Ansible

TEMPLATE ansible_instantiate_variables

Pass strings that correspond to XCCDF value names as arguments to this macro: ansible_instantiate_variables(“varname1”, “varname2”)

Then, assume that the task that follows can work with the variable by referencing it, e.g. value: Setting={{ varname1 }}

ansible_instantiate_variables()

TEMPLATE ansible_lineinfile

A wrapper over the Ansible lineinfile module. This handles the most common options for us. regex is optional and when blank, it won’t be included in the Ansible script; this allows arbitrary additions to files. new_line will only be passed when state is present. with_items will be specified only if non-empty, allowing for iterating through a variable of content (with the appropriate macro-based path). register will be specified only if non-empty, allowing for saving the output of this lineinfile module. check_mode allows an idempotent way to gather output, or run a task without changes. Useful when calling the ansible_only_lineinfile macro to handle deduplication of values.

Note that all string-like parameters are single quoted in the YAML.

ansible_lineinfile(msg=’’, path=’’, regex=’’, new_line=’’, create=’no’, state=’present’, with_items=’’, register=’’, when=’’, validate=’’, insert_after=’’, insert_before=’’, check_mode=False)

TEMPLATE ansible_stat

Check the file system status of an object. Not a full implementation.

Parameters

  • msg (str) – Optional task title

  • path (str) – Path to file

  • register (str) – variable to register

ansible_stat(msg=’’, path=’’, register=’’)

TEMPLATE ansible_find

Find files matching a particular value. Not a full implementation.

ansible_find(msg=’’, paths=’’, recurse=’yes’, follow=’no’, contains=’’, register=’’, when=’’)

TEMPLATE ansible_only_lineinfile

A wrapper for adding one, unique line to a file. A regex must be specified to tell if the line is unique. This is helpful in configuration files where a single configuration parameter might have multiple values, but only one value is approved. All lines matching the regex are first removed and then the new line is appended to the file.

ansible_only_lineinfile(msg, path, line_regex, new_line, create=’no’, block=False, validate=’’, insert_after=’’, insert_before=’’)

TEMPLATE ansible_set_config_file

Ensure the configuration is set in a file. Note this handles generic key-seperator-value files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions.

ansible_set_config_file(msg, file, parameter, separator=’ ‘, separator_regex=’s+’, value=’’, prefix_regex=’^s*’, create=’no’, validate=’’, insert_after=’’, insert_before=’’, escape_regex=False)

TEMPLATE ansible_set_config_file_dir

Ensure the configuration is set in a file and not conflicted by a configuration in a directory. Note this handles generic key-separator-value files with no sense of structure. In particular, ini configuration files are best served with the ini Ansible module instead of lineinfile-based solutions.

ansible_set_config_file_dir(msg, config_file, config_dir, set_file, parameter, separator=’ ‘, separator_regex=’s+’, value=’’, prefix_regex=’^s*’, create=’no’, validate=’’, insert_after=’’, insert_before=’’)

TEMPLATE ansible_sshd_set

High level macro to set a value in the ssh daemon configuration file. We specify a case insensitive comparison in the prefix since this is used to deduplicate since sshd_config has case-insensitive parameters (but case-sensitive values). We also specify the validation program here; -t specifies test and -f allows Ansible to pass a file at a different path.

Set set a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/

Parameters

  • msg (str) – Message to be set as Task Title, if not set the rule’s title will be used instead

  • parameter (str) – Parameter to set

  • value (str) – The value to set

  • config_is_distributed (str) – If true, will ok look in /etc/ssh/sshd_config.d

  • config_basename (str) – Filename of configuration file when using distributed configuration

ansible_sshd_set(msg=’’, parameter=’’, value=’’, config_is_distributed=”false”, config_basename=”00-complianceascode-hardening.conf”)

TEMPLATE ansible_shell_set

High level macro to set a value in a shell-related file that contains var assignments.

We also specify the validation program here; see

bash -c “help set” | grep -e -n

Parameters

  • msg (str) – The name for the Ansible task

  • path (str) – to the file

  • parameter (str) – Parameter to be set in the configuration file

  • value (str) – value of the parameter

ansible_shell_set(msg, path, parameter, value=’’, no_quotes=false)

TEMPLATE ansible_tmux_set

High level macro to set a command in tmux configuration file /etc/tmux.conf. Automatically adds “set -g ” before the parameter.

Parameters

  • msg (str) – The name for the Ansible task

  • parameter (str) – Parameter to be set in the configuration file

  • value (str) – Value of the parameter

ansible_tmux_set(msg=’’, parameter=’’, value=’’)

TEMPLATE ansible_etc_profile_set

High level macro to set a value in /etc/profile (and /etc/profile.d) bash files. Note this is only suitable for calling a single command once with the correct arguments and not for calling the same command multiple times with different arguments. This includes setting an environment variable once.

ansible_etc_profile_set(msg=’’, parameter=’’, value=’’)

TEMPLATE ansible_auditd_set

High level macro to set a command in auditd configuration file /etc/audit/auditd.conf.

Parameters

  • msg (str) – The name for the Ansible task

  • parameter (str) – Parameter to be set in the configuration file

  • value (str) – Value of the parameter

ansible_auditd_set(msg=’’, parameter=’’, value=’’)

TEMPLATE ansible_coredump_config_set

High level macro to set a parameter in /etc/systemd/coredump.conf.

Parameters

  • msg (str) – The name for the Ansible task

  • parameter (str) – Parameter to be set in the configuration file

  • value (str) – Value of the parameter

ansible_coredump_config_set(msg=’’, parameter=’’, value=’’)

TEMPLATE ansible_selinux_config_set

High level macro to set a parameter in /etc/selinux/config.

Parameters

  • msg (str) – The name for the Ansible task

  • parameter (str) – Parameter to be set in the configuration file

  • value (str) – Value of the parameter

ansible_selinux_config_set(msg=’’, parameter=’’, value=’’)

TEMPLATE ansible_file_contents

Generates an Ansible task that puts ‘contents’ into a file at ‘filepath’

Parameters

  • filepath (str) – filepath of the file to check

  • contents (str) – contents that should be in the file

ansible_file_contents(filepath=’’, contents=’’)

TEMPLATE ansible_deregexify_banner_etc_issue

Formats a banner regex for use in /etc/issue

Parameters

  • banner_var_name (str) – name of ansible variable with the banner regex

ansible_deregexify_banner_etc_issue(banner_var_name)

TEMPLATE ansible_deregexify_banner_dconf_gnome

Formats a banner regex for use in dconf

Parameters

  • banner_var_name (str) – name of ansible variable with the banner regex

ansible_deregexify_banner_dconf_gnome(banner_var_name)

TEMPLATE ansible_deregexify_banner_anchors

Strips anchors around the banner

ansible_deregexify_banner_anchors()

TEMPLATE ansible_deregexify_multiple_banners

Strips multibanner regex and keeps only the first banner

ansible_deregexify_multiple_banners()

TEMPLATE ansible_deregexify_banner_space

Strips whitespace or newline regex

ansible_deregexify_banner_space()

TEMPLATE ansible_deregexify_banner_newline

Strips newline or newline escape sequence regex

ansible_deregexify_banner_newline(newline)

TEMPLATE ansible_deregexify_banner_newline_token

Strips newline token for a newline escape sequence regex

ansible_deregexify_banner_newline_token()

TEMPLATE ansible_deregexify_banner_backslash

Strips backslash regex

ansible_deregexify_banner_backslash()

TEMPLATE ansible_audit_augenrules_add_watch_rule

The following macro remediates one audit watch rule in /etc/audit/rules.d directory.

Parameters

  • path (str) – path to watch

  • permissions (str) – permissions changes to watch for

  • key (str) – key to use as identifier. Note that if there exists any other rule with the same find_mac_key in some file within /etc/audit/rules.d/, the new rule will be appended to this file.

ansible_audit_augenrules_add_watch_rule(path=’’, permissions=’’, key=’’)

TEMPLATE ansible_audit_auditctl_add_watch_rule

The following macro remediates one audit watch rule in /etc/audit/audit.rules.

Parameters

  • path (str) – Path to watch

  • permissions (str) – Permissions changes to watch for

  • key (str) – Key to use as identifier

ansible_audit_auditctl_add_watch_rule(path=’’, permissions=’’, key=’’)

TEMPLATE ansible_audit_augenrules_add_syscall_rule

The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. The macro requires following parameters:

Parameters

  • action_arch_filters – The action and arch filters of the rule. For example, “-a always,exit -F arch=b64”

  • other_filters – Other filters that may characterize the rule. For example, “-F a2&03 -F path=/etc/passwd”

  • auid_filters – The auid filters of the rule. For example, “-F auid>=1000 -F auid!=unset”

  • syscalls – List of syscalls to ensure presense among audit rules. For example, “[‘fchown’, ‘lchown’, ‘fchownat’]”

  • syscall_groupings – List of other syscalls that can be grouped with ‘syscalls’. For example, “[‘fchown’, ‘lchown’, ‘fchownat’]”

  • key – The key to use when appending a new rule

ansible_audit_augenrules_add_syscall_rule(action_arch_filters=””, other_filters=””, auid_filters=””, syscalls=[], key=””, syscall_grouping=[])

TEMPLATE ansible_audit_auditctl_add_syscall_rule

The following macro remediates Audit syscall rule in /etc/audit/audit.rules file.

Parameters

  • action_arch_filters – The action and arch filters of the rule. For example, “-a always,exit -F arch=b64”

  • other_filters – Other filters that may characterize the rule. For example, “-F a2&03 -F path=/etc/passwd”

  • auid_filters – The auid filters of the rule. For example, “-F auid>=1000 -F auid!=unset”

  • syscalls – List of syscalls to ensure presense among audit rules. For example, “[‘fchown’, ‘lchown’, ‘fchownat’]”

  • syscall_groupings – List of other syscalls that can be grouped with ‘syscalls’ For example, “[‘fchown’, ‘lchown’, ‘fchownat’]”

  • key – The key to use when appending a new rule

ansible_audit_auditctl_add_syscall_rule(action_arch_filters=””, other_filters=””, auid_filters=””, syscalls=[], key=””, syscall_grouping=[])

TEMPLATE ansible_pkg_conditional

This macro creates an Ansible snipped which is used in when clause to determine applicability of a task. If the package passed as a parameter is installed, the task is applicable. The macro respects platform_package_overrides variable.

ansible_pkg_conditional(package)

TEMPLATE ansible_pam_faillock_enable

This macro ensures the pam_faillock.so PAM module is enabled. It is enabled using the authselect tool or editing the PAM files, only if authselect tool is not available.

ansible_pam_faillock_enable()

TEMPLATE ansible_pam_faillock_parameter_value

This macro make sure the informed parameter from pam_faillock.so PAM module is properly set.

param parameter

The pam_faillock.so parameter name.

param faillock_var_name

If the parameter expects a value from a variable, the variable name is informed here.

ansible_pam_faillock_parameter_value(parameter, faillock_var_name=’’)

TEMPLATE ansible_grub2_bootloader_argument

Macro for Ansible remediation for adding a kernel command line argument to the GRUB 2 bootloader. Part of the grub2_bootloader_argument template.

Parameters

  • arg_name – Kernel command line argument

  • arg_name_value – Kernel command line argument concatenated with the value of this argument using an equal sign, eg. “noexec=off”.

ansible_grub2_bootloader_argument(arg_name, arg_name_value)

TEMPLATE ansible_grub2_bootloader_argument_absent

Macro for Ansible remediation for removing a kernel command line argument from the GRUB 2 bootloader. Part of the grub2_bootloader_argument_absent template.

Parameters

  • arg_name – Name of the kernel command line argument that will be removed from GRUB 2 configuration.

ansible_grub2_bootloader_argument_absent(arg_name)

TEMPLATE ansible_restrict_permissions_home_directories

Macro to restrict permissions in home directories of interactive users

ansible_restrict_permissions_home_directories(recursive=false)