Additional Ansible Scripts #2134
@@ -0,0 +1,14 @@ | ||
# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6 | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Limit the Number of Concurrent Login Sessions Allowed Per User" | ||
lineinfile: | ||
state: present | ||
dest: /etc/security/limits.conf | ||
insertbefore: '^# End of file' | ||
regexp: '^#?\\*.*maxlogins' | ||
line: '* hard maxlogins (ansible-populate var_accounts_max_concurrent_login_sessions)' | ||
tags: | ||
@ANSIBLE_TAGS@ |
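Review bot: The `regexp` on the maxlogins task is broader than intended: inside YAML single quotes `'^#?\\*.*maxlogins'` reaches the regex engine as `^#?\\*.*maxlogins`, where `\\*` means "zero or more literal backslashes", so any line containing `maxlogins` matches — including the `#        - maxlogins - max number of logins for this user` comment line that the stock limits.conf ships, and any per-user or per-group maxlogins entry — and lineinfile rewrites the last such match rather than the wildcard entry. Anchor it on the wildcard entry: `regexp: '^#?\*\s+hard\s+maxlogins'`. The `# platform =` header in this file also uses a different spelling from the other new files (`multi_platform_fedora, Red Hat Enterprise Linux 7, ...` versus `multi_platform_rhel,multi_platform_fedora`); worth confirming the build tooling accepts both forms.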
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Password Maximum Age | ||
lineinfile: | ||
create: yes | ||
dest: /etc/login.defs | ||
regexp: ^#?PASS_MAX_DAYS | ||
line: PASS_MAX_DAYS (ansible-populate var_accounts_maximum_age_login_defs) | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Password Minimum Age | ||
lineinfile: | ||
create: yes | ||
dest: /etc/login.defs | ||
regexp: ^#?PASS_MIN_DAYS | ||
line: PASS_MIN_DAYS (ansible-populate var_accounts_minimum_age_login_defs) | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Set Password Minimum Length in login.defs" | ||
lineinfile: | ||
dest: /etc/login.defs | ||
regexp: "^PASS_MIN_LEN *[0-9]*" | ||
state: present | ||
line: "PASS_MIN_LEN (ansible-populate var_accounts_password_minlen_login_defs)" | ||
tags: | ||
@ANSIBLE_TAGS@ |
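Review bot: The `regexp: "^PASS_MIN_LEN *[0-9]*"` only matches an already-active setting, whereas the sibling login.defs tasks in this PR (PASS_MAX_DAYS, PASS_MIN_DAYS, ENCRYPT_METHOD) use the `^#?KEY` form that also takes over a commented-out default; the trailing ` *[0-9]*` adds nothing because it can match the empty string. The PASS_WARN_AGE file has the same pattern. For consistency and predictable edits: `regexp: ^#?PASS_MIN_LEN` (and `^#?PASS_WARN_AGE`). Behaviour is the same when the key is already uncommented, so this is mainly about readability.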
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: | ||
lineinfile: | ||
create: yes | ||
dest: /etc/security/pwquality.conf | ||
regexp: '^#?\s*maxclassrepeat' | ||
line: maxclassrepeat = (ansible-populate var_password_pam_maxclassrepeat) | ||
tags: | ||
@ANSIBLE_TAGS@ |
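Review bot: The task in this file has an empty `name:`, so it appears in play output with no description, unlike every other task in the PR. Give it a title in the same style as the neighbouring maxrepeat file, for example `- name: Set Password Maximum Consecutive Repeating Characters from Same Class` (constructed wording; match the rule's title in the XCCDF).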
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Password Maximum Consecutive Repeating Characters | ||
lineinfile: | ||
create: yes | ||
dest: /etc/security/pwquality.conf | ||
regexp: '^#?\s*maxrepeat' | ||
line: maxrepeat = (ansible-populate var_password_pam_maxrepeat) | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Set Password Minimum Length - /etc/security/pwquality.conf" | ||
lineinfile: | ||
dest: /etc/security/pwquality.conf | ||
regexp: "^minlen =" | ||
state: present | ||
line: "minlen = (ansible-populate var_password_pam_minlen)" | ||
tags: | ||
@ANSIBLE_TAGS@ |
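Review bot: `regexp: "^minlen ="` on the pwquality minlen task only matches an uncommented setting written with spaces around `=`; the stock pwquality.conf ships `# minlen = 8` commented out, and a hand-edited `minlen=8` would not match either, so a second `minlen` line is appended instead of the existing one being rewritten. The maxrepeat and maxclassrepeat tasks in this PR already use the tolerant form; align this one with `regexp: '^#?\s*minlen'`.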
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Set Password Warning Age" | ||
lineinfile: | ||
dest: /etc/login.defs | ||
regexp: "^PASS_WARN_AGE *[0-9]*" | ||
state: present | ||
line: "PASS_WARN_AGE (ansible-populate var_accounts_password_warn_age_login_defs)" | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Interactive Session Timeout | ||
lineinfile: | ||
create: yes | ||
dest: /etc/profile | ||
regexp: ^#?TMOUT | ||
line: TMOUT=(ansible-populate var_accounts_tmout) | ||
tags: | ||
@ANSIBLE_TAGS@ |
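Review bot: The TMOUT task writes a plain shell assignment to /etc/profile, which an interactive user can override or unset in their own session, so the timeout is advisory rather than enforced. If enforcement is the goal, the variable also needs to be marked read-only and exported (`readonly TMOUT` and `export TMOUT` after the assignment), which a single-`line:` lineinfile cannot express cleanly — `blockinfile` or additional lineinfile calls would be needed; please confirm which behaviour the rule intends. `create: yes` on /etc/profile is also surprising, since the file always exists on the targeted platforms, and can be dropped.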
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd mail_acct Action on Low Disk Space | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
line: "action_mail_acct = (ansible-populate var_auditd_action_mail_acct)" | ||
state: present | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
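Review bot: The action_mail_acct task has no `regexp`, so lineinfile only checks for the exact rendered line and appends a new one whenever an existing `action_mail_acct = root` (the shipped default) differs, leaving two `action_mail_acct` entries in auditd.conf. The max_log_file and max_log_file_action files in this PR have the same gap, while the space_left_action and admin_space_left_action files do carry a `regexp`. Add `regexp: "^action_mail_acct\s*="` here and the equivalent key pattern in the other two.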
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd admin_space_left Action on Low Disk Space | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
line: "admin_space_left_action = (ansible-populate var_auditd_admin_space_left_action)" | ||
regexp: "^admin_space_left_action*" | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
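Review bot: In `regexp: "^admin_space_left_action*"` the trailing `*` quantifies only the final `n`, so it is not the glob-style "anything after" it reads as; the space_left_action file uses the same pattern. It still matches the intended line, but `regexp: "^admin_space_left_action\s*="` (and `"^space_left_action\s*="`) says what is meant and cannot match an unrelated key that happens to share the prefix.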
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd Flush Priority | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
regexp: '.*flush.*' | ||
line: flush = data | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
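Review bot: `regexp: '.*flush.*'` is unanchored, so the flush task rewrites the last line in auditd.conf that contains the substring `flush` anywhere — a comment or a future key with that substring would be replaced rather than the `flush =` setting. Use `regexp: '^#?\s*flush\s*='`. The value `flush = data` is also hard-coded while every other auditd task here populates from a variable; if the rule exposes one for flush, use `(ansible-populate ...)` for consistency.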
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd Max Log File Size | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
line: "max_log_file (ansible-populate var_auditd_max_log_file)" | ||
state: present | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
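Review bot: `line: "max_log_file (ansible-populate var_auditd_max_log_file)"` renders without the `=` that auditd.conf's `keyword = value` format requires, so the written line is not a valid setting as far as I know auditd's parser; the max_log_file_action file has the same omission. The other auditd tasks in this PR use `key = value`; change to `line: "max_log_file = (ansible-populate var_auditd_max_log_file)"` and likewise `max_log_file_action = ...`.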
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
line: "max_log_file_action (ansible-populate var_auditd_max_log_file_action)" | ||
state: present | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Configure auditd space_left Action on Low Disk Space | ||
lineinfile: | ||
dest: /etc/audit/auditd.conf | ||
line: "space_left_action = (ansible-populate var_auditd_space_left_action)" | ||
regexp: "^space_left_action*" | ||
notify: reload auditd | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,9 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = true | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon" | ||
shell: /sbin/grubby --update-kernel=ALL --args="audit=1" | ||
tags: | ||
@ANSIBLE_TAGS@ |
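Review bot: The grubby task uses `shell:` for a single command that needs no shell features, so `command:` is the safer choice (the argument string is not re-interpreted by a shell): `command: /sbin/grubby --update-kernel=ALL --args="audit=1"`. As written it also reports `changed` on every run since there is no `changed_when` or guard; registering the current kernel arguments first (e.g. from `grubby --info=ALL`) and gating on the absence of `audit=1` would make it idempotent, though I have not verified grubby's exact output format here.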
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Ensure YUM Removes Previous Package Versions" | ||
lineinfile: | ||
dest: /etc/yum.conf | ||
regexp: ^#?clean_requirements_on_remove | ||
line: clean_requirements_on_remove=1 | ||
insertafter: '\[main\]' | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,21 @@ | ||
# platform = multi_platform_rhel | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this whole file needs @ANSIBLE_TAGS@ There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. resolved in cdc97d6 |
||
# reboot = false | ||
# strategy = unknown | ||
# complexity = low | ||
# disruption = medium | ||
# | ||
- name: Find All Yum Repositories | ||
find: | ||
paths: "/etc/yum.repos.d/" | ||
patterns: "*.repo" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. needs There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm learning ansible as I go here. If I understand check_mode correctly, this still should run in check mode to populate the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, you are correct. This does not need |
||
register: yum_find | ||
|
||
- name: Ensure gpgcheck Enabled For All Yum Package Repositories | ||
with_items: "{{ yum_find.files }}" | ||
lineinfile: | ||
create: yes | ||
dest: "{{ item.path }}" | ||
regexp: '^gpgcheck' | ||
line: 'gpgcheck=1' | ||
tags: | ||
@ANSIBLE_TAGS@ |
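Review bot: `lineinfile` with `regexp: '^gpgcheck'` replaces only the last matching line in each file, so a `.repo` file with several `[sections]` that each carry `gpgcheck=0` is only partly fixed, and nothing enforces the setting in sections that omit the key. The `replace` module handles every occurrence, and `create: yes` can go because the paths come from `find`. Sections with no `gpgcheck` key at all fall back to the value in /etc/yum.conf, so a separate check for that is worth considering.
```yaml
- name: Ensure gpgcheck Enabled For All Yum Package Repositories
  with_items: "{{ yum_find.files }}"
  replace:
    dest: "{{ item.path }}"
    regexp: '^gpgcheck\s*=\s*0'
    replace: 'gpgcheck=1'
  # … unchanged: tags …
```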
@@ -0,0 +1,9 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Direct root Logins Not Allowed" | ||
shell: echo > /etc/securetty | ||
tags: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Using |
||
@ANSIBLE_TAGS@ |
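Review bot: `shell: echo > /etc/securetty` reports `changed` on every run and is skipped in check mode, so the rule can never be audited without also applying it. The `copy` module does the same job idempotently and honours check mode: `copy:` / `content: ""` / `dest: /etc/securetty`. This file also overlaps with the two other securetty tasks in this PR (serial port and virtual console), which only strip specific entries; once this one has run they have nothing left to remove, which is fine but worth a comment in the header so the relationship is clear.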
@@ -0,0 +1,22 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- block: | ||
- name: "Detect shosts.equiv Files on the System" | ||
find: | ||
paths: / | ||
recurse: yes | ||
patterns: shosts.equiv | ||
check_mode: no | ||
register: shosts_equiv_locations | ||
|
||
- name: "Remove Rsh Trust Files" | ||
file: | ||
path: "{{ item.path }}" | ||
state: absent | ||
with_items: "{{ shosts_equiv_locations }}" | ||
when: shosts_equiv_locations | ||
tags: | ||
@ANSIBLE_TAGS@ |
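Review bot: The removal task iterates `with_items: "{{ shosts_equiv_locations }}"`, which is the registered result dictionary rather than the list of matches; `find` returns the matches under `.files`, so `item.path` is undefined for the dictionary's keys. `when: shosts_equiv_locations` is likewise always true, because the registered dictionary is non-empty even when nothing was found. Change to `with_items: "{{ shosts_equiv_locations.files }}"` and `when: shosts_equiv_locations.matched > 0`. Recursing from `paths: /` also descends into /proc, /sys and any network mounts, which can be slow or hang; restricting the search paths is worth considering. The indentation that would show whether the trailing `tags:` belongs to the `block:` or only to the last task is lost in this rendering, so I cannot tell whether both tasks are tagged.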
@@ -0,0 +1,22 @@ | ||
# platform = multi_platform_rhel, multi_platform_fedora | ||
# reboot = false | ||
# strategy = configure | ||
# complexity = low | ||
# disruption = medium | ||
- name: Check if /etc/samba/smb.conf exists | ||
stat: | ||
path: /etc/samba/smb.conf | ||
register: st_smb | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. check_mode no There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. all items related to the rule need @ANSIBLE_TAGS@ That way if you just select one rule by its tag it will work. Otherwise it would skip the register tag and then use undeclared variables. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Believe this needs check_mode to populate the st_smb variable There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, you are right, since it's not |
||
tags: | ||
@ANSIBLE_TAGS@ | ||
|
||
- name: Require Client SMB Packet Signing, if using smbclient | ||
lineinfile: | ||
dest: /etc/samba/smb.conf | ||
line: "client signing = mandatory" | ||
state: present | ||
insertafter: "[global]" | ||
when: st_smb.stat.exists | ||
tags: | ||
@ANSIBLE_TAGS@ | ||
|
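Review bot: `insertafter: "[global]"` is a regular expression, and unescaped `[global]` is a character class matching any single one of the letters g, l, o, b, a, so the new line is placed after the last line in smb.conf containing any of those letters — very likely inside another share section rather than under `[global]`. The yum.conf task in this PR escapes its section header (`'\[main\]'`); do the same here with `insertafter: '^\[global\]'`, and add `regexp: '^\s*client signing\s*='` so an existing `client signing` setting is rewritten rather than left alongside the new line.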
@@ -0,0 +1,12 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Restrict Serial Port Root Logins" | ||
lineinfile: | ||
dest: /etc/securetty | ||
regexp: 'ttyS[0-9]' | ||
state: absent | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,12 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: "Restrict Virtual Console Root Logins" | ||
lineinfile: | ||
dest: /etc/securetty | ||
regexp: '^vc' | ||
state: absent | ||
tags: | ||
@ANSIBLE_TAGS@ |
@@ -0,0 +1,14 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Password Hashing Algorithm in /etc/libuser.conf | ||
lineinfile: | ||
dest: /etc/libuser.conf | ||
insertafter: "^.default]" | ||
regexp: ^#?crypt_style | ||
line: crypt_style = sha512 | ||
state: present | ||
tags: | ||
@ANSIBLE_TAGS@ |
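Review bot: `insertafter: "^.default]"` looks like an under-escaped section header; the `.` matches any single character, and as far as I recall the section in the stock /etc/libuser.conf is spelled `[defaults]`, which this pattern never matches, so lineinfile silently falls back to appending at end of file whenever the `crypt_style` key is absent. On a default system the bug is masked because `regexp: ^#?crypt_style` matches the shipped `crypt_style = des` line. Please confirm the section name and use `insertafter: '^\[defaults\]'` (or `'^\[default\]'` if the file differs).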
@@ -0,0 +1,13 @@ | ||
# platform = multi_platform_rhel,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
- name: Set Password Hashing Algorithm in /etc/login.defs | ||
lineinfile: | ||
dest: /etc/login.defs | ||
regexp: ^#?ENCRYPT_METHOD | ||
line: ENCRYPT_METHOD SHA512 | ||
state: present | ||
tags: | ||
@ANSIBLE_TAGS@ |
|
@@ -9,6 +9,7 @@ | |
dest: /etc/ssh/sshd_config | ||
regexp: "^Protocol [0-9]" | ||
line: "Protocol 2" | ||
validate: sshd -t -f %s | ||
notify: | ||
- reload ssh | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. needs to be commented as well |
||
tags: | ||
|
will this work as is or do we need ansible handlers defined for this?
@mpreisler: shoot, you're right. I can take the
notify
out for now... how would we create handlers?
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's comment it or something so that we can grep for it when we implement handlers