V-38501, V-38573: Disable accounts after failed logins

This requirement is not easily translated for Ubuntu 14.04. As a mitigation, fail2ban will be installed and configured to block IP addresses with failed login attempts for 15 minutes. Change-Id: Icb469896c55acc8b18dfb64ebf642fe7d48e86fc
2015-10-07 11:10:44 -05:00 · 2015-10-07 11:10:44 -05:00 · 4506933796
commit 4506933796
parent 8c3a88a008
6 changed files with 88 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -218,3 +218,13 @@ disable_ipv6: no                                  # V-38546
 # V-38675 requires disabling core dumps for all users unless absolutely
 # necessary. Set this variable to 'no' to skip this change.
 disable_core_dumps: yes                           # V-38675
+
+## Fail2ban
+# V-38501 requires that failed login attempts must lock a user account using
+# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
+# can be installed to lock out IP addresses with failed logins for 15 minutes.
+# Set the variable below to 'yes' to install and configure fail2ban.
+install_fail2ban: no                               # V-38501
+# The STIG requires bans to last 15 minutes. Adjust the following variable
+# to set the time an IP is banned by fail2ban (in seconds).
+fail2ban_bantime: 900                              # V-38501
--- a/doc/source/developer-notes/V-38501.rst
+++ b/doc/source/developer-notes/V-38501.rst
@ -0,0 +1,40 @@
+**Exception and opt-in alternative**
+
+Adjusting PAM configurations is very risky since it affects how all users
+authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
+
+Another option is to utilize ``pam_tally`` to deny logins after failed
+attempts. Adjusting PAM configurations automatically can disrupt the operation
+of production systems, so this is left up to the deployer to configure.
+For more details on how to configure ``pam_tally``, refer to `this AskUbuntu
+article about pam_tally`_.
+
+Another alternative is `fail2ban`_. Read the notes below for more tails on
+this option.
+
+The Ansible tasks will install `fail2ban`_ and configure it to ban IP
+addresses using the following logic
+
+* The IP has attempted three logins in the last 10 minutes and all have failed
+* That IP will be banned for 15 minutes (via iptables rules)
+
+Deployers must opt-in for fail2ban to be installed and configured. To opt-in,
+set the ``install_fail2ban`` Ansible variable to ``yes``. The time period for
+bans can also be configured (in seconds) via tha ``fail2ban_bantime``
+variable:
+
+.. code-block:: yaml
+
+    install_fail2ban: yes
+    fail2ban_bantime: 900
+
+**NOTE:** Fail2ban can only review authentication attempts for services that
+listen on the network, such as ssh. It has no control over physical consoles.
+Deployers are strongly urged to use stong physical security policies to
+prevent unauthorized users from accessing server consoles. In addition,
+deployers must secure out-of-band access methods, like IPMI, as they can be
+vectors for physical console access as well.
+
+.. _this AskUbuntu article about pam_tally: http://askubuntu.com/questions/59459/how-do-i-enable-account-lockout-using-pam-tally
+.. _fail2ban: https://en.wikipedia.org/wiki/Fail2ban
+
--- a/doc/source/developer-notes/V-38573.rst
+++ b/doc/source/developer-notes/V-38573.rst
@ -0,0 +1 @@
+V-38501.rst
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -24,6 +24,11 @@
    name: chrony
    state: restarted

+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+
 - name: restart postfix
  service:
    name: postfix
--- a/openstack-ansible-security/templates/jail.local.j2
+++ b/openstack-ansible-security/templates/jail.local.j2
@ -0,0 +1,5 @@
+# File added by openstack-ansible-security for RHEL 6 STIG V-38501
+
+[DEFAULT]
+# "bantime" is the number of seconds that a host is banned.
+bantime  = {{ fail2ban_bantime }}
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -153,6 +153,33 @@
    - cat2
    - V-38500

+# Opt-in required for fail2ban (see documentation and defaults/main.yml)
+# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
+# for ssh-based authentication. See the documentation for details.
+- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
+  apt:
+    name: fail2ban
+    state: present
+  when: install_fail2ban | bool
+  tags:
+    - auth
+    - cat2
+    - V-38501
+
+# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
+# Yes, the bantime we want to modify has two spaces before the equal sign.
+- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
+  template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.d/jail.local
+  when: install_fail2ban | bool
+  notify:
+    - restart fail2ban
+  tags:
+    - auth
+    - cat2
+    - V-38501
+
 - name: V-38591 - Remove rshd
  apt:
    name: rsh-server