Add RHEL-07-010270 (ssh - empty password)

This patch adds the tasks and documentation for RHEL-07-010270. Implements: blueprint security-rhel7-stig Change-Id: I6af1d6f188f7244c261c3c847f2056f293023eca
2016-10-31 14:01:15 -05:00 · 2016-10-31 14:01:15 -05:00 · 0637257c60
commit 0637257c60
parent bc9cc7b13b
5 changed files with 87 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -384,8 +384,12 @@ security_unattended_upgrades_notifications: false

 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
-security_disallow_blank_password_login: yes             # RHEL-07-010260
+security_disallow_blank_password_login: yes                  # RHEL-07-010260

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: yes                # RHEL-07-010010
+security_reset_perm_ownership: yes                           # RHEL-07-010010
+
+## ssh server (sshd)
+# Prevent users from logging in over ssh if they have an empty password.
+security_sshd_disallow_empty_password: yes                   # RHEL-07-010270
--- a/doc/metadata/rhel7/RHEL-07-010270.rst
+++ b/doc/metadata/rhel7/RHEL-07-010270.rst
@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010270
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---

-This STIG requirement is not yet implemented.
+The ``PermitEmptyPasswords`` configuration will be set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd will be restarted. This disallows logins over
+ssh for users with a empty or null password set.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disallow_empty_password: no
--- a/doc/metadata/rhel7/RHEL-07-010440.rst
+++ b/doc/metadata/rhel7/RHEL-07-010440.rst
@ -1,7 +1,8 @@
 ---
 id: RHEL-07-010440
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---

-This STIG requirement is not yet implemented.
+The tasks for :ref:`stig-RHEL-07-010270` disable logins for accounts with empty
+passwords. No other action is needed for this STIG requirement.
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@ -62,6 +62,10 @@
  tags:
    - rpm

+- include: sshd.yml
+  tags:
+    - sshd
+
 - name: Remove the temporary directory
  file:
    path: "{{ temp_dir }}"
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Adding additional sshd configuration options is usually easy, but if a
+# configuration file ends with certain configurations, like a "Match" stanza,
+# we need a blank line to separate those configurations from the ones that
+# are added by the security role. For that reason, we check for the existence
+# of a marker line here and add a marker line to the file if it doesn't exist.
+
+- name: Check for security role marker in sshd_config
+  command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
+  register: sshd_marker_check
+  changed_when: False
+  always_run: True
+  failed_when: False
+
+# Check for "Match" stanzas in the sshd_config.
+- name: Check for Match stanzas in sshd_config
+  command: "grep '^Match' /etc/ssh/sshd_config"
+  register: sshd_match_check
+  changed_when: False
+  always_run: True
+  failed_when: False
+
+# If the marker is missing, and "Match" stanzas are present, we must carefully
+# add a marker line above any "Match" stanzas in the configuration file. This
+# is done by finding the first match with sed and then adding a marker
+# line above it.
+- name: Add security role marker with sed above Match stanza
+  shell: |
+    sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
+  when:
+    - sshd_marker_check.rc != 0
+    - sshd_match_check.rc == 0
+
+- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
+  lineinfile:
+    state: present
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitEmptyPasswords'
+    line: 'PermitEmptyPasswords no'
+    insertafter: "^# openstack-ansible-security configurations"
+    validate: '/usr/sbin/sshd -T -f %s'
+  when:
+    - security_sshd_disallow_empty_password | bool
+  notify:
+    - restart ssh
+  tags:
+    - high
+    - RHEL-07-010270