ComplianceAsCode · mpreisler · Jul 24, 2017 · Jul 6, 2017 · Jul 6, 2017 · Jul 6, 2017
diff --git a/shared/templates/static/ansible/account_disable_post_pw_expiration.yml b/shared/templates/static/ansible/account_disable_post_pw_expiration.yml
@@ -3,12 +3,12 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: "Disable POST password expiration"
+- name: "Set Account Expiration Following Inactivity"
   lineinfile:
     create=yes
     dest="/etc/default/useradd"
     regexp="^INACTIVE"
-    line="INACTIVE=-1"
+    line="INACTIVE=(ansible-populate var_account_disable_post_pw_expiration)"
   tags:
     @ANSIBLE_TAGS@
 
diff --git a/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml b/shared/templates/static/ansible/accounts_max_concurrent_login_sessions.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
+  lineinfile:
+    state: present
+    dest: /etc/security/limits.conf
+    insertbefore: '^# End of file'
+    regexp: '^#?\\*.*maxlogins'
+    line: '*           hard    maxlogins     (ansible-populate var_accounts_max_concurrent_login_sessions)'
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml b/shared/templates/static/ansible/accounts_maximum_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Age
+  lineinfile:
+      create: yes
+      dest: /etc/login.defs
+      regexp: ^#?PASS_MAX_DAYS
+      line: PASS_MAX_DAYS (ansible-populate var_accounts_maximum_age_login_defs)
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml b/shared/templates/static/ansible/accounts_minimum_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Minimum Age
+  lineinfile:
+      create: yes
+      dest: /etc/login.defs
+      regexp: ^#?PASS_MIN_DAYS
+      line: PASS_MIN_DAYS (ansible-populate var_accounts_minimum_age_login_defs)
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml b/shared/templates/static/ansible/accounts_password_minlen_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Minimum Length in login.defs"
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^PASS_MIN_LEN *[0-9]*"
+    state: present
+    line: "PASS_MIN_LEN        (ansible-populate var_accounts_password_minlen_login_defs)"
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxclassrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: 
+  lineinfile:
+      create: yes
+      dest: /etc/security/pwquality.conf
+      regexp: '^#?\s*maxclassrepeat'
+      line: maxclassrepeat = (ansible-populate var_password_pam_maxclassrepeat)
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml b/shared/templates/static/ansible/accounts_password_pam_maxrepeat.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Maximum Consecutive Repeating Characters
+  lineinfile:
+      create: yes
+      dest: /etc/security/pwquality.conf
+      regexp: '^#?\s*maxrepeat'
+      line: maxrepeat = (ansible-populate var_password_pam_maxrepeat)
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_pam_minlen.yml b/shared/templates/static/ansible/accounts_password_pam_minlen.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Minimum Length - /etc/security/pwquality.conf"
+  lineinfile:
+    dest: /etc/security/pwquality.conf
+    regexp: "^minlen ="
+    state: present
+    line: "minlen = (ansible-populate var_password_pam_minlen)"
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml b/shared/templates/static/ansible/accounts_password_warn_age_login_defs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Set Password Warning Age"
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^PASS_WARN_AGE *[0-9]*"
+    state: present
+    line: "PASS_WARN_AGE        (ansible-populate var_accounts_password_warn_age_login_defs)"
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/accounts_tmout.yml b/shared/templates/static/ansible/accounts_tmout.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Interactive Session Timeout
+  lineinfile:
+      create: yes
+      dest: /etc/profile
+      regexp: ^#?TMOUT
+      line: TMOUT=(ansible-populate var_accounts_tmout)
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml b/shared/templates/static/ansible/auditd_data_retention_action_mail_acct.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd mail_acct Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "action_mail_acct = (ansible-populate var_auditd_action_mail_acct)"
+    state: present
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_admin_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd admin_space_left Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "admin_space_left_action = (ansible-populate var_auditd_admin_space_left_action)"
+    regexp: "^admin_space_left_action*"
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_flush.yml b/shared/templates/static/ansible/auditd_data_retention_flush.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Flush Priority
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: '.*flush.*'
+    line: flush = data
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd Max Log File Size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "max_log_file (ansible-populate var_auditd_max_log_file)"
+    state: present
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml b/shared/templates/static/ansible/auditd_data_retention_max_log_file_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "max_log_file_action (ansible-populate var_auditd_max_log_file_action)"
+    state: present
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml b/shared/templates/static/ansible/auditd_data_retention_space_left_action.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Configure auditd space_left Action on Low Disk Space
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    line: "space_left_action = (ansible-populate var_auditd_space_left_action)"
+    regexp: "^space_left_action*"
+  notify: reload auditd
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/bootloader_audit_argument.yml b/shared/templates/static/ansible/bootloader_audit_argument.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon"
+  shell: /sbin/grubby --update-kernel=ALL --args="audit=1"
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/clean_components_post_updating.yml b/shared/templates/static/ansible/clean_components_post_updating.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Ensure YUM Removes Previous Package Versions"
+  lineinfile:
+      dest: /etc/yum.conf
+      regexp: ^#?clean_requirements_on_remove
+      line: clean_requirements_on_remove=1
+      insertafter: '\[main\]'
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml b/shared/templates/static/ansible/ensure_gpgcheck_never_disabled.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+#
+- name: Find All Yum Repositories
+  find:
+    paths: "/etc/yum.repos.d/"
+    patterns: "*.repo"
+  register: yum_find
+
+- name: Ensure gpgcheck Enabled For All Yum Package Repositories
+  with_items: "{{ yum_find.files }}"
+  lineinfile:
+    create: yes
+    dest: "{{ item.path }}"
+    regexp: '^gpgcheck'
+    line: 'gpgcheck=1'
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/no_direct_root_logins.yml b/shared/templates/static/ansible/no_direct_root_logins.yml
@@ -0,0 +1,9 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Direct root Logins Not Allowed"
+  shell: echo > /etc/securetty
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/no_rsh_trust_files.yml b/shared/templates/static/ansible/no_rsh_trust_files.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- block:
+    - name: "Detect shosts.equiv Files on the System"
+      find:
+          paths: /
+          recurse: yes
+          patterns: shosts.equiv
+      check_mode: no
+      register: shosts_equiv_locations
+
+    - name: "Remove Rsh Trust Files"
+      file:
+          path: "{{ item.path }}"
+          state: absent
+      with_items: "{{ shosts_equiv_locations }}"
+  when: shosts_equiv_locations
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/require_smb_client_signing.yml b/shared/templates/static/ansible/require_smb_client_signing.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_rhel, multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+- name: Check if /etc/samba/smb.conf exists
+  stat:
+    path: /etc/samba/smb.conf
+  register: st_smb
+  tags:
+    @ANSIBLE_TAGS@
+
+- name: Require Client SMB Packet Signing, if using smbclient
+  lineinfile:
+    dest: /etc/samba/smb.conf
+    line: "client signing = mandatory"
+    state: present
+    insertafter: "[global]"
+  when: st_smb.stat.exists
+  tags:
+    @ANSIBLE_TAGS@
+
diff --git a/shared/templates/static/ansible/restrict_serial_port_logins.yml b/shared/templates/static/ansible/restrict_serial_port_logins.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Restrict Serial Port Root Logins"
+  lineinfile:
+    dest: /etc/securetty
+    regexp: 'ttyS[0-9]'
+    state: absent
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/securetty_root_login_console_only.yml b/shared/templates/static/ansible/securetty_root_login_console_only.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Restrict Virtual Console Root Logins"
+  lineinfile:
+    dest: /etc/securetty
+    regexp: '^vc'
+    state: absent
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_libuserconf.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/libuser.conf
+  lineinfile:
+    dest: /etc/libuser.conf
+    insertafter: "^.default]"
+    regexp: ^#?crypt_style
+    line: crypt_style = sha512
+    state: present
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml b/shared/templates/static/ansible/set_password_hashing_algorithm_logindefs.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Set Password Hashing Algorithm in /etc/login.defs
+  lineinfile:
+      dest: /etc/login.defs
+      regexp: ^#?ENCRYPT_METHOD
+      line: ENCRYPT_METHOD SHA512
+      state: present
+  tags:
+    @ANSIBLE_TAGS@
diff --git a/shared/templates/static/ansible/sshd_allow_only_protocol2.yml b/shared/templates/static/ansible/sshd_allow_only_protocol2.yml
@@ -9,6 +9,7 @@
     dest: /etc/ssh/sshd_config
     regexp: "^Protocol [0-9]"
     line: "Protocol 2"
+    validate: sshd -t -f %s
   notify:
     - reload ssh
   tags: