From ec50013f55b2d4fc0a01be0499f08534e6172ff2 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 1 Dec 2015 12:24:54 -0600
Subject: [PATCH] Adjusting commonly failing tasks

This patch takes two commonly failing tasks and configures them to be fixed if a variable is toggled on. This is needed for gate checks to pass for ansible-functional runs.

Closes-bug: 1521233
Change-Id: I4f54ef7af30d530f781d60ce232cc6aacda81ce4
---
 defaults/main.yml | 20 ++++++++-
 doc/source/developer-notes/V-38497.rst | 22 +++++++---
 doc/source/developer-notes/V-58901.rst | 25 +++++++++-
 tasks/auth.yml | 57 +++++++++++---------------
 4 files changed, 81 insertions(+), 43 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 2cff74ea..d860b1d8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -167,7 +167,7 @@ action_mail_acct: root # V-38680
 # **IMMENENT DANGER**
 admin_space_left_action: SUSPEND # V-54381
 
-## Authentication
+## Password complexity and aging
 # V-38475 - There is no password length requirement by default in Ubuntu
 # 14.04. To set a password length requirement, uncomment
 # password_minimum_length below. The STIG recommendation is 14 characters.
@@ -231,7 +231,13 @@ disable_ipv6: no # V-38546
 # necessary. Set this variable to 'no' to skip this change.
 disable_core_dumps: yes # V-38675
 
-## Fail2ban
+## PAM and authentication
+# V-38497 requires that accounts with null passwords aren't allowed to
+# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
+# documentation for V-38497 for more details. Set the variable below to 'yes'
+# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to
+# leave the PAM configuration unaltered.
+pam_remove_nullok: yes # V-38497
 # V-38501 requires that failed login attempts must lock a user account using
 # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
 # can be installed to lock out IP addresses with failed logins for 15 minutes.
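Review bot: `pam_remove_nullok: yes` makes the role edit /etc/pam.d/common-auth on every host by default, where it previously only warned, and the comment above the variable never says that the default is on; a deployer upgrading the role gets the PAM change without opting in. I would add to the comment: `# NOTE: this defaults to 'yes', so the role edits /etc/pam.d/common-auth unless you set it to 'no'.` The comment also promises removal of 'nullok_secure' only; a bare 'nullok' token, which the deleted grep check also caught, is not mentioned, so the comment should state which spellings are handled.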
@@ -241,6 +247,16 @@ install_fail2ban: no # V-38501
 # to set the time an IP is banned by fail2ban (in seconds).
 fail2ban_bantime: 900 # V-38501
 
+## sudo
+# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any
+# sudoers files since they could lead to a compromise. Set the following
+# variables to 'yes' to comment out any lines found with these prohibited
+# parameters or leave them set to 'no' (the default) to leave sudoers files
+# unaltered. Deployers are urged to review the documentation for this STIG
+# before making changes.
+sudoers_remove_nopasswd: no # V-58901
+sudoers_remove_authenticate: no # V-58901
+
 ## AIDE
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.
diff --git a/doc/source/developer-notes/V-38497.rst b/doc/source/developer-notes/V-38497.rst
index 8c4bc5fc..047a2bca 100644
--- a/doc/source/developer-notes/V-38497.rst
+++ b/doc/source/developer-notes/V-38497.rst
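Review bot: With both variables at their `no` default the role neither edits nor reports anything for V-58901, because the failing check this commit deletes from tasks/auth.yml was the only detection; the comment says the files are left "unaltered" but not that the finding now goes unreported. I would add: `# NOTE: with both set to 'no' the role does not check for these parameters either; audit sudoers separately.` The phrase "could lead to a compromise" is also vague — `NOPASSWD` lets the listed users run their sudo commands without entering a password and `Defaults !authenticate` does so for everyone, which is the actual risk worth stating.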
@@ -1,5 +1,17 @@
-Making adjustments to PAM configuration can be **very dangerous** for a
-production system, so the Ansible task runs a check for text matching
-``nullok`` in ``/etc/pam.d/common-auth`` (different than
-``/etc/pam.d/system-auth`` found in RHEL 6) and prints a warning if it is
-found.
+Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by
+default. This STIG requires that those login attempts are blocked.
+
+In Ubuntu, this functionality is controlled by the ``nullok_secure`` parameter
+found in ``/etc/pam.d/common-auth``. The Ansible task for this STIG will
+remove the ``nullok_secure`` from the PAM configuration file. The effects of
+the change are immediate and no service restarts are required.
+
+However, deployers can opt-out of this change by adjusting an Ansible variable:
+
+.. code-block:: yaml
+
+ pam_remove_nullok: yes
+
+Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
+remove the ``nullok_secure`` parameter while setting the variable to ``no``
+will leave the PAM configuration unchanged.
diff --git a/doc/source/developer-notes/V-58901.rst b/doc/source/developer-notes/V-58901.rst
index 779c172d..2ba15a48 100644
--- a/doc/source/developer-notes/V-58901.rst
+++ b/doc/source/developer-notes/V-58901.rst
@@ -1,3 +1,22 @@
-The Ansible tasks will search for ``NOPASSWD`` and ``!authenticate`` in the
-sudo configuration. If either is found, the playbook will fail and an error
-message will be printed.
+This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
+the sudoers configuration files. Using these directives reduces the security
+of the system.
+
+``NOPASSWD`` allows users to run commands as root without providing a password
+first. Using ``!authenticate`` with the ``Defaults`` directive will disable
+password usage for any users which use ``sudo``.
+
+There are two configuration options for handling these changes. By default,
+both of these options are set to ``no``, which means that the sudoers
+configuration files will not be altered:
+
+.. code-block:: yaml
+
+ sudoers_remove_nopasswd: no
+ sudoers_remove_authenticate: no
+
+Setting ``sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible tasks to
+search for any lines containing ``NOPASSWD`` and comment them out of the
+configuration. Setting ``sudoers_remove_authenticate`` will do the same
+actions on lines containing ``!authenticate``. Lines that are already
+commented will be left unaltered.
diff --git a/tasks/auth.yml b/tasks/auth.yml
index 7e86c673..a77bb7cf 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -89,22 +89,14 @@
 # RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
 # /etc/pam.d/common-auth
 - name: V-38497 - The system must not have accounts configured with blank or null passwords.
- command: grep nullok /etc/pam.d/common-auth
- register: v38497_result
- changed_when: False
- failed_when: False
- always_run: True
- tags:
- - auth
- - cat1
- - V-38497
-
-# Print a warning about making a change. We ought to figure out a better way
-# to capture this later.
-- name: V-38497 - The system must not have accounts configured with blank or null passwords.
- fail:
- msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
- when: not check_mode and v38497_result.rc == 0
+ lineinfile:
+ dest: /etc/pam.d/common-auth
+ state: present
+ regexp: "^(.*)nullok_secure(.*)$"
+ line: '\1\2'
+ backup: yes
+ backrefs: yes
+ when: pam_remove_nullok | bool
 tags:
 - auth
 - cat1
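Review bot: The new `regexp: "^(.*)nullok_secure(.*)$"` on the V-38497 lineinfile task is narrower than the check it replaces — the deleted task grepped for `nullok`, so a bare `nullok` on the pam_unix line, the other spelling that permits empty passwords, is now left in place without any warning. Because `(.*)` may contain `#`, a commented line that mentions nullok_secure also matches, and since `backrefs: yes` makes lineinfile rewrite only the last matching line, such a comment placed after the directive would be edited instead of the directive itself. Both are addressed by keeping the match off commented text and accepting either spelling: `regexp: '^([^#]*)\bnullok(_secure)?\b(.*)$'` with `line: '\1\3'`. With `backrefs: yes` nothing is appended when there is no match, so the task stays safe on an already-clean file.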
@@ -383,34 +375,33 @@
 - cat3
 - V-38683
 
-- name: Checking for NOPASSWD in sudoers (for V-58901)
- shell: "egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*"
- register: v58901_nopasswd_result
- changed_when: False
- failed_when: v58901_nopasswd_result.rc > 1
+# This should be updated to use the find module when Ansible 2.0 is available.
+- name: Search for sudoers files (for V-58901)
+ shell: find /etc/sudoers* -type f
+ register: v58901_result
 always_run: True
 tags:
 - auth
 - cat2
 - V-58901
 
-- name: Checking for !authenticate in sudoers (for V-58901)
- shell: "egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*"
- register: v58901_authenticate_result
- changed_when: False
- failed_when: v58901_authenticate_result.rc > 1
- always_run: True
+# The lineinfile module can't be used here since we may need to comment out
+# multiple lines.
+- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
+ shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
+ with_items: v58901_result.stdout_lines
+ when: sudoers_remove_nopasswd | bool
 tags:
 - auth
 - cat2
 - V-58901
 
-- name: V-58901 - The sudo command must require authentication
- fail:
- msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
- when: >
- not check_mode
- and (v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0)
+# The lineinfile module can't be used here since we may need to comment out
+# multiple lines.
+- name: Comment out sudoers lines with !authenticate present (for V-58901)
+ shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
+ with_items: v58901_result.stdout_lines
+ when: sudoers_remove_authenticate | bool
 tags:
 - auth
 - cat2
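Review bot: The two `sed ... -i {{ item }}` tasks rewrite each sudoers file without validating the result, and a sudoers entry may span physical lines with a trailing backslash; commenting out one line of such an entry leaves a parse error, after which sudo refuses every command on the host — on a hardening role that is an admin lockout. Each file should be checked with `visudo -cf` after the edit and restored from a copy when the check fails. None of the three new tasks has `changed_when`, so the find and both sed tasks report changed on every run, and the `s/^#*/#/` substitution also rewrites an existing `##` comment to `#`, which the V-58901 doc in this same commit says does not happen; the rewrite below limits the address to uncommented lines and derives changed/failed from exit codes. The `!authenticate` task needs the same treatment, its tag list continues past the end of the hunk, and the `~`-suffixed copy is ignored by sudo in sudoers.d so it cannot be picked up as policy.
```yaml
- name: Search for sudoers files (for V-58901)
  shell: find /etc/sudoers* -type f
  register: v58901_result
  changed_when: False
  always_run: True
# … unchanged: tags …

- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
  shell: >
    cp -p {{ item }} {{ item }}~ &&
    sed -e '/^[^#]*NOPASSWD/ s/^/#/' -i {{ item }} &&
    { visudo -cf {{ item }} || { mv {{ item }}~ {{ item }}; exit 2; }; } &&
    ! cmp -s {{ item }} {{ item }}~
  register: v58901_nopasswd_edit
  changed_when: v58901_nopasswd_edit.rc == 0
  failed_when: v58901_nopasswd_edit.rc > 1
  with_items: v58901_result.stdout_lines
  when: sudoers_remove_nopasswd | bool
# … unchanged: tags and the !authenticate task …
```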