Centos 7.6 ansible playbook for NIST
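---
# NIST 800-171 baseline for CentOS/RHEL 7 (written against CentOS 7.6).
#
# Read before running this against a host you cannot reach out-of-band:
#   * Direct root login is removed everywhere (empty /etc/securetty,
#     PermitRootLogin no) and root is locked after 3 failed logins with
#     unlock_time=never.  Only `faillock --user root --reset` run by another
#     administrator, or rescue media, clears that lock.
#   * The firewalld default zone becomes `drop`.  SSH is allowed in that zone
#     *before* the switch so the running Ansible session survives it.
#   * `-e 2` locks the audit rule set: after the first run, rule changes only
#     take effect after a reboot.
#   * /dev/shm is remounted noexec,nodev,nosuid and the usb-storage module is
#     disabled; check that nothing on the host depends on either.
- name: NIST 800-171 Security Configuration
  hosts: all
  become: true

  vars:
    # sshd ClientAliveInterval, seconds.
    sshd_idle_timeout_value: "600"
    # SHA-2 HMACs only.  The original list also offered hmac-sha1 and
    # hmac-sha1-etm@openssh.com; SHA-1 MACs are no longer recommended and any
    # client able to talk to OpenSSH 7.4 supports the SHA-2 variants.  Re-add
    # them only for a documented legacy client.
    sshd_approved_macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
    # AEAD and CTR ciphers only.  The original list also offered the aes*-cbc
    # ciphers and 3des-cbc: SSH CBC mode has a known plaintext-recovery
    # weakness (CVE-2008-5161) and 3DES's 64-bit block is subject to Sweet32
    # (CVE-2016-2183).  These algorithms are also available under fips=1 on
    # RHEL 7 — verify against your OpenSSH build if FIPS mode is enabled.
    sshd_approved_ciphers: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
    # Used only for the firewall rule; the play does not change sshd's Port.
    # A non-22 port also needs an SELinux port label (semanage port -a -t
    # ssh_port_t) that this play does not add.
    sshd_listening_port: "22"

    # IPv6: no source routing, no forwarding, no redirects, no router adverts.
    sysctl_net_ipv6_conf_default_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_accept_source_route_value: "0"
    sysctl_net_ipv6_conf_all_forwarding_value: "0"
    sysctl_net_ipv6_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv6_conf_default_accept_ra_value: "0"
    sysctl_net_ipv6_conf_all_accept_ra_value: "0"
    sysctl_net_ipv6_conf_default_accept_redirects_value: "0"
    # IPv4: ignore bogus ICMP, log martians, no redirects, no forwarding.
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: "1"
    sysctl_net_ipv4_conf_default_log_martians_value: "1"
    sysctl_net_ipv4_conf_all_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_default_secure_redirects_value: "0"
    sysctl_net_ipv4_conf_all_accept_redirects_value: "0"
    sysctl_net_ipv4_conf_all_log_martians_value: "1"
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: "1"
    sysctl_net_ipv4_ip_forward: "0"

    # Account/password policy.
    var_account_disable_post_pw_expiration: "35"
    var_accounts_password_minlen_login_defs: "15"
    var_accounts_minimum_age_login_defs: "7"
    var_accounts_maximum_age_login_defs: "60"
    var_accounts_passwords_pam_faillock_deny: "3"
    # "never" plus even_deny_root means a locked root stays locked until an
    # administrator resets it — see the header comment.
    var_accounts_passwords_pam_faillock_unlock_time: "never"
    var_accounts_passwords_pam_faillock_fail_interval: "900"
    var_password_pam_unix_remember: "5"
    var_password_pam_minlen: "{{ var_accounts_password_minlen_login_defs }}"
    var_password_pam_maxclassrepeat: "4"
    var_password_pam_dcredit: "-1"
    var_password_pam_minclass: "4"
    var_password_pam_difok: "8"
    var_password_pam_ocredit: "-1"
    var_password_pam_lcredit: "-1"
    var_password_pam_ucredit: "-1"
    var_accounts_tmout: "600"
    var_accounts_fail_delay: "4"
    var_accounts_max_concurrent_login_sessions: "10"
    # pam_faillock argument lists shared by the insert and normalise tasks.
    # preauth (before pam_unix) only checks the counter; authfail (after
    # pam_unix) is the line that records a failure.  The original play used
    # preauth on both lines, so failures were never counted.
    pam_faillock_preauth_args:
      - preauth
      - silent
      - even_deny_root
      - "deny={{ var_accounts_passwords_pam_faillock_deny }}"
      - "unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}"
      - "fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}"
    pam_faillock_authfail_args:
      - authfail
      - silent
      - even_deny_root
      - "deny={{ var_accounts_passwords_pam_faillock_deny }}"
      - "unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}"
      - "fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}"

    # auditd disk-space actions.  "single" drops to single-user mode when the
    # admin threshold is hit; "email" needs action_mail_acct and a working
    # local MTA, otherwise the warning is lost.
    var_auditd_admin_space_left_action: "single"
    var_auditd_space_left_action: "email"
    # Currently unused: the rule set below hard-codes b32 and b64 (x86_64).
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)', '\\1') }}"
    combined_audit_file: "/etc/audit/rules.d/all.rules"

  pre_tasks:
    # firewalld is only installed here; it is enabled in the Firewall section
    # once the SSH rule is in place.
    - name: Install firewalld
      yum:
        name: firewalld
        state: present
    # Full update on every run.  This can pull a new kernel that needs a
    # reboot; schedule accordingly.
    - name: Update all packages
      yum:
        name: "*"
        state: latest

  tasks:
    #
    # Kernel
    #
    # Crash dumps can contain secrets from memory, and kexec is disabled by
    # sysctl below anyway.  The unit may not exist (kdump.socket never does
    # on CentOS 7), which the service module reports as a failure.
    - name: Disable and stop kdump
      service:
        name: "{{ item }}"
        enabled: false
        state: stopped
      loop:
        - kdump
        - kdump.socket
      register: kdump_result
      failed_when: >-
        kdump_result is failed and
        'Could not find the requested service' not in (kdump_result.msg | default(''))

    # `reload: true` runs `sysctl -p` so the value is live as well as written
    # to /etc/sysctl.conf.
    - name: Set kernel sysctl hardening values
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        # --- IPv6 ---
        - name: net.ipv6.conf.default.accept_source_route
          value: "{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}"
        - name: net.ipv6.conf.all.accept_source_route
          value: "{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}"
        - name: net.ipv6.conf.all.forwarding
          value: "{{ sysctl_net_ipv6_conf_all_forwarding_value }}"
        - name: net.ipv6.conf.all.accept_redirects
          value: "{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}"
        - name: net.ipv6.conf.default.accept_redirects
          value: "{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}"
        - name: net.ipv6.conf.default.accept_ra
          value: "{{ sysctl_net_ipv6_conf_default_accept_ra_value }}"
        - name: net.ipv6.conf.all.accept_ra
          value: "{{ sysctl_net_ipv6_conf_all_accept_ra_value }}"
        # Disable IPv6 on existing interfaces (all) and on interfaces that
        # appear later (default).  The original only set `all`, so a
        # hot-plugged interface (VPN tun, container veth) kept IPv6.  `all`
        # includes lo, so ::1 disappears: services bound to ::1 must be
        # configured for IPv4 only.
        - name: net.ipv6.conf.all.disable_ipv6
          value: "1"
        - name: net.ipv6.conf.default.disable_ipv6
          value: "1"
        # --- IPv4 ---
        - name: net.ipv4.icmp_ignore_bogus_error_responses
          value: "{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}"
        - name: net.ipv4.icmp_echo_ignore_broadcasts
          value: "{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}"
        - name: net.ipv4.conf.all.log_martians
          value: "{{ sysctl_net_ipv4_conf_all_log_martians_value }}"
        - name: net.ipv4.conf.default.log_martians
          value: "{{ sysctl_net_ipv4_conf_default_log_martians_value }}"
        - name: net.ipv4.conf.all.secure_redirects
          value: "{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}"
        - name: net.ipv4.conf.default.secure_redirects
          value: "{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}"
        - name: net.ipv4.conf.all.accept_redirects
          value: "{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}"
        # The next three mirror the IPv6 block above, which already covers
        # both `all` and `default` and rejects source-routed packets; the
        # original IPv4 block left them out.
        - name: net.ipv4.conf.default.accept_redirects
          value: "0"
        - name: net.ipv4.conf.all.accept_source_route
          value: "0"
        - name: net.ipv4.conf.default.accept_source_route
          value: "0"
        - name: net.ipv4.conf.all.send_redirects
          value: "0"
        - name: net.ipv4.conf.default.send_redirects
          value: "0"
        - name: net.ipv4.ip_forward
          value: "{{ sysctl_net_ipv4_ip_forward }}"
        # --- Other kernel hardening ---
        - name: fs.suid_dumpable
          value: "0"
        - name: kernel.randomize_va_space
          value: "2"
        - name: kernel.dmesg_restrict
          value: "1"
        - name: kernel.kptr_restrict
          value: "1"
        # Irreversible until reboot; blocks kexec (and therefore kdump).
        - name: kernel.kexec_load_disabled
          value: "1"

    #
    # Disable uncommon network protocols, Bluetooth and unneeded filesystems
    #
    # An `install <module> /bin/true` stanza makes every modprobe of the
    # module (including alias-driven autoload) a no-op.  It does not unload a
    # module that is already loaded; a reboot finishes the job.  The regexp
    # is anchored so e.g. the hfs entry cannot match an hfsplus line.
    - name: Disable unnecessary kernel modules
      lineinfile:
        path: "/etc/modprobe.d/{{ item }}.conf"
        create: true
        regexp: '^\s*install\s+{{ item }}\b'
        line: "install {{ item }} /bin/true"
      loop:
        - dccp
        - sctp
        - bluetooth
        - hfs
        - usb-storage
        - freevxfs
        - squashfs
        - hfsplus
        - jffs2
        - cramfs

    #
    # OpenSSH
    #
    # One task drives every sshd_config directive.  The regexp matches an
    # active or commented-out directive at column 0 (sshd keywords are
    # case-insensitive), so the stock commented default is replaced instead of
    # a duplicate being appended; the leading whitespace of Match-block lines
    # is deliberately not matched.  When the directive is absent it is
    # inserted before the first Match block (or at EOF if there is none) so
    # it stays global.  Every write is validated with `sshd -t`, and sshd is
    # reloaded at the end of the play — the original never reloaded it, so
    # its changes only applied after a restart or reboot.
    - name: Configure sshd
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        regexp: '(?i)^#?{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: '^Match\b'
        firstmatch: true
        validate: sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: IgnoreUserKnownHosts, value: "yes" }
        - { key: PermitEmptyPasswords, value: "no" }
        # 0 = drop the session the first time the client misses an alive
        # probe, i.e. after ClientAliveInterval seconds idle, on OpenSSH 7.4.
        # OpenSSH 8.2+ changed the meaning of 0 to "never disconnect"; use 1
        # if this play is ever pointed at a newer OpenSSH.
        - { key: ClientAliveCountMax, value: "0" }
        - { key: ClientAliveInterval, value: "{{ sshd_idle_timeout_value }}" }
        - { key: Ciphers, value: "{{ sshd_approved_ciphers }}" }
        - { key: MACs, value: "{{ sshd_approved_macs }}" }
        # Accepted by OpenSSH 7.4 (CentOS 7); the directive was removed in
        # 7.5, where `sshd -t` rejects it.
        - { key: UsePrivilegeSeparation, value: sandbox }
        - { key: GSSAPIAuthentication, value: "no" }
        - { key: Compression, value: delayed }
        - { key: PermitUserEnvironment, value: "no" }
        - { key: Banner, value: /etc/issue }
      loop_control:
        label: "{{ item.key }}"
      notify: reload sshd

    # The original used with_fileglob, which expands the glob on the
    # *control node*; the paths it chmod-ed were whatever happened to exist
    # on the controller.  `find` runs on the managed host.
    - name: Find SSH host public keys
      find:
        paths: /etc/ssh
        patterns: "*.pub"
      register: ssh_public_keys
    - name: Ensure permission 0644 on /etc/ssh/*.pub
      file:
        path: "{{ item.path }}"
        mode: "0644"
      loop: "{{ ssh_public_keys.files }}"
      loop_control:
        label: "{{ item.path }}"
    - name: Find SSH host private keys
      find:
        paths: /etc/ssh
        patterns: "*_key"
      register: ssh_private_keys
    # sshd reads the host keys as root, so 0600 is sufficient (and stricter
    # than the 0640 root:ssh_keys the CentOS 7 sshd-keygen service creates).
    - name: Ensure permission 0600 on /etc/ssh/*_key
      file:
        path: "{{ item.path }}"
        mode: "0600"
      loop: "{{ ssh_private_keys.files }}"
      loop_control:
        label: "{{ item.path }}"

    #
    # AIDE
    #
    # Build the reference database once and check weekly.  The original ran
    # `aide --init` on every play and then never installed the result (its
    # copy was guarded by "aide.db.new.gz does not exist", which is always
    # false right after --init), so the cron `aide --check` had no database.
    # mailx provides the /bin/mail the cron job pipes into; delivery to
    # root@localhost still needs the local MTA (postfix on CentOS 7).
    - name: Ensure AIDE and the mail client used by the cron job are installed
      package:
        name:
          - aide
          - mailx
        state: present
    - name: Check for an existing AIDE reference database
      stat:
        path: /var/lib/aide/aide.db.gz
      register: aide_db
    - name: Initialise the AIDE database (first run only; this takes a while)
      command: /usr/sbin/aide --init
      when: not aide_db.stat.exists
    - name: Install the freshly built database as the reference database
      copy:
        src: /var/lib/aide/aide.db.new.gz
        dest: /var/lib/aide/aide.db.gz
        remote_src: true
        backup: true
      when: not aide_db.stat.exists
    - name: Run an AIDE integrity check every Sunday at 04:05 and mail the report to root
      cron:
        name: "run AIDE check"
        minute: "05"
        hour: "04"
        weekday: "0"
        user: root
        job: "/usr/sbin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost"

    #
    # Package manager
    #
    # gpgcheck covers repository packages, localpkg_gpgcheck covers `yum
    # install ./foo.rpm`; the original only set the latter, so an unsigned
    # repository package would still install.  Selecting on ansible_pkg_mgr
    # avoids editing /etc/yum.conf on Fedora, where it is a symlink to
    # dnf.conf that ini_file would replace with a regular file.
    - name: Harden yum.conf
      ini_file:
        path: /etc/yum.conf
        section: main
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: true
      loop:
        - { option: clean_requirements_on_remove, value: "1" }
        - { option: gpgcheck, value: "1" }
        - { option: localpkg_gpgcheck, value: "1" }
      when: ansible_pkg_mgr == "yum"
    - name: Harden dnf.conf
      ini_file:
        path: /etc/dnf/dnf.conf
        section: main
        option: "{{ item.option }}"
        value: "{{ item.value }}"
        create: true
      loop:
        - { option: clean_requirements_on_remove, value: "1" }
        - { option: gpgcheck, value: "1" }
        - { option: localpkg_gpgcheck, value: "1" }
      when: ansible_pkg_mgr == "dnf"

    #
    # Firewall
    #
    # Order matters.  The original compared the string "22" with the integer
    # 22 (always false, so the ssh rule was never added), wrote
    # DefaultZone=drop without reloading, and restarted firewalld: the next
    # reload or reboot would have cut off SSH.  Here SSH is allowed in the
    # drop zone first (runtime + permanent), then the default zone is
    # switched with firewall-cmd, which applies and persists in one step.
    # Interfaces pinned to another zone (ZONE= in ifcfg) are not affected by
    # the default-zone change.
    - name: Enable and start firewalld
      service:
        name: firewalld
        enabled: true
        state: started
    - name: Allow SSH (default port) in the drop zone
      firewalld:
        zone: drop
        service: ssh
        permanent: true
        immediate: true
        state: enabled
      when: sshd_listening_port | int == 22
    - name: Allow SSH (non-default port) in the drop zone
      firewalld:
        zone: drop
        port: "{{ sshd_listening_port }}/tcp"
        permanent: true
        immediate: true
        state: enabled
      when: sshd_listening_port | int != 22
    - name: Read the firewalld log-denied setting
      command: firewall-cmd --get-log-denied
      register: fw_log_denied
      changed_when: false
      check_mode: false
    - name: Log all denied packets
      command: firewall-cmd --set-log-denied=all
      when: fw_log_denied.stdout != "all"
    - name: Read the firewalld default zone
      command: firewall-cmd --get-default-zone
      register: fw_default_zone
      changed_when: false
      check_mode: false
    - name: Set the default firewall zone to drop (runtime and permanent)
      command: firewall-cmd --set-default-zone=drop
      when: fw_default_zone.stdout != "drop"

    #
    # Access Control
    #
    # An empty /etc/securetty makes pam_securetty refuse every direct root
    # login — serial ports, virtual consoles and anything else — so the three
    # separate "strip ttyS*/vc*" edits of the original are subsumed.  `copy`
    # is idempotent where `shell: echo >` rewrote the file on every run.
    - name: Deny direct root logins on all consoles
      copy:
        content: ""
        dest: /etc/securetty
        owner: root
        group: root
        mode: "0600"
    - name: Set account expiration following inactivity
      lineinfile:
        path: /etc/default/useradd
        create: true
        regexp: '^#?\s*INACTIVE='
        line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
    # PASS_MIN_LEN in login.defs is not consulted by PAM on RHEL 7; the
    # enforced minimum is the pwquality `minlen` set further down.  It is
    # kept so non-PAM tools and compliance scanners see a consistent value.
    - name: Set password policy in login.defs
      lineinfile:
        path: /etc/login.defs
        create: true
        regexp: '^#?\s*{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
      loop:
        - { key: PASS_MIN_LEN, value: "{{ var_accounts_password_minlen_login_defs }}" }
        - { key: PASS_MIN_DAYS, value: "{{ var_accounts_minimum_age_login_defs }}" }
        - { key: PASS_MAX_DAYS, value: "{{ var_accounts_maximum_age_login_defs }}" }
        - { key: FAIL_DELAY, value: "{{ var_accounts_fail_delay }}" }
    # `follow: true` edits the authconfig-managed target (system-auth-ac)
    # rather than replacing the symlink.
    - name: Prevent login to accounts with an empty password
      replace:
        path: "/etc/pam.d/{{ item }}"
        follow: true
        regexp: '\s*nullok\b'
      loop:
        - system-auth
        - password-auth

    #
    # PAM: pam_faillock
    #
    # Target layout in the auth stack of system-auth and password-auth:
    #   auth required      pam_faillock.so preauth ...   (counter check)
    #   auth sufficient    pam_unix.so ...
    #   auth [default=die] pam_faillock.so authfail ...  (records a failure)
    #   account required   pam_faillock.so
    # The original wrote `deny: 3` (colon and space, ignored by pam_faillock)
    # and used `preauth` on both lines, so failures were never recorded and
    # the lockout never triggered.  These files are authconfig-managed
    # symlinks on CentOS 7; a later `authconfig --update` can revert the
    # edits, so re-run the play after any authconfig change.
    - name: Insert pam_faillock preauth before pam_unix (auth)
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: required
        new_module_path: pam_faillock.so
        module_arguments: "{{ pam_faillock_preauth_args }}"
        state: before
      loop:
        - system-auth
        - password-auth
    - name: Insert pam_faillock authfail after pam_unix (auth)
      pamd:
        name: "{{ item }}"
        type: auth
        control: sufficient
        module_path: pam_unix.so
        new_type: auth
        new_control: '[default=die]'
        new_module_path: pam_faillock.so
        module_arguments: "{{ pam_faillock_authfail_args }}"
        state: after
      loop:
        - system-auth
        - password-auth
    # The insert tasks only add a missing rule; a host that already carries
    # the malformed rules from an earlier run keeps them.  `updated` rewrites
    # the arguments of the existing rule so both cases converge.
    - name: Normalise pam_faillock arguments on existing rules
      pamd:
        name: "{{ item.file }}"
        type: auth
        control: "{{ item.control }}"
        module_path: pam_faillock.so
        module_arguments: "{{ item.args }}"
        state: updated
      loop:
        - { file: system-auth, control: required, args: "{{ pam_faillock_preauth_args }}" }
        - { file: system-auth, control: '[default=die]', args: "{{ pam_faillock_authfail_args }}" }
        - { file: password-auth, control: required, args: "{{ pam_faillock_preauth_args }}" }
        - { file: password-auth, control: '[default=die]', args: "{{ pam_faillock_authfail_args }}" }
      loop_control:
        label: "{{ item.file }} {{ item.control }}"
    - name: Insert pam_faillock before pam_unix (account)
      pamd:
        name: "{{ item }}"
        type: account
        control: required
        module_path: pam_unix.so
        new_type: account
        new_control: required
        new_module_path: pam_faillock.so
        state: before
      loop:
        - system-auth
        - password-auth

    #
    # PAM: password history and quality
    #
    # pam_unix `remember=N` keeps the last N hashes in /etc/security/opasswd.
    # First task: update an existing remember=; second: add it when absent.
    - name: Set password history on an existing remember= option
      replace:
        path: "/etc/pam.d/{{ item }}"
        follow: true
        regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
        replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
      loop:
        - system-auth
        - password-auth
    - name: Add password history when remember= is absent
      replace:
        path: "/etc/pam.d/{{ item }}"
        follow: true
        regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
        replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
      loop:
        - system-auth
        - password-auth
    # Enforced by pam_pwquality, which the stock CentOS 7 password stack
    # already calls.  The original had eight copy-pasted tasks, three of them
    # mis-named "ocredit".
    - name: Set password quality requirements in pwquality.conf
      lineinfile:
        path: /etc/security/pwquality.conf
        create: true
        regexp: '^#?\s*{{ item.key }}\b'
        line: "{{ item.key }} = {{ item.value }}"
      loop:
        - { key: minlen, value: "{{ var_password_pam_minlen }}" }
        - { key: maxclassrepeat, value: "{{ var_password_pam_maxclassrepeat }}" }
        - { key: minclass, value: "{{ var_password_pam_minclass }}" }
        - { key: difok, value: "{{ var_password_pam_difok }}" }
        - { key: dcredit, value: "{{ var_password_pam_dcredit }}" }
        - { key: ucredit, value: "{{ var_password_pam_ucredit }}" }
        - { key: lcredit, value: "{{ var_password_pam_lcredit }}" }
        - { key: ocredit, value: "{{ var_password_pam_ocredit }}" }

    #
    # Protect physical console access / sessions
    #
    - name: Ensure screen is installed
      package:
        name: screen
        state: present
    # A plain `TMOUT=600` can be cleared by the user with `unset TMOUT`;
    # marking it readonly and exporting it makes the timeout stick for the
    # login shell and its children.  The regexp also matches the old
    # `TMOUT=` form so an existing line is upgraded in place.  Only bash/ksh
    # honour TMOUT.
    - name: Set interactive session timeout
      lineinfile:
        path: /etc/profile
        create: true
        regexp: '^#?\s*(readonly\s+|export\s+)?TMOUT='
        line: "readonly TMOUT={{ var_accounts_tmout }}; export TMOUT"
    - name: Limit the number of concurrent login sessions per user
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        insertbefore: "^# End of file"
        regexp: '^#?\*.*maxlogins'
        line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"

    #
    # Auditd
    #
    # auditd re-reads auditd.conf and the audisp plugin configuration only on
    # restart, which the original never did.  The regexps are anchored; the
    # original `^admin_space_left_action*` / `.*flush.*` patterns were loose.
    - name: Configure auditd.conf
      lineinfile:
        path: /etc/audit/auditd.conf
        regexp: '^\s*#?\s*{{ item.key }}\s*='
        line: "{{ item.key }} = {{ item.value }}"
      loop:
        # flush every record to disk (no data loss on crash, at an I/O cost)
        - { key: flush, value: data }
        - { key: admin_space_left_action, value: "{{ var_auditd_admin_space_left_action }}" }
        - { key: space_left_action, value: "{{ var_auditd_space_left_action }}" }
      notify: restart auditd
    - name: Forward audit events to syslog via the audisp syslog plugin
      lineinfile:
        path: /etc/audisp/plugins.d/syslog.conf
        regexp: '^\s*#?\s*active\s*='
        line: "active = yes"
      notify: restart auditd
    # The rule file is written whole so its order is guaranteed (-D first,
    # -e 2 last) and re-runs are idempotent; the original appended lines one
    # at a time.  Syscalls sharing a filter and key are grouped into one rule
    # — the same events are recorded with fewer rules for the kernel to
    # evaluate per syscall.  b32 rules were added where the original only had
    # b64 (delete, network config, mount), and finit_module — the syscall
    # modern modprobe actually uses — next to init_module.
    - name: Write the audit rules
      copy:
        dest: "{{ combined_audit_file }}"
        owner: root
        group: root
        mode: "0640"
        content: |
          ## Managed by Ansible (NIST 800-171 play) — do not edit by hand.
          ## augenrules merges rules.d/*.rules in name order; the stock
          ## audit.rules also carries -b and -f and auditctl keeps the last
          ## value it sees, so confirm `auditctl -s` after a restart.
          -D
          -b 8192
          ## -f 2 panics the kernel if auditing fails.  Deliberate; use 1
          ## (syslog) if availability outranks the audit-failure control.
          -f 2

          ## Kernel module loading and removal
          -w /usr/sbin/insmod -p x -k modules
          -w /usr/sbin/rmmod -p x -k modules
          -w /usr/sbin/modprobe -p x -k modules
          -a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -k modules
          -a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules

          ## Login records
          -w /var/log/lastlog -p wa -k logins
          -w /var/run/faillock/ -p wa -k logins
          -w /var/log/tallylog -p wa -k logins

          ## Time changes
          -w /etc/localtime -p wa -k audit_time_rules
          -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules
          -a always,exit -F arch=b64 -S adjtimex -S settimeofday -F key=audit_time_rules
          -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
          -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

          ## Permission and ownership changes by real users
          ## (auid>=1000 and not the "unset" auid 4294967295 of daemons)
          -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S fsetxattr -S lsetxattr -S removexattr -S fremovexattr -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
          -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S fsetxattr -S lsetxattr -S removexattr -S fremovexattr -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

          ## SELinux management tools
          -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
          -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
          -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
          -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
          -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

          ## File deletion and renaming by real users
          -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
          -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete

          ## Use of privileged (setuid/setgid) commands.  Paths that do not
          ## exist on a given host (e.g. pt_chown, mount.nfs) are harmless.
          -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
          -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

          ## Failed file access (EACCES / EPERM) by real users; the syscall
          ## set is the one the original play chose.
          -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S unlink -S renameat -S fchownat -S lchown -S fsetxattr -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
          -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S unlink -S renameat -S fchownat -S lchown -S fsetxattr -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
          -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S unlink -S renameat -S fchownat -S lchown -S fsetxattr -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
          -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -S unlink -S renameat -S fchownat -S lchown -S fsetxattr -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

          ## sudo configuration
          -w /etc/sudoers -p wa -k actions
          -w /etc/sudoers.d/ -p wa -k actions

          ## Network configuration
          -a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification
          -a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification
          -w /etc/issue -p wa -k audit_rules_networkconfig_modification
          -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
          -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
          -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

          ## Session records
          -w /var/run/utmp -p wa -k session
          -w /var/log/btmp -p wa -k session
          -w /var/log/wtmp -p wa -k session

          ## User and group databases
          -w /etc/passwd -p wa -k audit_rules_usergroup_modification
          -w /etc/group -p wa -k audit_rules_usergroup_modification
          -w /etc/shadow -p wa -k audit_rules_usergroup_modification
          -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
          -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

          ## Mounts by real users
          -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
          -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

          ## SELinux policy
          -w /etc/selinux/ -p wa -k MAC-policy

          ## Lock the configuration: rules are immutable until reboot.
          ## Must stay the last line.
          -e 2
      notify: restart auditd

    #
    # Secure GRUB / FIPS configuration — intentionally left disabled.
    #
    # If you enable it: the lineinfile below *replaces* the whole
    # GRUB_CMDLINE_LINUX, dropping whatever the installer put there (root=,
    # rd.lvm.lv=, console=, ...); read the current value first and append to
    # it.  The original line carried `fips=1` twice (removed here) and
    # `crashkernel=auto` although kdump is disabled above.  /etc/grub2.cfg is
    # the BIOS bootloader config; UEFI hosts use /etc/grub2-efi.cfg.
    # - name: Install dracut-fips
    #   yum:
    #     name: dracut-fips
    #     state: present
    # - name: Grub configuration
    #   lineinfile:
    #     create: true
    #     path: /etc/default/grub
    #     regexp: ^GRUB_CMDLINE_LINUX
    #     line: GRUB_CMDLINE_LINUX="console=tty0 crashkernel=auto console=ttyS0,115200 slub_debug=P page_poison=1 vsyscall=none fips=1 audit=1 audit_backlog_limit=8192"
    # - name: Update initrd and bootloader
    #   shell: |
    #     dracut -f
    #     grub2-mkconfig -o /etc/grub2.cfg

    #
    # /dev/shm mount options
    #
    # ansible_mounts omits tmpfs entries (the source does not start with "/"),
    # so the live mount is read with findmnt, which fails — like the original
    # grep — if /dev/shm is not mounted.  The original appended ",noexec" to
    # the option string on every run; the list union keeps each flag once.
    # nodev and nosuid are added alongside noexec: systemd already mounts
    # /dev/shm with them, so this only pins them in fstab.  Runtime-only
    # flags reported by the kernel (e.g. seclabel) are carried into fstab as
    # the original did.
    - name: Read the current /dev/shm mount (source, fstype, options)
      command: findmnt -n -o SOURCE,FSTYPE,OPTIONS /dev/shm
      register: shm_mount
      changed_when: false
      check_mode: false
    - name: Mount /dev/shm with nodev,nosuid,noexec and persist it in fstab
      vars:
        shm_fields: "{{ shm_mount.stdout.split() }}"
        shm_opts: "{{ shm_fields[2].split(',') }}"
      mount:
        path: /dev/shm
        src: "{{ shm_fields[0] }}"
        fstype: "{{ shm_fields[1] }}"
        opts: "{{ (shm_opts + ['nodev', 'nosuid', 'noexec']) | unique | join(',') }}"
        state: mounted

  handlers:
    # SIGHUP re-reads sshd_config without dropping existing sessions.
    - name: reload sshd
      service:
        name: sshd
        state: reloaded
    # auditd must be restarted through the legacy service script: systemctl
    # refuses to stop it (RefuseManualStop=yes).  The unit's ExecStartPost
    # runs `augenrules --load`, which is refused once -e 2 is in effect — new
    # rules then apply after the next reboot.
    - name: restart auditd
      command: service auditd restart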