Ansible
- TEMPLATE ansible_instantiate_variables
Pass strings that correspond to XCCDF value names as arguments to this macro: ansible_instantiate_variables("varname1", "varname2")
Then, assume that the task that follows can work with the variable by referencing it, e.g. value: Setting={{ varname1 }}
ansible_instantiate_variables()
- TEMPLATE ansible_lineinfile
A wrapper over the Ansible lineinfile module. This handles the most common options for us. regex is optional and when blank, it won’t be included in the Ansible script; this allows arbitrary additions to files. new_line will only be passed when state is present. with_items will be specified only if non-empty, allowing for iterating through a variable of content (with the appropriate macro-based path). register will be specified only if non-empty, allowing for saving the output of this lineinfile module. check_mode allows an idempotent way to gather output, or run a task without changes. Useful when calling the ansible_only_lineinfile macro to handle deduplication of values.
Note that all string-like parameters are single quoted in the YAML.
ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False)
- TEMPLATE ansible_stat
Check the file system status of an object. Not a full implementation.
- Parameters
msg (str) – Optional task title
path (str) – Path to file
register (str) – variable to register
ansible_stat(msg='', path='', register='')
- TEMPLATE ansible_find
Find files matching a particular value. Not a full implementation.
ansible_find(msg='', paths='', recurse='yes', follow='no', contains='', register='', when='')
- TEMPLATE ansible_only_lineinfile
A wrapper for adding one, unique line to a file. A regex must be specified to tell if the line is unique. This is helpful in configuration files where a single configuration parameter might have multiple values, but only one value is approved. All lines matching the regex are first removed and then the new line is appended to the file.
ansible_only_lineinfile(msg, path, line_regex, new_line, create='no', block=False, validate='', insert_after='', insert_before='')
- TEMPLATE ansible_set_config_file
Ensure the configuration is set in a file. Note this handles generic key-separator-value files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions.
ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False)
- TEMPLATE ansible_set_config_file_dir
Ensure the configuration is set in a file and not conflicted by a configuration in a directory. Note this handles generic key-separator-value files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions.
ansible_set_config_file_dir(msg, config_file, config_dir, set_file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='')
- TEMPLATE ansible_sshd_set
High level macro to set a value in the ssh daemon configuration file. The prefix uses a case-insensitive comparison because it is used to deduplicate existing entries, and sshd_config has case-insensitive parameters (but case-sensitive values). We also specify the validation program here; -t specifies test mode and -f allows Ansible to pass a file at a different path.
Sets a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/
- Parameters
msg (str) – Message to be set as Task Title, if not set the rule’s title will be used instead
parameter (str) – Parameter to set
value (str) – The value to set
config_is_distributed (str) – If true, will also look in /etc/ssh/sshd_config.d
config_basename (str) – Filename of configuration file when using distributed configuration
ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="00-complianceascode-hardening.conf")
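As an added illustration (not code from the ComplianceAsCode project), the Python below emulates the remove-all-matching-lines-then-append behaviour that ansible_only_lineinfile, ansible_set_config_file and ansible_sshd_set share, including the case-insensitive keyword match that sshd_config needs and a key=value variant for /etc/selinux/config. The meaning of escape_regex and the sample files are assumptions.

```python
import re

def set_config_value(text, parameter, value, separator=" ", separator_regex=r"\s+",
                     prefix_regex=r"^\s*", escape_regex=False, ignore_case=False):
    """Drop every line matching prefix_regex + parameter + separator_regex, then
    append exactly one 'parameter<separator>value' line. Commented-out lines do
    not match the default prefix and are left alone. Assumption (not stated on
    the page): escape_regex means the parameter is literal text, not a regex."""
    param_re = re.escape(parameter) if escape_regex else parameter
    line_re = re.compile(prefix_regex + param_re + separator_regex,
                         re.IGNORECASE if ignore_case else 0)
    kept = [ln for ln in text.splitlines() if not line_re.match(ln)]
    kept.append(f"{parameter}{separator}{value}")
    return "\n".join(kept) + "\n"

def sshd_set(text, parameter, value):
    """sshd_config keywords are case-insensitive, so the dedup match must be too;
    the value is written exactly as given (values are case-sensitive)."""
    return set_config_value(text, parameter, value, ignore_case=True)

def selinux_config_set(text, parameter, value):
    """/etc/selinux/config is key=value, so separator and its regex change."""
    return set_config_value(text, parameter, value, separator="=",
                            separator_regex=r"\s*=\s*", escape_regex=True)

# Constructed sample files (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
permitrootlogin yes
PermitRootLogin without-password
#PermitRootLogin prohibit-password
X11Forwarding no
"""

SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX = permissive
SELINUXTYPE=targeted
"""

def active_lines(text, parameter):
    """Uncommented lines that set `parameter` (case-insensitive); verifies dedup."""
    rx = re.compile(r"^\s*" + re.escape(parameter) + r"\b", re.IGNORECASE)
    return [ln for ln in text.splitlines() if rx.match(ln)]

if __name__ == "__main__":
    print(sshd_set(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "no"))
    print(selinux_config_set(SAMPLE_SELINUX_CONFIG, "SELINUX", "enforcing"))
```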
- TEMPLATE ansible_shell_set
High level macro to set a value in a shell-related file that contains var assignments.
We also specify the validation program here; see bash -c "help set" | grep -e -n
- Parameters
msg (str) – The name for the Ansible task
path (str) – Path to the file
parameter (str) – Parameter to be set in the configuration file
value (str) – value of the parameter
ansible_shell_set(msg, path, parameter, value='', no_quotes=false)
- TEMPLATE ansible_tmux_set
High level macro to set a command in the tmux configuration file /etc/tmux.conf. Automatically adds "set -g " before the parameter.
- Parameters
msg (str) – The name for the Ansible task
parameter (str) – Parameter to be set in the configuration file
value (str) – Value of the parameter
ansible_tmux_set(msg='', parameter='', value='')
- TEMPLATE ansible_etc_profile_set
High level macro to set a value in /etc/profile (and /etc/profile.d) bash files. Note this is only suitable for calling a single command once with the correct arguments and not for calling the same command multiple times with different arguments. This includes setting an environment variable once.
ansible_etc_profile_set(msg='', parameter='', value='')
- TEMPLATE ansible_auditd_set
High level macro to set a command in auditd configuration file /etc/audit/auditd.conf.
- Parameters
msg (str) – The name for the Ansible task
parameter (str) – Parameter to be set in the configuration file
value (str) – Value of the parameter
ansible_auditd_set(msg='', parameter='', value='')
- TEMPLATE ansible_coredump_config_set
High level macro to set a parameter in /etc/systemd/coredump.conf.
- Parameters
msg (str) – The name for the Ansible task
parameter (str) – Parameter to be set in the configuration file
value (str) – Value of the parameter
ansible_coredump_config_set(msg='', parameter='', value='')
- TEMPLATE ansible_selinux_config_set
High level macro to set a parameter in /etc/selinux/config.
- Parameters
msg (str) – The name for the Ansible task
parameter (str) – Parameter to be set in the configuration file
value (str) – Value of the parameter
ansible_selinux_config_set(msg='', parameter='', value='')
- TEMPLATE ansible_file_contents
Generates an Ansible task that puts 'contents' into a file at 'filepath'
- Parameters
filepath (str) – filepath of the file to check
contents (str) – contents that should be in the file
ansible_file_contents(filepath='', contents='')
- TEMPLATE ansible_deregexify_banner_etc_issue
Formats a banner regex for use in /etc/issue
- Parameters
banner_var_name (str) – name of ansible variable with the banner regex
ansible_deregexify_banner_etc_issue(banner_var_name)
- TEMPLATE ansible_deregexify_banner_dconf_gnome
Formats a banner regex for use in dconf
- Parameters
banner_var_name (str) – name of ansible variable with the banner regex
ansible_deregexify_banner_dconf_gnome(banner_var_name)
- TEMPLATE ansible_deregexify_banner_anchors
Strips anchors around the banner
ansible_deregexify_banner_anchors()
- TEMPLATE ansible_deregexify_multiple_banners
Strips multibanner regex and keeps only the first banner
ansible_deregexify_multiple_banners()
- TEMPLATE ansible_deregexify_banner_space
Strips whitespace or newline regex
ansible_deregexify_banner_space()
- TEMPLATE ansible_deregexify_banner_newline
Strips newline or newline escape sequence regex
ansible_deregexify_banner_newline(newline)
- TEMPLATE ansible_deregexify_banner_newline_token
Strips newline token for a newline escape sequence regex
ansible_deregexify_banner_newline_token()
- TEMPLATE ansible_deregexify_banner_backslash
Strips backslash regex
ansible_deregexify_banner_backslash()
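The deregexify macros above turn a banner regex (as stored in an XCCDF value for checking) back into the literal text to write into /etc/issue or dconf. As an added example, not the project's own Jinja filters, the Python below models the anchor, multiple-banner, whitespace and backslash steps on a constructed banner regex; the exact replacement patterns and the newline handling (ansible_deregexify_banner_newline and friends are not modelled) are assumptions.

```python
import re

# Constructed sample in the style of a banner regex value: two alternatives,
# [\s\n]+ between words, and escaped punctuation and parentheses.
BANNER_REGEX = (r"^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government"
                r"[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System|"
                r"I've[\s\n]+read[\s\n]+the[\s\n]+terms\.)$")

def strip_anchors(rx):
    """Drop the leading ^ and trailing $ (ansible_deregexify_banner_anchors)."""
    return re.sub(r"^\^(.*)\$$", r"\1", rx, flags=re.DOTALL)

def keep_first_banner(rx):
    """If the regex is one top-level (a|b|...) alternation, keep only `a`
    (ansible_deregexify_multiple_banners). Escaped parentheses such as \\( are
    literal banner text and do not open a group, so they are skipped."""
    if not (rx.startswith("(") and rx.endswith(")")):
        return rx
    body, depth, i = rx[1:-1], 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:               # outer parens are not one single group
                return rx
        elif ch == "|" and depth == 0:
            return body[:i]
        i += 1
    return body

def strip_space(rx):
    """Turn the [\\s\\n]+ word separator into one space (ansible_deregexify_banner_space)."""
    return re.sub(r"\[\\s\\n\]\+", " ", rx)

def strip_backslash(rx):
    """Remove the escaping backslash before literal punctuation (ansible_deregexify_banner_backslash)."""
    return re.sub(r"\\(.)", r"\1", rx)

def deregexify_banner(rx):
    """Apply the steps in the order the /etc/issue macro is assumed to use them."""
    return strip_backslash(strip_space(keep_first_banner(strip_anchors(rx))))
```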
- TEMPLATE ansible_audit_augenrules_add_watch_rule
The following macro remediates one audit watch rule in the /etc/audit/rules.d directory.
- Parameters
path (str) – path to watch
permissions (str) – permissions changes to watch for
key (str) – key to use as identifier. Note that if there exists any other rule with the same find_mac_key in some file within /etc/audit/rules.d/, the new rule will be appended to this file.
ansible_audit_augenrules_add_watch_rule(path='', permissions='', key='')
- TEMPLATE ansible_audit_auditctl_add_watch_rule
The following macro remediates one audit watch rule in /etc/audit/audit.rules.
- Parameters
path (str) – Path to watch
permissions (str) – Permissions changes to watch for
key (str) – Key to use as identifier
ansible_audit_auditctl_add_watch_rule(path='', permissions='', key='')
- TEMPLATE ansible_audit_augenrules_add_syscall_rule
The following macro remediates an audit syscall rule in the /etc/audit/rules.d directory. The macro requires the following parameters:
- Parameters
action_arch_filters – The action and arch filters of the rule. For example, "-a always,exit -F arch=b64"
other_filters – Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd"
auid_filters – The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset"
syscalls – List of syscalls to ensure presence among audit rules. For example, "['fchown', 'lchown', 'fchownat']"
syscall_groupings – List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']"
key – The key to use when appending a new rule
ansible_audit_augenrules_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[])
- TEMPLATE ansible_audit_auditctl_add_syscall_rule
The following macro remediates an audit syscall rule in the /etc/audit/audit.rules file.
- Parameters
action_arch_filters – The action and arch filters of the rule. For example, "-a always,exit -F arch=b64"
other_filters – Other filters that may characterize the rule. For example, "-F a2&03 -F path=/etc/passwd"
auid_filters – The auid filters of the rule. For example, "-F auid>=1000 -F auid!=unset"
syscalls – List of syscalls to ensure presence among audit rules. For example, "['fchown', 'lchown', 'fchownat']"
syscall_groupings – List of other syscalls that can be grouped with 'syscalls'. For example, "['fchown', 'lchown', 'fchownat']"
key – The key to use when appending a new rule
ansible_audit_auditctl_add_syscall_rule(action_arch_filters="", other_filters="", auid_filters="", syscalls=[], key="", syscall_grouping=[])
- TEMPLATE ansible_pkg_conditional
This macro creates an Ansible snippet which is used in a when clause to determine the applicability of a task. If the package passed as a parameter is installed, the task is applicable. The macro respects the platform_package_overrides variable.
ansible_pkg_conditional(package)
- TEMPLATE ansible_pam_faillock_enable
This macro ensures the pam_faillock.so PAM module is enabled. It is enabled using the authselect tool, or by editing the PAM files only if the authselect tool is not available.
ansible_pam_faillock_enable()
- TEMPLATE ansible_pam_faillock_parameter_value
This macro makes sure the given parameter of the pam_faillock.so PAM module is properly set.
- param parameter
The pam_faillock.so parameter name.
- param faillock_var_name
If the parameter expects a value from a variable, the variable name is given here.
ansible_pam_faillock_parameter_value(parameter, faillock_var_name='')
- TEMPLATE ansible_grub2_bootloader_argument
Macro for Ansible remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template.
- Parameters
arg_name – Kernel command line argument
arg_name_value – Kernel command line argument concatenated with the value of this argument using an equal sign, e.g. "noexec=off".
ansible_grub2_bootloader_argument(arg_name, arg_name_value)
- TEMPLATE ansible_grub2_bootloader_argument_absent
Macro for Ansible remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template.
- Parameters
arg_name – Name of the kernel command line argument that will be removed from GRUB 2 configuration.
ansible_grub2_bootloader_argument_absent(arg_name)
- TEMPLATE ansible_restrict_permissions_home_directories
Macro to restrict permissions in home directories of interactive users
ansible_restrict_permissions_home_directories(recursive=false)