From 0637257c60a667c439ec13d09c1b624677e72abc Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 31 Oct 2016 14:01:15 -0500
Subject: [PATCH] Add RHEL-07-010270 (ssh - empty password)

This patch adds the tasks and documentation for RHEL-07-010270.

Implements: blueprint security-rhel7-stig
Change-Id: I6af1d6f188f7244c261c3c847f2056f293023eca
---
 defaults/main.yml | 8 +++-
 doc/metadata/rhel7/RHEL-07-010270.rst | 14 ++++--
 doc/metadata/rhel7/RHEL-07-010440.rst | 7 +--
 tasks/rhel7stig/main.yml | 4 ++
 tasks/rhel7stig/sshd.yml | 62 +++++++++++++++++++++++++++
 5 files changed, 87 insertions(+), 8 deletions(-)
 create mode 100644 tasks/rhel7stig/sshd.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 5bd8bcad..bd9e1167 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -384,8 +384,12 @@ security_unattended_upgrades_notifications: false
 
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
-security_disallow_blank_password_login: yes # RHEL-07-010260
+security_disallow_blank_password_login: yes # RHEL-07-010260
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: yes # RHEL-07-010010
+security_reset_perm_ownership: yes # RHEL-07-010010
+
+## ssh server (sshd)
+# Prevent users from logging in over ssh if they have an empty password.
+security_sshd_disallow_empty_password: yes # RHEL-07-010270
diff --git a/doc/metadata/rhel7/RHEL-07-010270.rst b/doc/metadata/rhel7/RHEL-07-010270.rst
index c995ef78..6d038fc7 100644
--- a/doc/metadata/rhel7/RHEL-07-010270.rst
+++ b/doc/metadata/rhel7/RHEL-07-010270.rst
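Review bot: The `-`/`+` pairs for `security_disallow_blank_password_login` and `security_reset_perm_ownership` appear to differ only in whitespace (presumably the trailing STIG comments were re-aligned to the longer new key), which adds blame churn to two lines this change does not otherwise touch. If the re-alignment is wanted, it reads better as a separate whitespace-only commit; otherwise leave those two lines as they were and add only the `## ssh server (sshd)` stanza. The new `security_sshd_disallow_empty_password: yes` default follows the file's existing `yes` convention, so no change is needed there.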
@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010270
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``PermitEmptyPasswords`` configuration will be set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd will be restarted. This disallows logins over
+ssh for users with a empty or null password set.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_sshd_disallow_empty_password: no
diff --git a/doc/metadata/rhel7/RHEL-07-010440.rst b/doc/metadata/rhel7/RHEL-07-010440.rst
index 2275921a..2cd64428 100644
--- a/doc/metadata/rhel7/RHEL-07-010440.rst
+++ b/doc/metadata/rhel7/RHEL-07-010440.rst
@@ -1,7 +1,8 @@
 ---
 id: RHEL-07-010440
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The tasks for :ref:`stig-RHEL-07-010270` disable logins for accounts with empty
+passwords. No other action is needed for this STIG requirement.
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 8fe0aec6..3a9a94c5 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -62,6 +62,10 @@
 tags:
 - rpm
 
+- include: sshd.yml
+ tags:
+ - sshd
+
 - name: Remove the temporary directory
 file:
 path: "{{ temp_dir }}"
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
new file mode 100644
index 00000000..bd04277b
--- /dev/null
+++ b/tasks/rhel7stig/sshd.yml
@@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Adding additional sshd configuration options is usually easy, but if a
+# configuration file ends with certain configurations, like a "Match" stanza,
+# we need a blank line to separate those configurations from the ones that
+# are added by the security role. For that reason, we check for the existence
+# of a marker line here and add a marker line to the file if it doesn't exist.
+
+- name: Check for security role marker in sshd_config
+ command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
+ register: sshd_marker_check
+ changed_when: False
+ always_run: True
+ failed_when: False
+
+# Check for "Match" stanzas in the sshd_config.
+- name: Check for Match stanzas in sshd_config
+ command: "grep '^Match' /etc/ssh/sshd_config"
+ register: sshd_match_check
+ changed_when: False
+ always_run: True
+ failed_when: False
+
+# If the marker is missing, and "Match" stanzas are present, we must carefully
+# add a marker line above any "Match" stanzas in the configuration file. This
+# is done by finding the first match with sed and then adding a marker
+# line above it.
+- name: Add security role marker with sed above Match stanza
+ shell: |
+ sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
+ when:
+ - sshd_marker_check.rc != 0
+ - sshd_match_check.rc == 0
+
+- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
+ lineinfile:
+ state: present
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitEmptyPasswords'
+ line: 'PermitEmptyPasswords no'
+ insertafter: "^# openstack-ansible-security configurations"
+ validate: '/usr/sbin/sshd -T -f %s'
+ when:
+ - security_sshd_disallow_empty_password | bool
+ notify:
+ - restart ssh
+ tags:
+ - high
+ - RHEL-07-010270
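Review bot: The marker bootstrap tasks at the top of this new file (`Check for security role marker in sshd_config`, `Check for Match stanzas in sshd_config` and `Add security role marker with sed above Match stanza`) carry no `when` on `security_sshd_disallow_empty_password`, so a deployer who opts out as the RHEL-07-010270 doc describes still has `/etc/ssh/sshd_config` rewritten in place by `sed -i` (and, with no `changed_when`, reported as changed) for a control that is otherwise disabled. Adding `- security_sshd_disallow_empty_password | bool` to the `when` list of the sed task keeps the opt-out complete; if the marker is meant to be shared by further sshd tasks later, a comment such as `# The marker is added whenever any sshd control is enabled; extend this when list as controls are added.` would record that intent. A second, smaller point: `lineinfile` replaces the last line matching `regexp`, so if an existing `PermitEmptyPasswords` directive lives inside a `Match` block the global setting is left untouched, and `validate: '/usr/sbin/sshd -T -f %s'` checks syntax only and would not surface that. A comment stating the assumption that any pre-existing directive is global would make the limitation visible to the next maintainer.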