="yes"
-    state="enabled"
-  when: "(ansible-populate sshd_listening_port)" != "22"
+    port: (ansible-populate sshd_listening_port)/tcp
+    permanent: yes
+    state: enabled
+  when: (ansible-populate sshd_listening_port) != 22
   tags:
     @ANSIBLE_TAGS@
 
-- name: "Enable SSHD in firewalld (default port)"
+- name: Enable SSHD in firewalld (default port)
   firewalld:
-    service="ssh"
-    permanent="yes"
-    state="enabled"
-  when: "(ansible-populate sshd_listening_port)" == "22"
+    service: ssh
+    permanent: yes
+    state: enabled
+  when: (ansible-populate sshd_listening_port) == 22
   tags:
     @ANSIBLE_TAGS@
 

shared/templates/static/ansible/no_direct_root_logins.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Direct root Logins Not Allowed"
+  shell: echo > /etc/securetty
+  tags:
+    @ANSIBLE_TAGS@

shared/templates/static/ansible/no_rsh_trust_files.yml

@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- block:
+    - name: "Detect shosts.equiv Files on the System"
+      find:
+          paths: /
+          recurse: yes
+          patterns: shosts.equiv
+      check_mode: no
+      register: shosts_equiv_locations
+
+    - name: "Remove Rsh Trust Files"
+      file:
+          path: "{{ item.path }}"
+          state: absent
+      with_items: "{{ shosts_equiv_locations }}"
+  when: shosts_equiv_locations
+  tags:
+    @ANSIBLE_TAGS@