# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: Include security variable file security_vars.yml include_vars: "{{ security_vars_filename }}" - name: Validate max_failures assert: that: - max_failures | int == max_failures_default_value success_msg: "{{ max_failures_success_msg }}" fail_msg: "{{ max_failures_fail_msg }}" - name: Validate failure_reset_interval assert: that: - failure_reset_interval | int - failure_reset_interval | int <= failure_reset_interval_max_value - failure_reset_interval | int >= failure_reset_interval_min_value success_msg: "{{ failure_reset_interval_success_msg }}" fail_msg: "{{ failure_reset_interval_fail_msg }}" - name: Validate lockout_duration assert: that: - lockout_duration | int - lockout_duration | int <= lockout_duration_max_value - lockout_duration | int >= lockout_duration_min_value success_msg: "{{ lockout_duration_success_msg }}" fail_msg: "{{ lockout_duration_fail_msg }}" - name: Validate session_timeout assert: that: - session_timeout | int - session_timeout | int <= session_timeout_max_value - session_timeout | int >= session_timeout_min_value success_msg: "{{ session_timeout_success_msg }}" fail_msg: "{{ session_timeout_fail_msg }}" - name: Validate alert_email_address assert: that: - email_search_key in alert_email_address - alert_email_address | length < email_max_length success_msg: "{{ alert_email_success_msg }}" fail_msg: "{{ alert_email_fail_msg }}" when: alert_email_address | length > 1 - name: Warning - alert_email_address is empty debug: msg: "{{ alert_email_warning_msg }}" when: alert_email_address | length < 1 - name: Prepare user list set_fact: user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}" when: user | length > 1 - name: validate user assert: that: - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or item is regex("(?!-)[a-zA-Z]+[0-9-]*$") success_msg: "{{ user_success_msg }}" fail_msg: "{{ user_fail_msg }}" with_items: "{{ user_list }}" when: - user | length > 1 - name: Validate allow_deny assert: that: - allow_deny == 'Allow' or allow_deny == 'Deny' success_msg: "{{ allow_deny_success_msg }}" fail_msg: "{{ allow_deny_fail_msg }}" - name: Assert restrict_program_support assert: that: - restrict_program_support == true or restrict_program_support == false success_msg: "{{ restrict_program_support_success_msg }}" fail_msg: "{{ restrict_program_support_failure_msg }}" - name: Initialize variables for restrict_softwares set_fact: restrict_program_status: false disable_services: [] - block: - name: The services needs to be disabled are appending to list set_fact: services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}" - name: Assert restrict_softwares variable assert: that: - item == 'telnet' or item == 'lpd' or item == 'bluetooth' or item == 'rlogin' or item == 'rexec' success_msg: "{{ restrict_softwares_success_msg }}" fail_msg: "{{ restrict_softwares_failure_msg }}" failed_when: false with_items: "{{ services_list }}" - name: Creating a list for disabling services set_fact: disable_services: "{{ disable_services + [ item ] }}" when: - item == 'telnet' or item == 'lpd' or item == 'bluetooth' or item == 'rlogin' or item == 'rexec' with_items: "{{ services_list }}" - name: Setting restrict_program_status set_fact: restrict_program_status: true when: - disable_services | length > 0 when: restrict_program_support