V-38501, V-38573: Disable accounts after failed logins

This requirement is not easily translated for Ubuntu 14.04. As a mitigation, fail2ban will be installed and configured to block IP addresses with failed login attempts for 15 minutes. Change-Id: Icb469896c55acc8b18dfb64ebf642fe7d48e86fc
2015-10-07 11:10:44 -05:00 · 2015-10-07 11:10:44 -05:00 · 4506933796
commit 4506933796
parent 8c3a88a008
6 changed files with 88 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -218,3 +218,13 @@ disable_ipv6: no                                  # V-38546
 # V-38675 requires disabling core dumps for all users unless absolutely
 # necessary. Set this variable to 'no' to skip this change.
 disable_core_dumps: yes                           # V-38675
 ## Fail2ban
 # V-38501 requires that failed login attempts must lock a user account using
 # pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban
 # can be installed to lock out IP addresses with failed logins for 15 minutes.
 # Set the variable below to 'yes' to install and configure fail2ban.
 install_fail2ban: no                               # V-38501
 # The STIG requires bans to last 15 minutes. Adjust the following variable
 # to set the time an IP is banned by fail2ban (in seconds).
 fail2ban_bantime: 900                              # V-38501
--- a/doc/source/developer-notes/V-38501.rst
+++ b/doc/source/developer-notes/V-38501.rst
@ -0,0 +1,40 @@
 **Exception and opt-in alternative**
 Adjusting PAM configurations is very risky since it affects how all users
 authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
 Another option is to utilize ``pam_tally`` to deny logins after failed
 attempts. Adjusting PAM configurations automatically can disrupt the operation
 of production systems, so this is left up to the deployer to configure.
 For more details on how to configure ``pam_tally``, refer to `this AskUbuntu
 article about pam_tally`_.
 Another alternative is `fail2ban`_. Read the notes below for more tails on
 this option.
 The Ansible tasks will install `fail2ban`_ and configure it to ban IP
 addresses using the following logic
 * The IP has attempted three logins in the last 10 minutes and all have failed
 * That IP will be banned for 15 minutes (via iptables rules)
 Deployers must opt-in for fail2ban to be installed and configured. To opt-in,
 set the ``install_fail2ban`` Ansible variable to ``yes``. The time period for
 bans can also be configured (in seconds) via tha ``fail2ban_bantime``
 variable:
 .. code-block:: yaml
    install_fail2ban: yes
    fail2ban_bantime: 900
 **NOTE:** Fail2ban can only review authentication attempts for services that
 listen on the network, such as ssh. It has no control over physical consoles.
 Deployers are strongly urged to use stong physical security policies to
 prevent unauthorized users from accessing server consoles. In addition,
 deployers must secure out-of-band access methods, like IPMI, as they can be
 vectors for physical console access as well.
 .. _this AskUbuntu article about pam_tally: http://askubuntu.com/questions/59459/how-do-i-enable-account-lockout-using-pam-tally
 .. _fail2ban: https://en.wikipedia.org/wiki/Fail2ban
--- a/doc/source/developer-notes/V-38573.rst
+++ b/doc/source/developer-notes/V-38573.rst
@ -0,0 +1 @@
 V-38501.rst
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -24,6 +24,11 @@
    name: chrony
    state: restarted
 - name: restart fail2ban
  service:
    name: fail2ban
    state: restarted
 - name: restart postfix
  service:
    name: postfix
--- a/openstack-ansible-security/templates/jail.local.j2
+++ b/openstack-ansible-security/templates/jail.local.j2
@ -0,0 +1,5 @@
 # File added by openstack-ansible-security for RHEL 6 STIG V-38501
 [DEFAULT]
 # "bantime" is the number of seconds that a host is banned.
 bantime  = {{ fail2ban_bantime }}
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -153,6 +153,33 @@
    - cat2
    - V-38500
 # Opt-in required for fail2ban (see documentation and defaults/main.yml)
 # Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
 # for ssh-based authentication. See the documentation for details.
 - name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
  apt:
    name: fail2ban
    state: present
  when: install_fail2ban | bool
  tags:
    - auth
    - cat2
    - V-38501
 # Ban the offending IP for 15 minutes to meet the spirit of the STIG.
 # Yes, the bantime we want to modify has two spaces before the equal sign.
 - name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.d/jail.local
  when: install_fail2ban | bool
  notify:
    - restart fail2ban
  tags:
    - auth
    - cat2
    - V-38501
 - name: V-38591 - Remove rshd
  apt:
    name: rsh-server