Ansible
TEMPLATE
ansible_instantiate_variables
Pass strings that correspond to XCCDF value names as arguments to this macro: ansible_instantiate_variables("varname1", "varname2"). The task that follows can then reference each variable by name, e.g. value: "Setting={{ varname1 }}".
ansible_instantiate_variables()
TEMPLATE
ansible_lineinfile
A wrapper over the Ansible lineinfile module that handles the most common options. regex is optional; when blank it is not included in the generated task, which allows arbitrary additions to files. new_line is only passed when state is present. with_items is specified only if non-empty, allowing iteration over a variable of content (with the appropriate macro-based path). register is specified only if non-empty, allowing the output of the lineinfile module to be saved.
Note that all string-like parameters are single quoted in the generated YAML.
ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='')
TEMPLATE
ansible_stat
Check the file system status of an object. Not a full implementation of the Ansible stat module.
ansible_stat(msg='', path='', register='')
TEMPLATE
ansible_find
Find files matching a particular value. Not a full implementation of the Ansible find module.
ansible_find(msg='', paths='', recurse='yes', follow='no', contains='', register='', when='')
TEMPLATE
ansible_only_lineinfile
A wrapper for adding one unique line to a file. A regex must be specified so that the lines which count as the same setting can be identified. This is helpful in configuration files where a single configuration parameter might have multiple values, but only one value is approved. All lines matching the regex are first removed and then the new line is appended to the file.
ansible_only_lineinfile(msg, path, line_regex, new_line, create='no', block=False, validate='', insert_after='', insert_before='')
TEMPLATE
ansible_set_config_file
Ensure the configuration is set in a file. Note this handles generic key-separator-value files with no sense of structure. In particular, ini configuration files are best served with the Ansible ini_file module instead of lineinfile-based solutions.
ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='')
TEMPLATE
ansible_set_config_file_dir
Ensure the configuration is set in a file and not overridden by a conflicting setting in a configuration directory. Note this handles generic key-separator-value files with no sense of structure. In particular, ini configuration files are best served with the Ansible ini_file module instead of lineinfile-based solutions.
ansible_set_config_file_dir(msg, config_file, config_dir, set_file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='')
TEMPLATE
ansible_sshd_set
High level macro to set a value in the ssh daemon configuration file. This takes three values: msg (the name for the Ansible task), parameter (the keyword to set in the configuration file), and value (the value to set it to). The prefix regex used for deduplication is case-insensitive because sshd_config keywords are case-insensitive (although their values are case-sensitive). The macro also specifies the validation program: sshd is run with -t to test the configuration and -f so that Ansible can pass the file at its temporary path.
ansible_sshd_set(msg='', parameter='', value='')
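The remove-then-append semantics of ansible_only_lineinfile, the prefix/parameter/separator regex that ansible_set_config_file builds from its parameters, and the reason ansible_sshd_set needs a case-insensitive prefix are easier to see on a concrete file. The following Python is an added illustration written for this page; it is not the project's Jinja macro code and does not render Ansible YAML. It emulates the documented line-editing behaviour in memory on a constructed sshd_config, and it also models the sshd rule that the first value read for a keyword wins, which is why a stray case-variant duplicate earlier in the file is a security problem. The sshd -t -f validation step mentioned above is not emulated.

```python
import re
from typing import Optional

# Constructed sample sshd_config, not taken from any real host.
# A stray lower-case duplicate precedes the hardened directive.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
permitrootlogin yes
X11Forwarding yes
PermitRootLogin no
"""


def only_lineinfile(text: str, line_regex: str, new_line: str) -> str:
    """Emulate the documented ansible_only_lineinfile behaviour: remove every
    line matching line_regex, then append new_line once at the end."""
    kept = [line for line in text.splitlines() if not re.search(line_regex, line)]
    kept.append(new_line)
    return "\n".join(kept) + "\n"


def set_config_file(text: str, parameter: str, value: str, separator: str = " ",
                    separator_regex: str = r"\s+", prefix_regex: str = r"^\s*") -> str:
    """Emulate ansible_set_config_file for a flat key-separator-value file.
    The dedup regex is assembled from the macro's documented parameters:
    prefix_regex + parameter + separator_regex."""
    line_regex = prefix_regex + re.escape(parameter) + separator_regex
    return only_lineinfile(text, line_regex, f"{parameter}{separator}{value}")


def sshd_set(text: str, parameter: str, value: str) -> str:
    """Emulate ansible_sshd_set: set_config_file with a case-insensitive prefix,
    because sshd_config keywords are case-insensitive. The sshd -t -f
    validation the page mentions is not emulated (assumption: in-memory only)."""
    return set_config_file(text, parameter, value, prefix_regex=r"(?i)^\s*")


def sshd_effective_value(text: str, parameter: str) -> Optional[str]:
    """sshd honours the FIRST value it reads for a keyword and ignores later
    duplicates, so an earlier stray directive silently wins."""
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9]+)\s+(.*\S)\s*$", line)
        if m and m.group(1).lower() == parameter.lower():
            return m.group(2)
    return None


if __name__ == "__main__":
    print("before:", sshd_effective_value(SAMPLE_SSHD_CONFIG, "PermitRootLogin"))
    naive = set_config_file(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "no")
    print("case-sensitive dedup:", sshd_effective_value(naive, "PermitRootLogin"))
    hardened = sshd_set(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "no")
    print("case-insensitive dedup:", sshd_effective_value(hardened, "PermitRootLogin"))
```

With the case-sensitive prefix the lower-case duplicate survives and sshd still permits root login; with the case-insensitive prefix both spellings are removed before the approved line is appended, and a second run is a no-op. The same `(?i)` inline flag works in Ansible's lineinfile regexp, which is evaluated with Python's re module.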
TEMPLATE
ansible_shell_set
High level macro to set a value in a shell-related file that contains variable assignments. Parameters:
- msg: the name for the Ansible task
- path: path to the file
- parameter: the variable to set in the configuration file
- value: the value to set it to
The validation program is also specified here; see bash -c "help set" | grep -e -n
ansible_shell_set(msg, path, parameter, value='', no_quotes=false)
TEMPLATE
ansible_tmux_set
High level macro to set a command in the tmux configuration file /etc/tmux.conf. Parameters:
- msg: the name for the Ansible task
- parameter: parameter to be set in the configuration file
- value: value of the parameter
Automatically adds "set -g " before the parameter.
ansible_tmux_set(msg='', parameter='', value='')
TEMPLATE
ansible_etc_profile_set
High level macro to set a value in /etc/profile (and /etc/profile.d) bash files. Note this is only suitable for calling a single command once with the correct arguments and not for calling the same command multiple times with different arguments. This includes setting an environment variable once.
ansible_etc_profile_set(msg='', parameter='', value='')
TEMPLATE
ansible_auditd_set
High level macro to set a parameter in the auditd configuration file /etc/audit/auditd.conf. Parameters:
- msg: the name for the Ansible task
- parameter: parameter to be set in the configuration file
- value: value of the parameter
ansible_auditd_set(msg='', parameter='', value='')
TEMPLATE
ansible_coredump_config_set
High level macro to set a parameter in /etc/systemd/coredump.conf. Parameters:
- msg: the name for the Ansible task
- parameter: parameter to be set in the configuration file
- value: value of the parameter
ansible_coredump_config_set(msg='', parameter='', value='')
TEMPLATE
ansible_selinux_config_set
High level macro to set a parameter in /etc/selinux/config. Parameters:
- msg: the name for the Ansible task
- parameter: parameter to be set in the configuration file
- value: value of the parameter
ansible_selinux_config_set(msg='', parameter='', value='')
TEMPLATE
ansible_file_contents
Generates an Ansible task that puts 'contents' into a file at 'filepath'. Parameters:
- filepath: path of the file to check
- contents: contents that should be in the file
ansible_file_contents(filepath='', contents='')
TEMPLATE
ansible_deregexify_banner_etc_issue
Formats a banner regex for use in /etc/issue. Parameters:
- banner_var_name: name of the Ansible variable holding the banner regex
ansible_deregexify_banner_etc_issue(banner_var_name)
TEMPLATE
ansible_deregexify_banner_dconf_gnome
Formats a banner regex for use in dconf. Parameters:
- banner_var_name: name of the Ansible variable holding the banner regex
ansible_deregexify_banner_dconf_gnome(banner_var_name)
TEMPLATE
ansible_deregexify_banner_anchors
Strips the anchors around the banner.
ansible_deregexify_banner_anchors()
TEMPLATE
ansible_deregexify_multiple_banners
Strips the multi-banner regex and keeps only the first banner.
ansible_deregexify_multiple_banners()
TEMPLATE
ansible_deregexify_banner_space
Strips the whitespace-or-newline regex.
ansible_deregexify_banner_space()
TEMPLATE
ansible_deregexify_banner_newline
Strips the newline-or-newline-escape-sequence regex.
ansible_deregexify_banner_newline(newline)
TEMPLATE
ansible_deregexify_banner_newline_token
Strips the newline token used for a newline escape sequence regex.
ansible_deregexify_banner_newline_token()
TEMPLATE
ansible_deregexify_banner_backslash
Strips the backslash regex.
ansible_deregexify_banner_backslash()
TEMPLATE
ansible_audit_augenrules_add_watch_rule
The following macro remediates one audit watch rule in the /etc/audit/rules.d directory. The macro requires the following parameters:
- path: path to watch
- permissions: permission changes to watch for
- key: key to use as identifier
Note that if any other rule with the same key already exists in some file within /etc/audit/rules.d/, the new rule is appended to that file.
ansible_audit_augenrules_add_watch_rule(path='', permissions='', key='')
TEMPLATE
ansible_audit_auditctl_add_watch_rule
The following macro remediates one audit watch rule in /etc/audit/audit.rules. The macro requires the following parameters:
- path: path to watch
- permissions: permission changes to watch for
- key: key to use as identifier
ansible_audit_auditctl_add_watch_rule(path='', permissions='', key='')
TEMPLATE
ansible_audit_augenrules_add_syscall_rule
The following macro remediates an audit syscall rule in the /etc/audit/rules.d directory. The macro requires the following parameters:
- arch: the architecture to be used in the audit rule (b32 or b64)
- syscalls: the syscalls, supplied as a list ["syscall1", "syscall2"]
- key: the key to use as the rule identifier
- fields (optional): list of syscall fields to add (e.g. auid=unset, exit=-EPERM, a0&0100); add them in the order you expect them to appear in the audit rule
Note that if a rule with the same key already exists in the /etc/audit/rules.d directory, the new rule is placed in the same file.
ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[])
TEMPLATE
ansible_audit_auditctl_add_syscall_rule
The following macro remediates an audit syscall rule in the /etc/audit/audit.rules file. The macro requires the following parameters:
- arch: the architecture to be used in the audit rule (b32 or b64)
- syscalls: the syscalls, supplied as a list ["syscall1", "syscall2"]
- key: the key to use as the rule identifier
- fields (optional): list of syscall fields to add (e.g. auid=unset, exit=-EPERM, a0&0100); add them in the order you expect them to appear in the audit rule
ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[])
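The four audit macros above share two ideas: the rule is composed from arch, syscalls, key and ordered fields (or path, permissions and key for a watch), and the augenrules variants place a rule next to any existing rule that carries the same key. The following Python is an added example written for this page, not the project's macro code: it composes rules in standard auditctl syntax and models the same-key placement over a constructed in-memory picture of /etc/audit/rules.d. The exact text the macros render, and the file name they use when no rule with that key exists yet, are not shown on this page, so the output format is the assumed auditctl form and the fallback file name is a caller-supplied parameter.

```python
import re
from typing import Dict, Sequence

# Constructed /etc/audit/rules.d contents (file name -> text); not from a real host.
RULES_D: Dict[str, str] = {
    "10-base-config.rules": "-D\n-b 8192\n",
    "30-access.rules": "-a always,exit -F arch=b64 -S openat -F exit=-EACCES "
                       "-F auid>=1000 -F auid!=unset -F key=access\n",
}

# Both spellings of the key field that auditctl accepts.
_KEY_FIELD = r"(?:-k\s+|-F\s+key=)"


def build_syscall_rule(arch: str, syscalls: Sequence[str], key: str,
                       fields: Sequence[str] = ()) -> str:
    """Compose an audit syscall rule in auditctl syntax (assumed output format).
    Extra fields are emitted in the order given, as the page requires."""
    if arch not in ("b32", "b64"):
        raise ValueError("arch must be b32 or b64")
    if not syscalls:
        raise ValueError("at least one syscall is required")
    parts = ["-a", "always,exit", "-F", f"arch={arch}", "-S", ",".join(syscalls)]
    for field in fields:
        parts += ["-F", field]
    parts += ["-F", f"key={key}"]
    return " ".join(parts)


def build_watch_rule(path: str, permissions: str, key: str) -> str:
    """Compose an audit watch rule: -w <path> -p <perms> -k <key>."""
    if not permissions or not set(permissions) <= set("rwxa"):
        raise ValueError("permissions must be a non-empty subset of r, w, x, a")
    return f"-w {path} -p {permissions} -k {key}"


def choose_rules_file(rules_d: Dict[str, str], key: str, default_name: str) -> str:
    """Return the rules.d file that already holds a rule with this key so that
    related rules stay together; otherwise fall back to default_name
    (assumption: the real macro's fallback name is not given on the page)."""
    pattern = re.compile(_KEY_FIELD + re.escape(key) + r"(?:\s|$)")
    for name in sorted(rules_d):
        if any(pattern.search(line) for line in rules_d[name].splitlines()):
            return name
    return default_name


def add_rule(rules_d: Dict[str, str], rule: str, key: str, default_name: str) -> Dict[str, str]:
    """Append the rule to the chosen file unless an identical line is already
    there (idempotent). Returns a new mapping and leaves the input untouched."""
    updated = dict(rules_d)
    name = choose_rules_file(updated, key, default_name)
    current = updated.get(name, "")
    if rule in current.splitlines():
        return updated
    if current and not current.endswith("\n"):
        current += "\n"
    updated[name] = current + rule + "\n"
    return updated


if __name__ == "__main__":
    rule = build_syscall_rule("b32", ["openat", "open"], "access",
                              ["exit=-EPERM", "auid>=1000", "auid!=unset"])
    after = add_rule(RULES_D, rule, "access", "50-new.rules")
    for name, text in sorted(after.items()):
        print(f"== {name}\n{text}", end="")
```

The b32 rule lands in 30-access.rules because that file already carries a key=access rule, while a watch rule keyed identity would go to the fallback file; re-adding the same rule changes nothing. Keeping rules with one key in one file matters operationally because augenrules concatenates rules.d and a mis-ordered duplicate would otherwise be easy to miss in review.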