Major Hayden f5061fd022
Switch from dict to individual variables
The dictionary-based variables didn't work properly and this patch
changes them to individual variables. If users followed the existing
documentation, their environments will be unaffected by this change
(they are still broken).

The new variables follow the pattern `security_VARIABLENAME` which
will soon become the standard for the role to avoid variable name
collisions with other playbooks and roles.

Release notes are included with this patch.

Closes-bug: 1577944

Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f
2016-05-05 08:32:38 -05:00


---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# V-38475: enforce a minimum password length through login.defs. The task is
# skipped unless the deployer has defined password_minimum_length.
# NOTE(review): on PAM-based systems PASS_MIN_LEN is generally not honoured
# by pam_unix; confirm the PAM password stack (e.g. minlen) separately.
- name: V-38475 - Set minimum length for passwords
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MIN_LEN'
    line: 'PASS_MIN_LEN {{ password_minimum_length }}'
  tags:
    - auth
    - cat2
    - V-38475
  when: password_minimum_length is defined
# V-38477: minimum number of days between password changes (PASS_MIN_DAYS).
# Skipped unless the deployer has defined password_minimum_days.
- name: V-38477 - Set minimum time for password changes
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MIN_DAYS'
    line: 'PASS_MIN_DAYS {{ password_minimum_days }}'
  tags:
    - auth
    - cat2
    - V-38477
  when: password_minimum_days is defined
# V-38479: maximum password age (PASS_MAX_DAYS). Skipped unless the deployer
# has defined password_maximum_days. Existing accounts keep the maximum age
# they were created with; login.defs only affects newly created accounts.
- name: V-38479 - Set maximum age for passwords
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MAX_DAYS'
    line: 'PASS_MAX_DAYS {{ password_maximum_days }}'
  tags:
    - auth
    - cat2
    - V-38479
  when: password_maximum_days is defined
# V-38480: number of days of warning before a password expires
# (PASS_WARN_DAYS). Skipped unless the deployer has defined password_warn_age.
- name: V-38480 - Warn users prior to password expiration
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_WARN_DAYS'
    line: 'PASS_WARN_DAYS {{ password_warn_age }}'
  tags:
    - auth
    - cat3
    - V-38480
  when: password_warn_age is defined
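# V-38496: every default (non-root) system account must be locked.
#
# Step 1: list the system accounts. The UID < 500 cutoff comes from the
# RHEL 6 STIG.
# NOTE(review): Ubuntu reserves UIDs below 1000 for system accounts (UID_MIN
# in /etc/login.defs), so accounts with UIDs 500-999 are not examined here —
# confirm the cutoff against the target's UID_MIN.
- name: V-38496 - Get all system accounts
  shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
  register: v38496_system_users
  always_run: true
  tags:
    - auth
    - cat2
    - V-38496

# Step 2: for each system account, print its name when the password field in
# /etc/shadow does not begin with '!' or '*'. An empty password field also
# fails this test, which is correct: such an account is not locked at all.
- name: V-38496 - Loop through system accounts to find unlocked accounts
  shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
  register: v38496_unlocked_system_users
  always_run: true
  with_items: v38496_system_users.stdout_lines
  tags:
    - auth
    - cat2
    - V-38496

# Step 3: collect the account names printed above, one per line. Depending on
# the Jinja block-trimming settings the result may contain stray newlines, so
# consumers should trim it before testing for emptiness.
- name: V-38496 - Gather problematic system accounts
  set_fact:
    v38496_violations: |
      {% for i in v38496_unlocked_system_users.results %}
      {% if i.stdout|length > 0 %}
      {{ i.stdout }}
      {% endif %}
      {% endfor %}
  tags:
    - auth
    - cat2
    - V-38496

# The playbook will fail here if any default system accounts besides root are
# not locked. The violation list is trimmed before the length test so that a
# whitespace-only value (blank lines emitted by the template) cannot trigger
# a false failure.
- name: V-38496 - Default operating system accounts (other than root) must be locked
  fail:
    msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
  when: v38496_violations|trim|length > 0
  tags:
    - auth
    - cat2
    - V-38496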
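# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
# /etc/pam.d/common-auth.
#
# Remove both the plain "nullok" option and Ubuntu's "nullok_secure" variant
# from the matching pam_unix line, so that an account with an empty password
# field cannot authenticate. The match is anchored to the whole line and the
# text on either side of the option is preserved through backreferences
# (\1 = text before, \3 = text after; \2 is the optional "_secure" suffix).
# lineinfile with backrefs only rewrites the last matching line, which is
# sufficient for a stock common-auth with a single pam_unix entry. A backup of
# the file is taken before it is edited.
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
  lineinfile:
    dest: /etc/pam.d/common-auth
    state: present
    regexp: '^(.*)nullok(_secure)?(.*)$'
    line: '\1\3'
    backup: true
    backrefs: true
  when: pam_remove_nullok | bool
  tags:
    - auth
    - cat1
    - V-38497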
# V-38491: rhosts-style trust files must not be present. Two stat checks feed
# one fail task so both locations are evaluated before the play stops.
# NOTE(review): only /root/.rhosts is examined; .rhosts files in other users'
# home directories are outside the scope of this check.
- name: Check if /etc/hosts.equiv exists (for V-38491)
  stat:
    path: /etc/hosts.equiv
  register: v38491_equiv_check
  # A stat is read-only; "changed" here just flags that the file was found.
  changed_when: v38491_equiv_check.stat.exists
  tags:
    - auth
    - cat1
    - V-38491

- name: Check if root has a .rhosts file (for V-38491)
  stat:
    path: /root/.rhosts
  register: v38491_rhosts_check
  changed_when: v38491_rhosts_check.stat.exists
  tags:
    - auth
    - cat1
    - V-38491

# Fail when either file exists; remediation is left to the operator.
- name: V-38491 - No .rhosts or hosts.equiv present on system
  fail:
    msg: "FAILED: Remove all .rhosts and hosts.equiv files"
  when: v38491_equiv_check.stat.exists or v38491_rhosts_check.stat.exists
  tags:
    - auth
    - cat1
    - V-38491
# V-38500: count /etc/passwd entries with UID 0 whose name is not "root".
# Without pipefail the pipeline exits with wc's status, so the task itself
# does not fail; the fail task below interprets the count.
- name: Check for accounts with UID 0 other than root (for V-38500)
  shell: >-
    awk -F: '($1 != "root") && ($3 == 0) {print}' /etc/passwd | wc -l
  register: v38500_result
  changed_when: v38500_result.stdout != '0'
  always_run: true
  tags:
    - auth
    - cat2
    - V-38500

# Stop the play if any additional UID 0 account was counted above.
- name: V-38500 - The root account must be the only account with UID 0
  fail:
    msg: "FAILED: Another account besides root has UID 0"
  when: v38500_result.stdout != '0'
  tags:
    - auth
    - cat2
    - V-38500
# Opt-in required for fail2ban (see documentation and defaults/main.yml).
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
  apt:
    name: fail2ban
    state: present
  tags:
    - auth
    - cat2
    - V-38501
  when: install_fail2ban | bool

# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
# Yes, the bantime we want to modify has two spaces before the equal sign.
# The rendered jail goes into jail.d so the packaged jail.conf is untouched;
# the handler restarts fail2ban whenever the template changes.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.d/jail.local
  notify: restart fail2ban
  tags:
    - auth
    - cat2
    - V-38501
  when: install_fail2ban | bool
# V-38591: the rsh server must not be installed. Opt-out via the new
# security_remove_rsh_server variable.
- name: V-38591 - Remove rshd
  apt:
    name: rsh-server
    state: absent
  tags:
    - auth
    - cat1
    - V-38591
  when: security_remove_rsh_server | bool
# V-38587: the telnet server must not be installed. Opt-out via the new
# security_remove_telnet_server variable.
- name: V-38587 - Remove telnet-server
  apt:
    name: telnetd
    state: absent
  tags:
    - auth
    - cat1
    - V-38587
  when: security_remove_telnet_server | bool
# V-38499: count /etc/passwd entries whose password field is anything other
# than the shadow placeholder "x". Read-only, so it is never "changed" and it
# runs even in check mode.
- name: Search /etc/passwd for password hashes (for V-38499)
  shell: >-
    awk -F: '($2 != "x") {print}' /etc/passwd | wc -l
  register: v38499_result
  changed_when: false
  always_run: true
  tags:
    - auth
    - cat2
    - V-38499
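# Fail when the count above is non-zero. The message names /etc/passwd (the
# file that was searched); the previous text pointed operators at a
# non-existent "/etc/password".
- name: V-38499 - The /etc/passwd file must not contain password hashes
  fail:
    msg: "FAILED: Remove password hashes from /etc/passwd to remediate"
  when: v38499_result.stdout != '0'
  tags:
    - auth
    - cat2
    - V-38499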
# V-38450: /etc/passwd must be owned by root. Only the owner is touched here;
# group and mode are handled by the V-38451 and V-38457 tasks.
- name: V-38450 - The /etc/passwd file must be owned by root
  file:
    owner: root
    path: /etc/passwd
  tags:
    - auth
    - cat2
    - V-38450
# V-38451: /etc/passwd must be group-owned by root. Only the group is touched
# here.
- name: V-38451 - The /etc/passwd file must be group-owned by root
  file:
    group: root
    path: /etc/passwd
  tags:
    - auth
    - cat2
    - V-38451
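# Ubuntu's default is 0644 already.
# The mode is quoted so the YAML parser does not turn the leading-zero literal
# into a decimal integer; Ansible's file module parses the string as octal.
- name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive
  file:
    path: /etc/passwd
    mode: "0644"
  tags:
    - auth
    - cat2
    - V-38457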
# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
# hashing algorithm as well.
#
# Read-only grep: rc is 0 when a pam_unix password line carries sha512 and 1
# otherwise. The task never fails or reports a change on its own; the next
# task turns a non-zero rc into a failure.
- name: Check password hashing algorithm used by PAM (for V-38574)
  shell: >-
    grep '^\s*password.*pam_unix.*sha512' /etc/pam.d/common-password
  register: v38574_result
  always_run: true
  changed_when: false
  failed_when: false
  tags:
    - auth
    - cat2
    - V-38574

# If SHA512 isn't in use for some reason, we should fail and display an error.
- name: V-38574 - System must use FIPS 140-2 approved hashing algorithm for passwords (PAM)
  fail:
    msg: "FAILED: Must use SHA512 for password hashing (via PAM)"
  when: v38574_result.rc != 0
  tags:
    - auth
    - cat2
    - V-38574
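# Read-only grep for ENCRYPT_METHOD SHA512 in login.defs. grep exits 1 when
# the line is absent, so the task must not fail or report a change by itself
# (otherwise the descriptive failure in the following V-38576 task is never
# reached). This mirrors the V-38574 PAM check above.
- name: Check password hashing algorithm used in login.defs (for V-38576)
  shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
  register: v38576_result
  changed_when: false
  failed_when: false
  always_run: true
  tags:
    - auth
    - cat2
    - V-38576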
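# If SHA512 isn't in use for some reason, we should fail and display an error.
# Uses the fail module like the other checks in this file instead of a debug
# task with failed_when, so the failure is reported in the same way.
- name: V-38576 - System must use FIPS 140-2 approved hashing algorithm for passwords (login.defs)
  fail:
    msg: "FAILED: Must use SHA512 for password hashing (in /etc/login.defs)"
  when: v38576_result.rc != 0
  tags:
    - auth
    - cat2
    - V-38576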
# Neither Ubuntu or openstack-ansible installs libuser by default, so there's
# no need to install it here unless the deployer has it installed for some
# reason.
#
# rc is 0 only when dpkg reports the package as installed; any other outcome
# (not installed, dpkg error) leaves rc non-zero and is handled downstream.
- name: Check if libuser is installed (for V-38577)
  shell: >-
    dpkg --status libuser | grep '^Status.*ok installed'
  register: v38577_libuser_check
  always_run: true
  changed_when: false
  failed_when: false
  tags:
    - auth
    - cat2
    - V-38577
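# Only look at libuser.conf when we are sure that libuser is installed.
# grep exits 1 when crypt_style is not sha512, so the task must not fail or
# report a change by itself; the V-38577 task that follows interprets rc.
# When libuser is absent this task is skipped and v38577_result has no rc.
- name: If libuser is installed, verify hashing algorithm in use (for V-38577)
  shell: "grep '^crypt_style = sha512' /etc/libuser.conf"
  register: v38577_result
  when: v38577_libuser_check.rc == 0
  changed_when: false
  failed_when: false
  always_run: true
  tags:
    - auth
    - cat2
    - V-38577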
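# If libuser is installed *AND* it's using unacceptable password hashing
# algorithms, throw an error and a failure. The libuser check is tested first
# so that the grep result (which has no rc when that task was skipped) is
# presumably never inspected on hosts without libuser. Uses the fail module
# like the other checks in this file rather than debug with failed_when.
- name: V-38577 - System must use FIPS 140-2 approved hashing algorithm for passwords (libuser)
  fail:
    msg: "FAILED: libuser isn't configured to use SHA512 hashing for passwords"
  when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0
  tags:
    - auth
    - cat2
    - V-38577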
# V-38681: every GID referenced in /etc/passwd must exist in /etc/group.
# The pipeline's exit status is grep's: 0 means pwck reported a missing group,
# 1 means no such complaint, >1 means grep itself failed (only that case is a
# task failure). pwck's own exit status is masked by the pipe.
- name: V-38681 - Check for missing GID's in /etc/group
  shell: >-
    pwck -r | grep 'no group'
  register: v38681_result
  always_run: true
  changed_when: false
  failed_when: v38681_result.rc > 1
  tags:
    - auth
    - cat3
    - V-38681

# Anything other than "no match" from grep above means a dangling GID.
- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
  fail:
    msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
  when: v38681_result.rc != 1
  tags:
    - auth
    - cat3
    - V-38681
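# V-38692: disable accounts after a period of inactivity by setting INACTIVE
# in useradd's defaults file. The file is /etc/default/useradd (the earlier
# path /etc/default_useradd does not exist, so lineinfile could not edit it),
# and useradd only reads NAME=VALUE lines, so the setting is written with "="
# rather than a space. The regexp also matches Ubuntu's commented default
# ("# INACTIVE=-1") so that line is replaced instead of a duplicate appended.
# Applies to accounts created after this change; existing accounts keep
# their current inactivity setting. Skipped unless the deployer defines
# inactive_account_lock_days.
- name: V-38692 - Lock inactive accounts
  lineinfile:
    dest: /etc/default/useradd
    regexp: '^#?\s*INACTIVE'
    line: 'INACTIVE={{ inactive_account_lock_days }}'
  when: inactive_account_lock_days is defined
  tags:
    - auth
    - cat3
    - V-38692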
# V-38683: usernames must be unique. The check counts the lines pwck prints.
# NOTE(review): pwck reports other problems too (e.g. invalid entries), so
# any pwck complaint — not only a duplicate name — makes this check fail.
- name: Checking for accounts with non-unique usernames (for V-38683)
  shell: pwck -rq | wc -l
  register: v38683_result
  always_run: true
  changed_when: false
  tags:
    - auth
    - cat3
    - V-38683

# Fail when pwck printed anything at all.
- name: V-38683 - All accounts on the system must have unique user/account names
  fail:
    msg: "FAILED: Found accounts without unique usernames"
  when: v38683_result.stdout != '0'
  tags:
    - auth
    - cat3
    - V-38683
# This should be updated to use the find module when Ansible 2.0 is available.
# The glob expands to /etc/sudoers and /etc/sudoers.d; -type f returns every
# regular file beneath them (including a README in sudoers.d, if one exists).
- name: Search for sudoers files (for V-58901)
  shell: find /etc/sudoers* -type f
  register: v58901_result
  always_run: true
  tags:
    - auth
    - cat2
    - V-58901
# The lineinfile module can't be used here since we may need to comment out
# multiple lines. sed prefixes every line mentioning NOPASSWD with a single
# "#", collapsing any existing run of "#" so repeated runs do not stack them.
# No changed_when is set, so the task reports "changed" on every run.
# NOTE(review): the edit is not validated afterwards; a `visudo -cf` check on
# each file would catch a sudoers left unparsable (e.g. a commented-out line
# that was part of a "\" continuation) before it can lock administrators out.
- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
  shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
  with_items: v58901_result.stdout_lines
  tags:
    - auth
    - cat2
    - V-58901
  when: sudoers_remove_nopasswd | bool
# The lineinfile module can't be used here since we may need to comment out
# multiple lines. Same approach as the NOPASSWD task: every line mentioning
# !authenticate is prefixed with a single "#". No changed_when is set, so the
# task reports "changed" on every run.
# NOTE(review): as with the NOPASSWD edit, running `visudo -cf` on each file
# afterwards would confirm the sudoers files still parse.
- name: Comment out sudoers lines with !authenticate present (for V-58901)
  shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
  with_items: v58901_result.stdout_lines
  tags:
    - auth
    - cat2
    - V-58901
  when: sudoers_remove_authenticate | bool