RONCC
/
Dell-Omnia-Clusters-HPC-AI


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241
							# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Include security variable file security_vars.yml
  include_vars: "{{ security_vars_filename }}"
  no_log: true
  tags: init

- name: Validate input parameters of security vars are not empty
  fail:
    msg: "{{ input_security_failure_msg }}"
  register: input_base_check
  tags: [ validate, security ]
  when:
    - domain_name | length < 1 or
      realm_name | length < 1

- name: Validate the domain name
  assert:
    that:
      - domain_name is regex("^(?!-)[A-Za-z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Za-z]{2,}$")
    success_msg: "{{ dom_name_success_msg }}"
    fail_msg: "{{ dom_name_fail_msg }}"
  tags: [ validate, security ]

- name: Validate the realm name
  assert:
    that:
      - realm_name is regex("^(?!-)[A-Z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Z]{2,}$")
      - '"." in realm_name'
    success_msg: "{{ realm_success_msg }}"
    fail_msg: "{{ realm_fail_msg }}"
  tags: [ validate, security ]
  
- name: Fetch the short hostname
  command: hostname -s
  register: short_hostname
  changed_when: false
  tags: security

- name: Verify the hostname is not blank in hostname
  fail:
    msg: " {{ hostname_blank_msg }}"
  when: short_hostname.stdout | length < 1
  tags: [ validate, security ]

- name: Validate the host name
  assert:
    that:
      - short_hostname.stdout is regex(("^(([a-z]|[a-z][a-z0-9\-]*[a-z0-9])\.)*([a-z]|[a-z][a-z0-9\-]*[a-z0-9])$"))
      - short_hostname.stdout != "localhost"
    success_msg: "{{ server_hostname_success }}"
    fail_msg: "{{ server_hostname_fail }}"
  tags: [ validate, security ]

- name: Fetch the domain name
  command: hostname -d
  register: domain_name_set
  changed_when: false
  failed_when: false
  tags: security

- name: Verify the domain name is not blank in hostname
  fail:
    msg: " {{ domain_name_blank_msg }}"
  when: domain_name_set.stdout | length < 1
  tags: [ validate, security ]

- name: Set fact for the domain name in hostname
  set_fact:
    ms_domain_name: "{{ domain_name_set.stdout }}"
  tags: security

- name: Validate the domain name set on the host
  assert:
    that:
      - domain_name == ms_domain_name
    success_msg: "{{ server_domain_name_success }}"
    fail_msg: "{{ server_domain_name_fail }}"
  tags: [ validate, security ]

- name: Get the hostname
  command: hostname
  register: machine_hostname
  changed_when: false
  tags: security

- name: Add host name in hosts file
  lineinfile:
    dest: "{{ hosts_file_path }}"
    line: "{{ public_ip }} {{ machine_hostname.stdout }}"
    state: present
    create: yes
    mode: "{{ hosts_file_mode }}"
  tags: [ validate, security ]

- name: Validate max_failures
  assert:
    that:
      - max_failures | int == max_failures_default_value
    success_msg: "{{ max_failures_success_msg }}"
    fail_msg: "{{ max_failures_fail_msg }}"
  tags: [ validate, security ]

- name: Validate failure_reset_interval
  assert:
    that:
      - failure_reset_interval | int
      - failure_reset_interval | int <= failure_reset_interval_max_value
      - failure_reset_interval | int >= failure_reset_interval_min_value
    success_msg: "{{ failure_reset_interval_success_msg }}"
    fail_msg: "{{ failure_reset_interval_fail_msg }}"
  tags: [ validate, security ]

- name: Validate lockout_duration
  assert:
    that:
      - lockout_duration | int
      - lockout_duration | int <= lockout_duration_max_value
      - lockout_duration | int >= lockout_duration_min_value
    success_msg: "{{ lockout_duration_success_msg }}"
    fail_msg: "{{ lockout_duration_fail_msg }}"
  tags: [ validate, security ]

- name: Validate session_timeout
  assert:
    that:
      - session_timeout | int
      - session_timeout | int <= session_timeout_max_value
      - session_timeout | int >= session_timeout_min_value
    success_msg: "{{ session_timeout_success_msg }}"
    fail_msg: "{{ session_timeout_fail_msg }}"
  tags: [ validate, security ]

- name: Validate alert_email_address
  assert:
    that:
      - email_search_key in alert_email_address
      - alert_email_address | length < email_max_length
    success_msg: "{{ alert_email_success_msg }}"
    fail_msg: "{{ alert_email_fail_msg }}"
  tags: [ validate, security ]
  when: alert_email_address | length > 1

- name: Warning - alert_email_address is empty
  debug:
    msg: "{{ alert_email_warning_msg }}"
  tags: security
  when: alert_email_address | length < 1

- name: Prepare user list
  set_fact:
    user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
  when: user | length > 1
  tags: security

- name: validate user
  assert:
    that:
      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
    success_msg: "{{ user_success_msg }}"
    fail_msg: "{{ user_fail_msg }}"
  with_items: "{{ user_list }}"
  tags: [ validate, security ]
  when:
    - user | length > 1

- name: Validate allow_deny
  assert:
    that:
      - allow_deny == 'Allow' or allow_deny == 'Deny'
    success_msg: "{{ allow_deny_success_msg }}"
    fail_msg: "{{ allow_deny_fail_msg }}"
  tags: [ validate, security ]

- name: Assert restrict_program_support
  assert:
    that:
      - restrict_program_support == true or restrict_program_support == false
    success_msg: "{{ restrict_program_support_success_msg }}"
    fail_msg: "{{ restrict_program_support_failure_msg }}"
  tags: [ validate, security ]

- name: Initialize variables for restrict_softwares
  set_fact:
    restrict_program_status: false
    disable_services: []
  tags: security

- block:
    - name: The services needs to be disabled are appending to list
      set_fact:
          services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}"
      tags: security

    - name: Assert restrict_softwares variable
      assert:
        that:
          - item == 'telnet' or
            item == 'lpd' or
            item == 'bluetooth' or
            item == 'rlogin' or
            item == 'rexec'
        success_msg: "{{ restrict_softwares_success_msg }}"
        fail_msg: "{{ restrict_softwares_failure_msg }}"
      failed_when: false
      with_items: "{{ services_list }}"
      tags: [ validate, security ]

    - name: Creating a list for disabling services
      set_fact:
          disable_services: "{{ disable_services + [ item ] }}"
      when:
        - item == 'telnet' or
          item == 'lpd' or
          item == 'bluetooth' or
          item == 'rlogin' or
          item == 'rexec'
      with_items: "{{ services_list }}"
      tags: security

    - name: Setting restrict_program_status
      set_fact:
        restrict_program_status: true
      when:
        - disable_services | length > 0
      tags: security
  when: restrict_program_support