Merge "Adjusting commonly failing tasks"

defaults/main.yml

@@ -167,7 +167,7 @@ action_mail_acct: root                            # V-38680
 # **IMMENENT DANGER**
 admin_space_left_action: SUSPEND                  # V-54381
 
-## Authentication
+## Password complexity and aging
 # V-38475 - There is no password length requirement by default in Ubuntu
 # 14.04. To set a password length requirement, uncomment
 # password_minimum_length below. The STIG recommendation is 14 characters.
@@ -231,7 +231,13 @@ disable_ipv6: no                                  # V-38546
 # necessary. Set this variable to 'no' to skip this change.
 disable_core_dumps: yes                           # V-38675
 
-## Fail2ban
+## PAM and authentication
+# V-38497 requires that accounts with null passwords aren't allowed to
+# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
+# documentation for V-38497 for more details. Set the variable below to 'yes'
+# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
+# leave the PAM configuration unaltered.
+pam_remove_nullok: yes                             # V-38497
 # V-38501 requires that failed login attempts must lock a user account using
 # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
 # can be installed to lock out IP addresses with failed logins for 15 minutes.
@@ -241,6 +247,16 @@ install_fail2ban: no                               # V-38501
 # to set the time an IP is banned by fail2ban (in seconds).
 fail2ban_bantime: 900                              # V-38501
 
+## sudo
+# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
+# sudoers files since they could lead to a compromise. Set the following
+# variables to 'yes' to comment out any lines found with these prohibited
+# parameters or leave them set to 'no' (the default) to leave sudoers files
+# unaltered. Deployers are urged to review the documentation for this STIG
+# before making changes.
+sudoers_remove_nopasswd: no                        # V-58901
+sudoers_remove_authenticate: no                    # V-58901
+
 ## AIDE
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.

doc/source/developer-notes/V-38497.rst

@@ -1,5 +1,17 @@
-Making adjustments to PAM configuration can be **very dangerous** for a
-production system, so the Ansible task runs a check for text matching
-``nullok`` in ``/etc/pam.d/common-auth`` (different than
-``/etc/pam.d/system-auth`` found in RHEL 6) and prints a warning if it is
-found.
+Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by
+default. This STIG requires that those login attempts are blocked.
+
+In Ubuntu, this functionality is controlled by the ``nullok_secure`` parameter
+found in ``/etc/pam.d/common-auth``.  The Ansible task for this STIG will
+remove the ``nullok_secure`` from the PAM configuration file.  The effects of
+the change are immediate and no service restarts are required.
+
+However, deployers can opt-out of this change by adjusting an Ansible variable:
+
+.. code-block:: yaml
+
+    pam_remove_nullok: yes
+
+Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
+remove the ``nullok_secure`` parameter while setting the variable to ``no``
+will leave the PAM configuration unchanged.

doc/source/developer-notes/V-58901.rst

@@ -1,3 +1,22 @@
-The Ansible tasks will search for ``NOPASSWD`` and ``!authenticate`` in the
-sudo configuration. If either is found, the playbook will fail and an error
-message will be printed.
+This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
+the sudoers configuration files. Using these directives reduces the security
+of the system.
+
+``NOPASSWD`` allows users to run commands as root without providing a password
+first. Using ``!authenticate`` with the ``Defaults`` directive will disable
+password usage for any users which use ``sudo``.
+
+There are two configuration options for handling these changes. By default,
+both of these options are set to ``no``, which means that the sudoers
+configuration files will not be altered:
+
+.. code-block:: yaml
+
+    sudoers_remove_nopasswd: no
+    sudoers_remove_authenticate: no
+
+Setting ``sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible tasks to
+search for any lines containing ``NOPASSWD`` and comment them out of the
+configuration. Setting ``sudoers_remove_authenticate`` will do the same
+actions on lines containing ``!authenticate``. Lines that are already
+commented will be left unaltered.

tasks/auth.yml

@@ -89,22 +89,14 @@
 # RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
 # /etc/pam.d/common-auth
 - name: V-38497 - The system must not have accounts configured with blank or null passwords.
-  command: grep nullok /etc/pam.d/common-auth
-  register: v38497_result
-  changed_when: False
-  failed_when: False
-  always_run: True
-  tags:
-    - auth
-    - cat1
-    - V-38497
-
-# Print a warning about making a change.  We ought to figure out a better way
-# to capture this later.
-- name: V-38497 - The system must not have accounts configured with blank or null passwords.
-  fail:
-    msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
-  when: not check_mode and v38497_result.rc == 0
+  lineinfile:
+    dest: /etc/pam.d/common-auth
+    state: present
+    regexp: "^(.*)nullok_secure(.*)$"
+    line: '\1\2'
+    backup: yes
+    backrefs: yes
+  when: pam_remove_nullok | bool
   tags:
     - auth
     - cat1
@@ -383,34 +375,33 @@
     - cat3
     - V-38683
 
-- name: Checking for NOPASSWD in sudoers (for V-58901)
-  shell: "egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*"
-  register: v58901_nopasswd_result
-  changed_when: False
-  failed_when: v58901_nopasswd_result.rc > 1
+# This should be updated to use the find module when Ansible 2.0 is available.
+- name: Search for sudoers files (for V-58901)
+  shell: find /etc/sudoers* -type f
+  register: v58901_result
   always_run: True
   tags:
     - auth
     - cat2
     - V-58901
 
-- name: Checking for !authenticate in sudoers (for V-58901)
-  shell: "egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*"
-  register: v58901_authenticate_result
-  changed_when: False
-  failed_when: v58901_authenticate_result.rc > 1
-  always_run: True
+# The lineinfile module can't be used here since we may need to comment out
+# multiple lines.
+- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
+  shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
+  with_items: v58901_result.stdout_lines
+  when: sudoers_remove_nopasswd | bool
   tags:
     - auth
     - cat2
     - V-58901
 
-- name: V-58901 - The sudo command must require authentication
-  fail:
-    msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
-  when: >
-    not check_mode
-    and (v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0)
+# The lineinfile module can't be used here since we may need to comment out
+# multiple lines.
+- name: Comment out sudoers lines with !authenticate present (for V-58901)
+  shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
+  with_items: v58901_result.stdout_lines
+  when: sudoers_remove_authenticate | bool
   tags:
     - auth
     - cat2