From e22ff8a3589f3512237969dda8bd428564b5cc2d Mon Sep 17 00:00:00 2001 From: darrickw Date: Mon, 6 May 2024 15:59:54 -0600 Subject: [PATCH 1/3] cleanup duplicate ansible content, fix pathing in ansible readme fiels --- .../README.md | 8 +- aria/lifecycle/ansible/README.md | 45 --- aria/lifecycle/ansible/playbook.yml | 7 - .../ansible/roles/nginx/defaults/main.yml | 10 - .../ansible/roles/nginx/handlers/main.yml | 5 - .../ansible/roles/nginx/tasks/main.yml | 11 - .../ansible/roles/nginx/tasks/nginx.yml | 230 --------------- .../ansible/roles/postgres/defaults/main.yml | 12 - .../ansible/roles/postgres/handlers/main.yml | 5 - .../ansible/roles/postgres/tasks/main.yml | 11 - .../ansible/roles/postgres/tasks/postgres.yml | 277 ------------------ .../ansible/roles/vrlcm/defaults/main.yml | 7 - .../ansible/roles/vrlcm/tasks/main.yml | 11 - .../ansible/roles/vrlcm/tasks/vrlcm.yml | 120 -------- .../README.md | 6 +- 15 files changed, 7 insertions(+), 758 deletions(-) delete mode 100644 aria/lifecycle/ansible/README.md delete mode 100644 aria/lifecycle/ansible/playbook.yml delete mode 100644 aria/lifecycle/ansible/roles/nginx/defaults/main.yml delete mode 100644 aria/lifecycle/ansible/roles/nginx/handlers/main.yml delete mode 100644 aria/lifecycle/ansible/roles/nginx/tasks/main.yml delete mode 100644 aria/lifecycle/ansible/roles/nginx/tasks/nginx.yml delete mode 100644 aria/lifecycle/ansible/roles/postgres/defaults/main.yml delete mode 100644 aria/lifecycle/ansible/roles/postgres/handlers/main.yml delete mode 100644 aria/lifecycle/ansible/roles/postgres/tasks/main.yml delete mode 100644 aria/lifecycle/ansible/roles/postgres/tasks/postgres.yml delete mode 100644 aria/lifecycle/ansible/roles/vrlcm/defaults/main.yml delete mode 100644 aria/lifecycle/ansible/roles/vrlcm/tasks/main.yml delete mode 100644 aria/lifecycle/ansible/roles/vrlcm/tasks/vrlcm.yml 
diff --git a/aria/lifecycle/8.x/v1r2-srg/ansible/vmware-vrslcm-8.x-stig-ansible-hardening/README.md b/aria/lifecycle/8.x/v1r2-srg/ansible/vmware-vrslcm-8.x-stig-ansible-hardening/README.md
index e7d24ca8..0dec751d 100644
--- a/aria/lifecycle/8.x/v1r2-srg/ansible/vmware-vrslcm-8.x-stig-ansible-hardening/README.md
+++ b/aria/lifecycle/8.x/v1r2-srg/ansible/vmware-vrslcm-8.x-stig-ansible-hardening/README.md
@@ -21,10 +21,10 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat
 ## Playbook Structure
 - playbook.yml - Main playbook to run
-- /roles//defaults/main.yml - Default variables to use during the run of the playbook
-- /roles//tasks/main.yml - Default role task file
-- /roles//handlers/main.yml - Dependencies for service restarts
-- /roles//.yml - Task definitions for the role
+- /roles/\/defaults/main.yml - Default variables to use during the run of the playbook
+- /roles/\/tasks/main.yml - Default role task file
+- /roles/\/handlers/main.yml - Dependencies for service restarts
+- /roles/\/\.yml - Task definitions for the role
 ## How to run
diff --git a/aria/lifecycle/ansible/README.md b/aria/lifecycle/ansible/README.md
deleted file mode 100644
index e7d24ca8..00000000
--- a/aria/lifecycle/ansible/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# aria-suite-lifecycle-8x-stig-ansible-hardening
-VMware Aria Suite Lifecycle 8.x Appliance STIG Readiness Guide Ansible Playbook
-Version: Version 1 Release 2: 27 February 2024
-STIG Type: STIG Readiness Guide
-
-## Overview
-This is a hardening playbook that utilizes Ansible to perform automated remediation for STIG compliance of the VMware Aria Suite Lifecycle 8.x Appliance STIG Readiness Guide.
-
-## Supported Versions
-- VMware Aria Suite Lifecycle 8.14
-
-## !!Important!!
-- Please read through the README carefully and familiarize yourself with the playbook and Ansible before running this playbook.
-- As always please ensure you have a back out plan - if needed you can roll back the changes.
-- In order to run the Photon role it must be installed as a role so that this playbook may find it.
-- This playbook has not been tested for forward or backward compatibility beyond the version listed under supported versions.
-
-### Requirements
-- [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/index.html) installed on a machine that can SSH to the target node(s). Tested with Ansible 2.16.4.
-- SSH with root access enabled on the target Aria Suite Lifecycle node(s).
-
-## Playbook Structure
-- playbook.yml - Main playbook to run
-- /roles//defaults/main.yml - Default variables to use during the run of the playbook
-- /roles//tasks/main.yml - Default role task file
-- /roles//handlers/main.yml - Dependencies for service restarts
-- /roles//.yml - Task definitions for the role
-
-## How to run
-
-Run all controls on a target appliance. Prompt for password and display verbose output
-```
-ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b
-```
-Run controls for one service by specifying a tag.
-```
-ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b -t nginx
-```
-Run a specific control by specifying a tag.
-```
-ansible-playbook -i 'IP or FQDN', -u 'username' playbook.yml -k -v -b -t VLMN-8X-000019
-```
-
-## Misc
-- If vars need to be updated we recommend either creating a vars file to specify at the command line or adding them to the main playbook.yml or your own playbook.yml so that it is easy to track what is being altered from the original state.
diff --git a/aria/lifecycle/ansible/playbook.yml b/aria/lifecycle/ansible/playbook.yml
deleted file mode 100644
index d70aed3c..00000000
--- a/aria/lifecycle/ansible/playbook.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: VRLCM 8.x Remediation Automation
- hosts: all
- roles:
- - role: nginx
- - role: postgres
- - role: vrlcm
diff --git a/aria/lifecycle/ansible/roles/nginx/defaults/main.yml b/aria/lifecycle/ansible/roles/nginx/defaults/main.yml
deleted file mode 100644
index 72b6c2b3..00000000
--- a/aria/lifecycle/ansible/roles/nginx/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# defaults file for nginx
-nginx_conf_file: /etc/nginx/nginx.conf
-
-# VLIA-8X-000019
-nginx_log_dir: /var/log/nginx
-
-# VLIA-8X-000040
-nginx_user: "root"
-nginx_group: "root"
diff --git a/aria/lifecycle/ansible/roles/nginx/handlers/main.yml b/aria/lifecycle/ansible/roles/nginx/handlers/main.yml
deleted file mode 100644
index 1b793d57..00000000
--- a/aria/lifecycle/ansible/roles/nginx/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Reload NGINX
- ansible.builtin.command: nginx -s reload
- register: nginx_reload
- changed_when: "nginx_reload.rc != 0"
diff --git a/aria/lifecycle/ansible/roles/nginx/tasks/main.yml b/aria/lifecycle/ansible/roles/nginx/tasks/main.yml
deleted file mode 100644
index 58ec453c..00000000
--- a/aria/lifecycle/ansible/roles/nginx/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# tasks file for nginx
-
-- name: Include nginx
- ansible.builtin.include_tasks:
- file: nginx.yml
- apply:
- tags:
- - nginx
- tags:
- - always
diff --git a/aria/lifecycle/ansible/roles/nginx/tasks/nginx.yml b/aria/lifecycle/ansible/roles/nginx/tasks/nginx.yml
deleted file mode 100644
index ce156d53..00000000
--- a/aria/lifecycle/ansible/roles/nginx/tasks/nginx.yml
+++ /dev/null
@@ -1,230 +0,0 @@
-# Backup files that may be modified in case restoration is needed
-- name: Backup nginx configuration file
- tags: always
- block:
- - name: Backup nginx.conf - Create time stamp
- ansible.builtin.set_fact:
- backup_timestamp: "{{ lookup('pipe', 'date +%Y-%m-%d-%H-%M-%S') }}"
-
- - name: Backup nginx.conf - If restoring be sure to restore permissions that original file had!!
- ansible.builtin.copy:
- remote_src: true
- src: "{{ nginx_conf_file }}"
- dest: "/tmp/ansible-backups-vrlcm-nginx-{{ backup_timestamp }}/"
- mode: preserve
- changed_when: false
-
-###################################################################################################################################
-
-# VLMN-8X-000007 - The VMware Aria Suite Lifecycle web service must generate log records for system events.
-- name: VLMN-8X-000007 - The VMware Aria Suite Lifecycle web service must generate log records for system events
- tags: [VLMN-8X-000007]
- block:
- - name: VLMN-8X-000007 - Verify error_log directive
- ansible.builtin.shell: nginx -T 2>&1 | grep "^error_log"
- register: err_log
- changed_when: false
- ignore_errors: true
-
- - name: VLMN-8X-000007 - Add error_log directive in main context
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- regexp: "^error_log *"
- line: "error_log {{ nginx_log_dir }}/error.log info;"
- insertbefore: "http *{"
- state: present
- when: err_log.stdout == "" or "info" not in err_log.stdout
- notify:
- - Reload NGINX
-
-###################################################################################################################################
-
-# VLMN-8X-000019 - The VMware Aria Suite Lifecycle web service log files must only be accessible by privileged users.
-- name: VLMN-8X-000019 - The VMware Aria Suite Lifecycle web service log files must only be accessible by privileged users
- tags: [VLMN-8X-000019]
- block:
- - name: VLMN-8X-000019 - Check log file permissions
- ansible.builtin.shell: find {{ nginx_log_dir }}/* -xdev -type f -a '(' -perm -640 -o -not -user root -o -not -group root ')' -exec ls {} \;
- register: list_files
- changed_when: false
-
- - name: VLMN-8X-000019 - Verify and update file permissions
- ansible.builtin.file:
- path: "{{ item }}"
- state: file
- owner: 'root'
- group: 'root'
- mode: '640'
- with_items: "{{ list_files.stdout_lines }}"
-
-###################################################################################################################################
-# VLMN-8X-000025: The VMware Aria Suite Lifecycle web service must not perform user management for hosted applications.
-# This is a manual fix.
-
-###################################################################################################################################
-# VLMN-8X-000026: The VMware Aria Suite Lifecycle web service must only contain modules necessary for operation.
-# This is a manual fix.
-
-###################################################################################################################################
-# VLMN-8X-000034: The VMware Aria Suite Lifecycle web service must have Web Distributed Authoring (WebDAV) disabled.
-# This is a manual fix.
-
-###################################################################################################################################
-
-# VLMN-8X-000036 - The VMware Aria Suite Lifecycle web service must not have any symbolic links that traverse outside the web content directory tree.
-- name: VLMN-8X-000036 - The VMware Aria Suite Lifecycle web service must not have any symbolic links that traverse outside the web content directory tree
- tags: [VLMN-8X-000036]
- block:
- - name: VLMN-8X-000036 - Search for root directories and list symlinks
- ansible.builtin.shell: |
- set -o pipefail
- nginx -T 2>&1 | grep "root /" | awk -F" " '{print $2}' | awk -F";" '{system("find " $1 " -type l")}'
- register: root_dirs
- changed_when: false
-
- - name: VLMN-8X-000036 - Remove symlinks if any
- ansible.builtin.command: unlink {{ item }}
- with_items:
- - "{{ root_dirs.stdout_lines | unique }}"
- changed_when: root_dirs.stdout_lines | length > 0
-
-###################################################################################################################################
-
-# VLMN-8X-000040 - The VMware Aria Suite Lifecycle web service private keys must be protected from unauthorized access.
-- name: VLMN-8X-000040 - The VMware Aria Suite Lifecycle web service private keys must be protected from unauthorized access
- tags: [VLMN-8X-000040]
- block:
- - name: VLMN-8X-000040 - Search for ssl cert keys
- ansible.builtin.shell: |
- set -o pipefail
- nginx -T 2>&1 | grep ssl_certificate_key | awk -F" " '{print $2}' | awk -F";" '{print $1}'
- register: ssl_certs
- changed_when: false
-
- - name: VLMN-8X-000040 - Set appropriate permissions for the cert keys
- ansible.builtin.file:
- path: "{{ item | trim }}"
- state: file
- owner: 'root'
- group: 'root'
- mode: '400'
- with_items: "{{ ssl_certs.stdout_lines }}"
-
-###################################################################################################################################
-# VLMN-8X-000041: The VMware Aria Suite Lifecycle web service must use FIPS 140-2 validated cryptographic modules.
-# This is a manual fix.
-
-###################################################################################################################################
-
-# VLMN-8X-000062 - The VMware Aria Suite Lifecycle web service must disable directory listings.
-- name: VLMN-8X-000062 - The VMware Aria Suite Lifecycle web service must disable directory listings
- tags: [VLMN-8X-000062]
- block:
- - name: VLMN-8X-000062 - Verify autoindex
- ansible.builtin.shell: nginx -T 2>&1 | grep "autoindex"
- register: auto_ind
- changed_when: false
- ignore_errors: true
-
- - name: VLMN-8X-000062 - Remove autoindex directive
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- line: "{{ item }}"
- state: absent
- when: auto_ind.stdout != ""
- with_items: "{{ auto_ind.stdout_lines }}"
- notify:
- - Reload NGINX
-
-###################################################################################################################################
-
-# VLMN-8X-000063 - The VMware Aria Suite Lifecycle web service must minimize the identity of the web server in information displayed to clients.
-- name: VLMN-8X-000063 - The VMware Aria Suite Lifecycle web service must minimize the identity of the web server in information displayed to clients
- tags: [VLMN-8X-000063]
- block:
- - name: VLMN-8X-000063 - Verify server_tokens
- ansible.builtin.shell: nginx -T 2>&1 | grep "server_tokens"
- register: server_token
- changed_when: false
- ignore_errors: true
-
- - name: VLMN-8X-000063 - Remove server_tokens directive
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- line: "{{ item | trim }}"
- state: absent
- when: item != ""
- with_items: "{{ server_token.stdout_lines }}"
- notify:
- - Reload NGINX
-
- - name: VLMN-8X-000063 - Add server_tokens directive in http block
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- line: " server_tokens off;"
- insertafter: "http *{"
- state: present
- notify:
- - Reload NGINX
-
-###################################################################################################################################
-
-# VLMN-8X-000078 - The VMware Aria Suite Lifecycle web service configuration files must only be accessible to privileged users.
-- name: VLMN-8X-000078 - The VMware Aria Suite Lifecycle web service configuration files must only be accessible to privileged users
- tags: [VLMN-8X-000078]
- block:
- - name: VLMN-8X-000078 - Search for conf files
- ansible.builtin.shell: find /etc/nginx -xdev -type f -a '(' -perm -o+w -o -not -user root -o -not -group root ')' -exec ls {} \;
- register: list_files
- changed_when: false
-
- - name: VLMN-8X-000078 - Set appropriate permissions for the conf files
- ansible.builtin.file:
- path: "{{ item | trim }}"
- state: file
- owner: 'root'
- group: 'root'
- mode: '644'
- with_items: "{{ list_files.stdout_lines }}"
-
-###################################################################################################################################
-
-# VLMN-8X-000096 - The VMware Aria Suite Lifecycle web service must remove the default web site configuration.
-# This is a manual fix
-
-###################################################################################################################################
-# VLMN-8X-000097: The VMware Aria Suite Lifecycle web service must remove references of server information from default web pages.
-# This is a manual fix.
-
-###################################################################################################################################
-
-# VLMN-8X-000102 - The VMware Aria Suite Lifecycle web service must disable SSL session tickets.
-- name: VLMN-8X-000102 - The VMware Aria Suite Lifecycle web service must disable SSL session tickets
- tags: [VLMN-8X-000102]
- block:
- - name: VLMN-8X-000102 - Verify ssl_session_tickets
- ansible.builtin.shell: nginx -T 2>&1 | grep "ssl_session_tickets"
- register: ssl_ssn_tckt
- changed_when: false
- ignore_errors: true
-
- - name: VLMN-8X-000102 - Remove ssl_session_tickets directive
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- line: "{{ item }}"
- state: absent
- when: item != ""
- with_items: "{{ ssl_ssn_tckt.stdout_lines }}"
- notify:
- - Reload NGINX
-
- - name: VLMN-8X-000102 - Add ssl_session_tickets directive in http block
- ansible.builtin.lineinfile:
- path: "{{ nginx_conf_file }}"
- line: " ssl_session_tickets off;"
- insertafter: "http *{"
- state: present
- when: item != ""
- with_items: "{{ ssl_ssn_tckt.stdout_lines }}"
- notify:
- - Reload NGINX
diff --git a/aria/lifecycle/ansible/roles/postgres/defaults/main.yml b/aria/lifecycle/ansible/roles/postgres/defaults/main.yml
deleted file mode 100644
index 188cb759..00000000
--- a/aria/lifecycle/ansible/roles/postgres/defaults/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-# defaults file for postgres
-# VLMP-8X-000001
-postgres_max_connections: 100
-# VLMP-8X-000006
-postgres_owner: postgres
-postgres__group: users
-postgres_data_dir: /var/vmware/vpostgres/current/pgdata
-
-# VLMP-8X-000032
-postgres_approved_extensions:
- - plpgsql
diff --git a/aria/lifecycle/ansible/roles/postgres/handlers/main.yml b/aria/lifecycle/ansible/roles/postgres/handlers/main.yml
deleted file mode 100644
index 7278584f..00000000
--- a/aria/lifecycle/ansible/roles/postgres/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Restart Postgres
- ansible.builtin.service:
- name: vpostgres.service
- state: restarted
diff --git a/aria/lifecycle/ansible/roles/postgres/tasks/main.yml b/aria/lifecycle/ansible/roles/postgres/tasks/main.yml
deleted file mode 100644
index ea1d075b..00000000
--- a/aria/lifecycle/ansible/roles/postgres/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# tasks file for postgresql
-
-- name: Include postgresql
- ansible.builtin.include_tasks:
- file: postgres.yml
- apply:
- tags:
- - postgres
- tags:
- - always
diff --git a/aria/lifecycle/ansible/roles/postgres/tasks/postgres.yml b/aria/lifecycle/ansible/roles/postgres/tasks/postgres.yml
deleted file mode 100644
index 0d4635fa..00000000
--- a/aria/lifecycle/ansible/roles/postgres/tasks/postgres.yml
+++ /dev/null
@@ -1,277 +0,0 @@
-# VLMP-8X-000001 - VMware Aria Suite Lifecycle vpostgres must limit the number of concurrent sessions.
-- name: VLMP-8X-000001 - VMware Aria Suite Lifecycle vpostgres must limit the number of concurrent sessions
- tags: [VLMP-8X-000001]
- block:
- - name: VLMP-8X-000001 - Check number of concurrent sessions configured
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW max_connections"
- register: max_conn_out
- changed_when: false
-
- - name: VLMP-8X-000001 - Set number of concurrent sessions(max_connections)
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -c "ALTER SYSTEM SET max_connections = {{ postgres_max_connections }};"
- when: max_conn_out.stdout == "" or max_conn_out.stdout | int < 1
- register: upd_max_conn
- changed_when: upd_max_conn.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000006 - VMware Aria Suite Lifecycle vpostgres configuration files must not be accessible by unauthorized users.
-- name: VLMP-8X-000006 - VMware Aria Suite Lifecycle vpostgres configuration files must not be accessible by unauthorized users
- tags: [VLMP-8X-000006]
- block:
- - name: VLMP-8X-000006 - Search for files with permissions other than 600 and owner not as postgres
- ansible.builtin.shell: find {{ postgres_data_dir }}/*conf* -xdev -type f -a '(' -not -perm 600 -o -not -user {{ postgres_owner }} -o -not -group {{ postgres__group }} ')' -exec ls -d {} \;
- register: file_search_out
- changed_when: false
-
- - name: VLMP-8X-000006 - Updating file permissions
- ansible.builtin.file:
- path: "{{ item }}"
- state: file
- owner: '{{ postgres_owner }}'
- group: '{{ postgres__group }}'
- mode: '600'
- when: file_search_out.stdout != ""
- with_items:
- - "{{ file_search_out.stdout_lines }}"
-
-###################################################################################################################################
-
-# VLMP-8X-000010 - VMware Aria Suite Lifecycle vpostgres must produce logs containing sufficient information to establish what type of events occurred.
-- name: VLMP-8X-000010 - VMware Aria Suite Lifecycle vpostgres must produce logs containing sufficient information to establish what type of events occurred
- tags: [VLMP-8X-000010]
- block:
- - name: VLMP-8X-000010 - Show log line prefix
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_line_prefix"
- register: log_pref_out
- changed_when: false
-
- - name: VLMP-8X-000010 - Updating log pattern
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -c "ALTER SYSTEM SET log_line_prefix = '%m %c %x %d %u %r %p %l';"
- when: log_pref_out.stdout != "%m %c %x %d %u %r %p %l"
- register: upd_log_pref
- changed_when: upd_log_pref.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000020 - VMware Aria Suite Lifecycle vpostgres must be configured to protect log files from unauthorized access.
-- name: VLMP-8X-000020 - VMware Aria Suite Lifecycle vpostgres must be configured to protect log files from unauthorized access
- tags: [VLMP-8X-000020]
- block:
- - name: VLMP-8X-000020 - Show log file mode
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_file_mode;"
- register: log_file_out
- changed_when: false
-
- - name: VLMP-8X-000020 - Updating log file mode
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET log_file_mode = '0600';"
- when: log_file_out.stdout != "0600"
- register: upd_file_mode
- changed_when: upd_file_mode.rc == 0
- notify:
- - Restart Postgres
-
- - name: VLMP-8X-000020 - Find out log directory
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_directory;"
- register: log_dir_out
- changed_when: false
-
- - name: VLMP-8X-000020 - Find out data directory
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW data_directory;"
- register: data_dir_out
- changed_when: false
-
- - name: VLMP-8X-000020 - Generate complete path for log destination
- ansible.builtin.set_fact:
- log_dest: "{{ data_dir_out.stdout }}/{{ log_dir_out.stdout }}"
- when: '"/" not in log_dir_out.stdout'
- changed_when: false
-
- - name: VLMP-8X-000020 - Generate complete path for log destination
- ansible.builtin.set_fact:
- log_dest: "{{ log_dir_out.stdout }}"
- when: '"/" in log_dir_out.stdout'
- changed_when: false
-
- - name: VLMP-8X-000020 - Find files under log destination directory with incorrect permissions
- ansible.builtin.shell: find {{ log_dest }}/* -xdev -type f -a '(' -not -perm 600 -o -not -user postgres -o -not -group users ')' -exec ls {} \;
- register: find_files_out
- changed_when: false
- failed_when: false
-
- - name: VLMP-8X-000020 - Updating file ownership and permissions
- ansible.builtin.file:
- path: "{{ item }}"
- state: file
- owner: 'postgres'
- group: 
'users'
- mode: '600'
- when: find_files_out.stdout != ""
- with_items:
- - "{{ find_files_out.stdout_lines }}"
-
-###################################################################################################################################
-
-# VLMP-8X-000032 - VMware Aria Suite Lifecycle vpostgres must not load unused database components, software, and database objects.
-- name: VLMP-8X-000032 - VMware Aria Suite Lifecycle vpostgres must not load unused database components, software, and database objects
- tags: [VLMP-8X-000032]
- block:
- - name: VLMP-8X-000032 - List pgextensions
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "select extname from pg_extension where extname != 'plpgsql';"
- register: ext_out
- changed_when: false
-
- - name: VLMP-8X-000032 - Remove extensions other than plpgsql
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "DROP EXTENSION {{ item | trim }};"
- when: ext_out.stdout != "" and item | trim not in postgres_approved_extensions
- register: upd_ext
- changed_when: upd_ext.rc == 0
- with_items:
- - "{{ ext_out.stdout_lines }}"
-
-###################################################################################################################################
-
-# VLMP-8X-000035 - VMware Aria Suite Lifecycle vpostgres must be configured to use an authorized port.
-- name: VLMP-8X-000035 - VMware Aria Suite Lifecycle vpostgres must be configured to use an authorized port
- tags: [VLMP-8X-000035]
- block:
- - name: VLMP-8X-000035 - Check for the port postgres is using
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW port;"
- register: port_out
- changed_when: false
-
- - name: VLMP-8X-000035 - Set postgres port
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET port TO '5432';"
- when: port_out.stdout != "5432"
- register: upd_port
- changed_when: upd_port.rc != 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000051 - VMware Aria Suite Lifecycle vpostgres must write log entries to disk prior to returning operation success or failure.
-- name: VLMP-8X-000051 - VMware Aria Suite Lifecycle vpostgres must write log entries to disk prior to returning operation success or failure
- tags: [VLMP-8X-000051]
- block:
- - name: VLMP-8X-000051 - Check for the postgres settings
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SELECT name, setting FROM pg_settings WHERE name IN ('fsync','full_page_writes','synchronous_commit');"
- register: pg_settings_out
- changed_when: false
-
- - name: VLMP-8X-000051 - Update settings to turn on
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET {{ item.split('|')[0] }} TO 'on';"
- when:
- - pg_settings_out.stdout != ""
- - item.split('|')[1] | trim != "on"
- with_items:
- - "{{ pg_settings_out.stdout_lines }}"
- register: set_pg_settings
- changed_when: set_pg_settings.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000060 - VMware Aria Suite 
Lifecycle vpostgres must provide non-privileged users with minimal error information.
-- name: VLMP-8X-000060 - VMware Aria Suite Lifecycle vpostgres must provide non-privileged users with minimal error information
- tags: [VLMP-8X-000060]
- block:
- - name: VLMP-8X-00060 - Verify client_min_messages configuration
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW client_min_messages;"
- register: client_min_msg
- changed_when: false
-
- - name: VLMP-8X-000060 - Set client_min_messages to error
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET client_min_messages TO 'error';"
- when: client_min_msg.stdout != "error"
- register: set_client_min_msg
- changed_when: set_client_min_msg.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000070 - VMware Aria Suite Lifecycle vpostgres must have log collection enabled.
-- name: VLMP-8X-000070 - VMware Aria Suite Lifecycle vpostgres must have log collection enabled
- tags: [VLMP-8X-000070]
- block:
- - name: VLMP-8X-00070 - Verify log collector configuration is enabled or not
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW logging_collector;"
- register: log_coll_out
- changed_when: false
-
- - name: VLMP-8X-000070 - Update log collector to on
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET logging_collector TO 'on';"
- when: log_coll_out.stdout != "on"
- register: set_log_coll
- changed_when: set_log_coll.rc == 0
- notify:
- - Restart Postgres
-
-##################################################################################################################################
-
-# VLMP-8X-000075 - VMware Aria Suite Lifecycle vpostgres must use UTC for log timestamps.
-- name: VLMP-8X-000075 - VMware Aria Suite Lifecycle vpostgres must use UTC for log timestamps
- tags: [VLMP-8X-000075]
- block:
- - name: VLMP-8X-00075 - Verify log timezone configuration
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_timezone;"
- register: log_tz_out
- changed_when: false
-
- - name: VLMP-8X-000075 - Update log timezone configuration to UTC
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET log_timezone TO 'Etc/UTC';"
- when: log_tz_out.stdout != "Etc/UTC"
- register: set_log_tz
- changed_when: set_log_tz.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000110 - VMware Aria Suite Lifecycle vpostgres must log all connection attempts.
-- name: VLMP-8X-000110 - VMware Aria Suite Lifecycle vpostgres must log all connection attempts
- tags: [VLMP-8X-000110]
- block:
- - name: VLMP-8X-000110 - Verify log connection configuration is on or not
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_connections;"
- register: log_conn_out
- changed_when: false
-
- - name: VLMP-8X-000110 - Update log connection to on
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET log_connections TO 'on';"
- when: log_conn_out.stdout != "on"
- register: set_log_conn
- changed_when: set_log_conn.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000114 - VMware Aria Suite Lifecycle vpostgres must log all client disconnections.
-- name: VLMP-8X-000114 - VMware Aria Suite Lifecycle vpostgres must log all client disconnections.
- tags: [VLMP-8X-000114]
- block:
- - name: VLMP-8X-000114 - Verify log collection configuration for disconnections is on or not
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_disconnections;"
- register: log_dconn_out
- changed_when: false
-
- - name: VLMP-8X-000114 - Update log collection for disconnections to on
- ansible.builtin.command: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "ALTER SYSTEM SET log_disconnections TO 'on';"
- when: log_dconn_out.stdout != "on"
- register: set_log_dconn
- changed_when: set_log_dconn.rc == 0
- notify:
- - Restart Postgres
-
-###################################################################################################################################
-
-# VLMP-8X-000122 - VMware Aria Suite Lifecycle vpostgres must off-load audit data to a separate log management facility.
-# This is a manual fix.
-## Setup log_destination, syslog_facility & syslog_ident specific to the environment.
diff --git a/aria/lifecycle/ansible/roles/vrlcm/defaults/main.yml b/aria/lifecycle/ansible/roles/vrlcm/defaults/main.yml
deleted file mode 100644
index 31d10f0f..00000000
--- a/aria/lifecycle/ansible/roles/vrlcm/defaults/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# defaults file for vrlcm
-vrlcm_hostname: "https://cava-n-81-141.eng.vmware.com"
-vrlcm_username: "admin@local"
-vrlcm_password: "VMware1!"
-
-vrlcm_ntp_servers: "time-a-b.nist.gov,time.google.com"
diff --git a/aria/lifecycle/ansible/roles/vrlcm/tasks/main.yml b/aria/lifecycle/ansible/roles/vrlcm/tasks/main.yml
deleted file mode 100644
index bb642149..00000000
--- a/aria/lifecycle/ansible/roles/vrlcm/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# tasks file for vrlcm
-
-- name: Include vrlcm
- ansible.builtin.include_tasks:
- file: vrlcm.yml
- apply:
- tags:
- - vrlcm
- tags:
- - always
diff --git a/aria/lifecycle/ansible/roles/vrlcm/tasks/vrlcm.yml b/aria/lifecycle/ansible/roles/vrlcm/tasks/vrlcm.yml
deleted file mode 100644
index aa4ad704..00000000
--- a/aria/lifecycle/ansible/roles/vrlcm/tasks/vrlcm.yml
+++ /dev/null
@@ -1,120 +0,0 @@ -# Generate authentication token -- name: Generate and get session ID - tags: always - block: - - name: Generate sessionId - ansible.builtin.shell: | - set -o pipefail - echo -n "{{ vrlcm_username }}:{{ vrlcm_password }}" | base64 - register: session_token - changed_when: "session_token.rc != 0" - -################################################################################################################################### - -# VLMA-8X-000001 - VMware Aria Suite Lifecycle must enable FIPS mode. -- name: VLMA-8X-000001 - VMware Aria Suite Lifecycle must enable FIPS mode - tags: [VLMA-8X-000001] - block: - - name: VLMA-8X-000001 - Get FIPS mode status - ansible.builtin.uri: - url: "{{ vrlcm_hostname }}/lcm/locker/api/security/fips" - method: GET - status_code: 200 - headers: - Content-Type: 'application/json' - Accept: 'application/json' - Authorization: "Basic {{ session_token.stdout }}" - validate_certs: false - register: fips_status - changed_when: false - failed_when: - - fips_status.status != 200 - - - name: VLMA-8X-000001 - Verify and update FIPS mode - ansible.builtin.uri: - url: "{{ vrlcm_hostname }}/lcm/locker/api/security/fips" - method: POST - headers: - Content-Type: 'application/json' - Accept: 'application/json' - Authorization: "Basic {{ session_token.stdout }}" - body_format: json - body: '{ "enabled": true }' - validate_certs: false - register: response_fips_enable - when: - - not fips_status.json.enabled - changed_when: - - response_fips_enable.status == 200 - -################################################################################################################################### - -# VLMA-8X-000004 - VMware Aria Suite Lifecycle must configure authentication when a proxy server is specified. -# This is a manual fix. 
- -################################################################################################################################### - -# VLMA-8X-000005 - VMware Aria Suite Lifecycle must off-load log records to a different system. -# This is a manual fix. -#### Log in to the VMware Aria Suite Lifecycle management interface. -#### Select "Lifecycle Operations" >> Settings >> System Administration >> Logs. -#### Enter valid information for Hostname and Port, then choose the relevant Server Protocol and fill in the remaining information. -#### Click Save. - -################################################################################################################################### - -# VLMA-8X-000006 - VMware Aria Suite Lifecycle must not provide environment information to third parties. -- name: VLMA-8X-000006 - VMware Aria Suite Lifecycle must not provide environment information to third parties - tags: [VLMA-8X-000006] - block: - - name: VLMA-8X-000006 - Get server clock configuration - ansible.builtin.uri: - url: "{{ vrlcm_hostname }}/lcm/lcops/api/v2/settings/system-details/time" - method: GET - status_code: 200 - headers: - Content-Type: 'application/json' - Accept: 'application/json' - Authorization: "Basic {{ session_token.stdout }}" - validate_certs: false - register: time_status - changed_when: false - failed_when: - - time_status.status != 200 - - - name: VLMA-8X-000006 - Verify and update server clock configuration - ansible.builtin.uri: - url: "{{ vrlcm_hostname }}/lcm/lcops/api/v2/settings/system-details/time" - method: POST - headers: - Content-Type: 'application/json' - Accept: 'application/json' - Authorization: "Basic {{ session_token.stdout }}" - body_format: json - body: '{ "ntpServerEnabled": true, "ntpServers": "{{ vrlcm_ntp_servers }}" }' - validate_certs: false - register: response_time_enable - when: - - not time_status.json.ntpServerEnabled or not time_status.json.ntpServerStarted or time_status.json.ntpServers != vrlcm_ntp_servers 
- changed_when: - - response_time_enable.status == 200 - -################################################################################################################################### - -# VLMA-8X-000007 - VMware Aria Suite Lifecycle must off-load log records to a different system. -# This is a manual fix. -#### To install available patches perform the following: -#### Login to VMware Aria Suite Lifecycle as the admin@local account. -#### Select "Lifecycle Operations" >> Settings >> System Administration >> System Patches >> New Patch -#### Select an available patch from the list and click next. -#### Review the patch installation and click Install. - -################################################################################################################################### - -# VLMA-8X-000008 - VMware Aria Suite Lifecycle must off-load log records to a different system. -# This is a manual fix. - -################################################################################################################################### - -# VLMA-8X-000009 - VMware Aria Suite Lifecycle must not provide environment information to third parties. -# This is a manual fix. Unavailability of API. diff --git a/aria/operations-for-logs/8.x/v1r4-srg/ansible/vmware-vrli-8.x-stig-ansible-hardening/README.md b/aria/operations-for-logs/8.x/v1r4-srg/ansible/vmware-vrli-8.x-stig-ansible-hardening/README.md index 79b704c5..9ac6f55d 100644 --- a/aria/operations-for-logs/8.x/v1r4-srg/ansible/vmware-vrli-8.x-stig-ansible-hardening/README.md +++ b/aria/operations-for-logs/8.x/v1r4-srg/ansible/vmware-vrli-8.x-stig-ansible-hardening/README.md 
@@ -23,9 +23,9 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat ## Playbook Structure - playbook.yml - Main playbook to run -- /roles//defaults/main.yml - Default variables to use during the run of the playbook -- /roles//tasks/main.yml - Default role task file -- /roles//.yml - task definitions for the role +- /roles/\/defaults/main.yml - Default variables to use during the run of the playbook +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/\.yml - task definitions for the role ## How to run From f73501aac0f29fc1ed65629da1b0080dcdb2a7ba Mon Sep 17 00:00:00 2001 From: darrickw Date: Tue, 7 May 2024 06:43:22 -0600 Subject: [PATCH 2/3] aria supported versions cleanup --- aria/automation/8.x/README.md | 11 ++++++----- aria/lifecycle/8.x/README.md | 8 ++++---- aria/operations-for-logs/8.x/README.md | 8 ++++---- aria/operations/8.x/README.md | 12 ++++++------ 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/aria/automation/8.x/README.md b/aria/automation/8.x/README.md index 9aa42a96..67f2b0fb 100644 --- a/aria/automation/8.x/README.md +++ b/aria/automation/8.x/README.md 
@@ -3,12 +3,13 @@ ## Compatibility The table below provides supported interoperability between product and STIG versioning. Application of STIG content outside interoperable versions is not supported. -| | V1R3* | V1R4* | V1R5* | V1R6* | +| Version | V1R3* | V1R4* | V1R5* | V1R6* | |:-------------------:|:------------------:|:------------------:|:------------------:|:------------------:| -| `8.11.x` | :heavy_check_mark: | :x: | :x: | :x: | -| `8.12.x` | :x: | :heavy_check_mark: | :x: | :x: | -| `8.13.1` | :x: | :x: | :heavy_check_mark: | :x: | -| `8.16.1` | :x: | :x: | :x: | :heavy_check_mark: | +| `8.11.x` | :heavy_check_mark: | :x: | :x: | :x: | +| `8.12.x` | :x: | :heavy_check_mark: | :x: | :x: | +| `8.13.0` | :x: | :heavy_check_mark: | :x: | :x: | +| `8.13.1`-`8.16.0` | :x: | :x: | :heavy_check_mark: | :x: | +| `8.16.1`-`8.16.2` | :x: | :x: | :x: | :heavy_check_mark: | > [!NOTE] > - \* Denotes STIG Readiness Guide diff --git a/aria/lifecycle/8.x/README.md b/aria/lifecycle/8.x/README.md index f30ef6c1..c38de9ce 100644 --- a/aria/lifecycle/8.x/README.md +++ b/aria/lifecycle/8.x/README.md @@ -3,11 +3,11 @@ ## Compatibility The table below provides supported interoperability between product and STIG versioning. Application of STIG content outside interoperable versions is not supported. -| | V1R1* | V1R2* | +| Version | V1R1* | V1R2* | |:-------------------:|:------------------:|:------------------:| -| `8.2 - 8.12` | :heavy_check_mark: | :x: | -| `8.14.x` | :x: | :heavy_check_mark: | -| `8.16.x` | :x: | :heavy_check_mark: | +| `8.12.x` | :heavy_check_mark: | :x: | +| `8.14.x` | :x: | :heavy_check_mark: | +| `8.16.x` | :x: | :heavy_check_mark: | > [!NOTE] > - \* Denotes STIG Readiness Guide diff --git a/aria/operations-for-logs/8.x/README.md b/aria/operations-for-logs/8.x/README.md index 39d642f0..c204bc2e 100644 --- a/aria/operations-for-logs/8.x/README.md +++ b/aria/operations-for-logs/8.x/README.md 
@@ -3,11 +3,11 @@ ## Compatibility The table below provides supported interoperability between product and STIG versioning. Application of STIG content outside interoperable versions is not supported. -| | V1R2* | V1R4* | +| Version | V1R2* | V1R4* | |:-------------------:|:------------------:|:------------------:| -| `8.12.x` | :heavy_check_mark: | :x: | -| `8.14.x` | :x: | :heavy_check_mark: | -| `8.16.x` | :x: | :heavy_check_mark: | +| `8.12.x` | :heavy_check_mark: | :x: | +| `8.14.x` | :x: | :heavy_check_mark: | +| `8.16.x` | :x: | :heavy_check_mark: | > [!NOTE] > - \* Denotes STIG Readiness Guide diff --git a/aria/operations/8.x/README.md b/aria/operations/8.x/README.md index 693148a4..be680e24 100644 --- a/aria/operations/8.x/README.md +++ b/aria/operations/8.x/README.md @@ -3,13 +3,13 @@ ## Compatibility The table below provides supported interoperability between product and STIG versioning. Application of STIG content outside interoperable versions is not supported. -| | V1R1* | V1R2* | V1R3* | +| Version | V1R1* | V1R2* | V1R3* | |:-------------------:|:------------------:|:------------------:|:------------------:| -| `8.2.x` | :heavy_check_mark: | :x: | :x: | -| `8.10.x` | :x: | :heavy_check_mark: | :x: | -| `8.12.x` | :x: | :heavy_check_mark: | :x: | -| `8.14.x` | :x: | :x: | :heavy_check_mark: | -| `8.16.x` | :x: | :x: | :heavy_check_mark: | +| `8.10.x` | :heavy_check_mark: | :x: | :x: | +| `8.12.x` | :x: | :heavy_check_mark: | :x: | +| `8.14.x` | :x: | :x: | :heavy_check_mark: | +| `8.16.x` | :x: | :x: | :heavy_check_mark: | +| `8.17.1` | :x: | :x: | :heavy_check_mark: | > [!NOTE] > - \* Denotes STIG Readiness Guide From 3905736640a57f7cf0f27a4a3b4180c3a3dff4e1 Mon Sep 17 00:00:00 2001 
From: darrickw Date: Wed, 8 May 2024 02:56:38 -0600 Subject: [PATCH 3/3] ansible pathing updates --- .../vmware-nsxt-3.x-stig-ansible-hardening/README.md | 10 +++++----- .../vmware-nsx-4.x-stig-ansible-hardening/README.md | 10 +++++----- .../vmware-nsx-4.x-stig-ansible-hardening/README.md | 10 +++++----- .../README.md | 10 +++++----- .../README.md | 10 +++++----- .../README.md | 10 +++++----- .../vmware-vcsa-8.0-stig-ansible-hardening/README.md | 10 +++++----- .../vmware-vcsa-8.0-stig-ansible-hardening/README.md | 10 +++++----- 8 files changed, 40 insertions(+), 40 deletions(-) diff --git a/nsx/3.x/v1r3-stig/ansible/vmware-nsxt-3.x-stig-ansible-hardening/README.md b/nsx/3.x/v1r3-stig/ansible/vmware-nsxt-3.x-stig-ansible-hardening/README.md index 2eb7f3e8..ae59a01a 100644 --- a/nsx/3.x/v1r3-stig/ansible/vmware-nsxt-3.x-stig-ansible-hardening/README.md +++ b/nsx/3.x/v1r3-stig/ansible/vmware-nsxt-3.x-stig-ansible-hardening/README.md 
@@ -24,11 +24,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat ## Playbook Structure - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role playbook -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role playbook +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## Generate API Session Token This playbook uses Session-Based authentication to authenticate with NSX for remediation. A session token and cookie must be generated and provided an input for the profile. This can be generated in various ways via curl, tools like Postman, etc. For more information see the [NSX API Documentation](https://developer.vmware.com/apis/1248/nsx-t). diff --git a/nsx/4.x/v1r1-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md b/nsx/4.x/v1r1-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md index 07ca10f0..a13bb41e 100644 --- a/nsx/4.x/v1r1-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md +++ b/nsx/4.x/v1r1-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md 
@@ -26,11 +26,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-nsx-4x-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## Generate API Session Token This playbook uses Session-Based authentication to authenticate with NSX for remediation. A session token and cookie must be generated and provided an input for the profile. This can be generated in various ways via curl, tools like Postman, etc. For more information see the [NSX API Documentation](https://developer.vmware.com/apis/1583/nsx-t). diff --git a/nsx/4.x/v1r2-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md b/nsx/4.x/v1r2-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md index 62f3b585..49371ce3 100644 --- a/nsx/4.x/v1r2-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md +++ b/nsx/4.x/v1r2-srg/ansible/vmware-nsx-4.x-stig-ansible-hardening/README.md 
@@ -25,11 +25,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-nsx-4x-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## Generate API Session Token This playbook uses Session-Based authentication to authenticate with NSX for remediation. A session token and cookie must be generated and provided an input for the profile. This can be generated in various ways via curl, tools like Postman, etc. For more information see the [NSX API Documentation](https://developer.vmware.com/apis/1583/nsx-t). diff --git a/vcd/10.x/v1r1-srg/ansible/vmware-cloud-director-10.x-stig-ansible-hardening/README.md b/vcd/10.x/v1r1-srg/ansible/vmware-cloud-director-10.x-stig-ansible-hardening/README.md index 353e906c..7482f9a7 100644 --- a/vcd/10.x/v1r1-srg/ansible/vmware-cloud-director-10.x-stig-ansible-hardening/README.md +++ b/vcd/10.x/v1r1-srg/ansible/vmware-cloud-director-10.x-stig-ansible-hardening/README.md 
@@ -15,11 +15,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role playbook -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role playbook +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## How to run diff --git a/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md b/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md index 7a71e79b..f9623460 100644 --- a/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md +++ b/vcf/5.x/v1r1-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md 
@@ -22,11 +22,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-vcenter-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## How to run diff --git a/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md b/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md index 4c9dcb05..56582bc3 100644 --- a/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md +++ b/vcf/5.x/v1r2-srg/ansible/vmware-cloud-foundation-sddcmgr-5x-stig-ansible-hardening/README.md 
@@ -25,11 +25,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-vcenter-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## How to run diff --git a/vsphere/8.0/v1r1-srg/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md b/vsphere/8.0/v1r1-srg/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md index f5c30799..10976e58 100644 --- a/vsphere/8.0/v1r1-srg/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md +++ b/vsphere/8.0/v1r1-srg/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md 
@@ -23,11 +23,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-vcenter-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## How to run diff --git a/vsphere/8.0/v1r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md b/vsphere/8.0/v1r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md index 1d95b9fb..f16b5583 100644 --- a/vsphere/8.0/v1r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md +++ b/vsphere/8.0/v1r1-stig/vcsa/ansible/vmware-vcsa-8.0-stig-ansible-hardening/README.md 
@@ -24,11 +24,11 @@ This is a hardening playbook that utilizes Ansible to perform automated remediat - playbook.yml - Main playbook to run - requirements.yml - Requirements file for installing dependencies or other roles included in this playbook - vars-vcenter-example.yml - Example vars file to profile variable values to the playbook for use during execution -- /roles//defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false -- /roles//handlers/main.yaml - handlers referenced in the tasks -- /roles//tasks/main.yml - Default role task file -- /roles//templates - Any template files used in the role -- /roles//vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. +- /roles/\/defaults/main.yml - Default variables used to turn controls on/off in the playbook. Set these to true/false +- /roles/\/handlers/main.yaml - handlers referenced in the tasks +- /roles/\/tasks/main.yml - Default role task file +- /roles/\/templates - Any template files used in the role +- /roles/\/vars/main.yml - variables referenced by tasks. Update these variables as needed for your environment. ## How to run