Merge pull request #119 from dev-sec/exec_shield

rndmh3ro · web-flow · commit 9fa496f91d35 · 2017-08-07T21:46:42.000+02:00
remove execshield sysctl-parameter on rhel7
diff --git a/.travis.yml b/.travis.yml
@@ -55,7 +55,7 @@ script:
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --skip-tags "sysctl"'
 
    # Verify role
-  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 package-01 package-02 package-03 package-04 package-05 package-06'
+  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 os-10 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -22,7 +22,7 @@ os_chfn_restrict: ''
 # may contain: change_user
 os_security_users_allow: []
 # specify system accounts those login should not be disabled and password not changed
-os_ignore_users: ['vagrant']
+os_ignore_users: ['vagrant', 'kitchen']
 os_security_kernel_enable_module_loading: true
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
@@ -182,9 +182,3 @@ sysctl_config:
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
-
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows | sysctl-33
-  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
-  net.ipv4.tcp_syncookies: 1
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,8 +1,18 @@
 ---
-- name: add the OS specific variables
+- name: Set OS family dependent variables
   include_vars: '{{ ansible_os_family }}.yml'
   tags: always
 
+- name: Set OS dependent variables
+  include_vars: '{{ item }}'
+  with_first_found:
+    - files:
+      - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+      - '{{ ansible_distribution }}.yml'
+      - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
+      skip: true
+  tags: always
+
 - include: limits.yml
   tags: limits
 
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
@@ -51,15 +51,15 @@
     ignoreerrors: yes
   with_dict: '{{ sysctl_config }}'
 
-- name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation
+- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
   sysctl:
     name: '{{ item.key }}'
     value: '{{ item.value }}'
     state: present
     reload: yes
     ignoreerrors: yes
   with_dict: '{{ sysctl_rhel_config }}'
-  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
+  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7'
 
 - name: Apply ufw defaults
   template:
diff --git a/vars/RedHat-6.yml b/vars/RedHat-6.yml
@@ -0,0 +1,6 @@
+---
+sysctl_rhel_config:
+  # ExecShield protection against buffer overflows
+  kernel.exec-shield: 1
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
