openstack/ansible-hardening
Code Issues Proposed changes

Add RHEL-07-010270 (ssh - empty password)

Browse Source 
This patch adds the tasks and documentation for RHEL-07-010270.

Implements: blueprint security-rhel7-stig
Change-Id: I6af1d6f188f7244c261c3c847f2056f293023eca
This commit is contained in:
Major Hayden 2016-10-31 14:01:15 -05:00
parent bc9cc7b13b
commit 0637257c60
5 changed files with 87 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
defaults/main.yml
View File

@ -384,8 +384,12 @@ security_unattended_upgrades_notifications: false
## Authentication (auth) ## Authentication (auth)
# Disallow logins from accounts with blank/null passwords via PAM. # Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: yes # RHEL-07-010260 security_disallow_blank_password_login: yes # RHEL-07-010260
## File permissions (file_perms) ## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages. # Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: yes # RHEL-07-010010 security_reset_perm_ownership: yes # RHEL-07-010010
## ssh server (sshd)
# Prevent users from logging in over ssh if they have an empty password.
security_sshd_disallow_empty_password: yes # RHEL-07-010270

14
doc/metadata/rhel7/RHEL-07-010270.rst
View File

@ -1,7 +1,15 @@
--- ---
id: RHEL-07-010270 id: RHEL-07-010270
status: not implemented status: implemented
tag: misc tag: sshd
--- ---
This STIG requirement is not yet implemented. The ``PermitEmptyPasswords`` configuration will be set to ``no`` in
``/etc/ssh/sshd_config`` and sshd will be restarted. This disallows logins over
ssh for users with a empty or null password set.
Deployers can opt-out of this change by setting the following Ansible variable:
.. code-block:: yaml
security_sshd_disallow_empty_password: no

7
doc/metadata/rhel7/RHEL-07-010440.rst
View File

@ -1,7 +1,8 @@
--- ---
id: RHEL-07-010440 id: RHEL-07-010440
status: not implemented status: implemented
tag: misc tag: sshd
--- ---
This STIG requirement is not yet implemented. The tasks for :ref:`stig-RHEL-07-010270` disable logins for accounts with empty
passwords. No other action is needed for this STIG requirement.

4
tasks/rhel7stig/main.yml
View File

@ -62,6 +62,10 @@
tags: tags:
- rpm - rpm
- include: sshd.yml
tags:
- sshd
- name: Remove the temporary directory - name: Remove the temporary directory
file: file:
path: "{{ temp_dir }}" path: "{{ temp_dir }}"

62
tasks/rhel7stig/sshd.yml Normal file
View File

@ -0,0 +1,62 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Check for security role marker in sshd_config
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
register: sshd_marker_check
changed_when: False
always_run: True
failed_when: False
# Check for "Match" stanzas in the sshd_config.
- name: Check for Match stanzas in sshd_config
command: "grep '^Match' /etc/ssh/sshd_config"
register: sshd_match_check
changed_when: False
always_run: True
failed_when: False
# If the marker is missing, and "Match" stanzas are present, we must carefully
# add a marker line above any "Match" stanzas in the configuration file. This
# is done by finding the first match with sed and then adding a marker
# line above it.
- name: Add security role marker with sed above Match stanza
shell: |
sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
when:
- sshd_marker_check.rc != 0
- sshd_match_check.rc == 0
- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
when:
- security_sshd_disallow_empty_password | bool
notify:
- restart ssh
tags:
- high
- RHEL-07-010270