add option to disable auditd #192

Merged
merged 1 commit into from
Sep 20, 2018
8 changes: 5 additions & 3 deletions README.md
Expand Up @@ -16,9 +16,10 @@ It configures:
* Shadow password suite configuration
* Configures system path permissions
* Disable core dumps via soft limits
* Restrict Root Logins to System Console
* Restrict root Logins to System Console
* Set SUIDs
* Configures kernel parameters via sysctl
* Install and configure auditd

It will not:

Expand Down Expand Up @@ -61,7 +62,8 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |

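Review bot: the description of the new `os_auditd_enabled` row should say what "disable" means in practice: the flag only skips the auditd tasks, it does not stop or remove an auditd that is already installed on the host, so a reader flipping it to false on an existing system should not expect auditd to go away. Something like "Set to false to skip installing and configuring auditd (an existing auditd is left untouched)." would be clearer. The spacing fix on the `ufw_default_forward_policy` row is fine.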
## Packages

Expand All @@ -86,7 +88,7 @@ We disable the following filesystems, because they're most likely not used:
* "hfsplus"
* "squashfs"
* "udf"
* "vfat"
* "vfat" # only if uefi is not in use

To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.

3 changes: 3 additions & 0 deletions defaults/main.yml
Expand Up @@ -247,3 +247,6 @@ os_filesystem_whitelist: []
# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
os_hardening_enabled: true

# Set to false to disable installing and configuring auditd.
os_auditd_enabled: true
1 change: 1 addition & 0 deletions tasks/hardening.yml
Expand Up @@ -15,6 +15,7 @@

- import_tasks: auditd.yml
tags: auditd
when: os_auditd_enabled

- import_tasks: limits.yml
tags: limits
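Review bot: `when: os_auditd_enabled` on an `import_tasks` is inherited by every task in auditd.yml rather than skipping the import once, so each auditd task will show up as skipped in the run output; that works, but if the intent is to skip the whole file, `include_tasks` with the same `when` does that in one step (at the cost of tag handling differences). Also consider `when: os_auditd_enabled | bool` so that a value passed as the string "false" from the command line is treated as intended rather than relying on implicit string coercion.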
2 changes: 1 addition & 1 deletion tasks/profile.yml
Expand Up @@ -7,7 +7,7 @@
group: 'root'
mode: '0750'
when: not os_security_kernel_enable_core_dump

- name: remove pinerolo_profile.sh from profile.d
file:
path: /etc/profile.d/pinerolo_profile.sh
2 changes: 2 additions & 0 deletions tests/test.yml
Expand Up @@ -62,6 +62,8 @@

- name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost
vars:
- os_auditd_enabled: false
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
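Review bot: setting `os_auditd_enabled: false` in the kitchen wrapper playbook means the test run no longer exercises the auditd tasks at all, so a regression in auditd.yml would not be caught and any inspec checks that expect auditd to be present and configured will now fail or need to be removed; suggest keeping one suite with the default (true) and adding a separate suite for the disabled case. Minor style point: `vars:` is written as a list (`- os_auditd_enabled: false`); the mapping form `vars:` / `os_auditd_enabled: false` is the idiomatic one.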