22c4c21583
This patch adds initial support for CentOS 7 and Ubuntu 16.04 to the security role. Documentation and tests still need updates in subsequent patches. Release notes are included. Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
451 lines
12 KiB
YAML
451 lines
12 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: V-38475 - Set minimum length for passwords
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^(#)?PASS_MIN_LEN"
|
|
line: "PASS_MIN_LEN {{ security_password_minimum_length }}"
|
|
when: security_password_minimum_length is defined
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38475
|
|
|
|
- name: V-38477 - Set minimum time for password changes
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^(#)?PASS_MIN_DAYS"
|
|
line: "PASS_MIN_DAYS {{ security_password_minimum_days }}"
|
|
when: security_password_minimum_days is defined
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38477
|
|
|
|
- name: V-38479 - Set maximum age for passwords
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^(#)?PASS_MAX_DAYS"
|
|
line: "PASS_MAX_DAYS {{ security_password_maximum_days }}"
|
|
when: security_password_maximum_days is defined
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38479
|
|
|
|
- name: V-38480 - Warn users prior to password expiration
|
|
lineinfile:
|
|
dest: /etc/login.defs
|
|
regexp: "^(#)?PASS_WARN_DAYS"
|
|
line: "PASS_WARN_DAYS {{ security_password_warn_age }}"
|
|
when: security_password_warn_age is defined
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38480
|
|
|
|
- name: V-38496 - Get all system accounts
|
|
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
|
register: v38496_system_users
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38496
|
|
|
|
- name: V-38496 - Loop through system accounts to find unlocked accounts
|
|
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
|
register: v38496_unlocked_system_users
|
|
always_run: True
|
|
with_items: v38496_system_users.stdout_lines
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38496
|
|
|
|
- name: V-38496 - Gather problematic system accounts
|
|
set_fact:
|
|
v38496_violations: |
|
|
{% for i in v38496_unlocked_system_users.results %}
|
|
{% if i.stdout|length > 0 %}
|
|
{{ i.stdout }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38496
|
|
|
|
# The playbook will fail here if any default system accounts besides root are
|
|
# not locked.
|
|
- name: V-38496 - Default operating system accounts (other than root) must be locked
|
|
fail:
|
|
msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
|
|
when: v38496_violations|length > 0
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38496
|
|
|
|
# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
|
|
# /etc/pam.d/common-auth
|
|
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
|
|
lineinfile:
|
|
dest: "{{ pam_auth_file }}"
|
|
state: present
|
|
regexp: "^(.*)nullok_secure(.*)$"
|
|
line: '\1\2'
|
|
backup: yes
|
|
backrefs: yes
|
|
when: security_pam_remove_nullok | bool
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38497
|
|
|
|
- name: Check if /etc/hosts.equiv exists (for V-38491)
|
|
stat:
|
|
path: /etc/hosts.equiv
|
|
register: v38491_equiv_check
|
|
changed_when: v38491_equiv_check.stat.exists == True
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38491
|
|
|
|
- name: Check if root has a .rhosts file (for V-38491)
|
|
stat:
|
|
path: /root/.rhosts
|
|
register: v38491_rhosts_check
|
|
changed_when: v38491_rhosts_check.stat.exists == True
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38491
|
|
|
|
- name: V-38491 - No .rhosts or hosts.equiv present on system
|
|
fail:
|
|
msg: "FAILED: Remove all .rhosts and hosts.equiv files"
|
|
when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38491
|
|
|
|
- name: Check for accounts with UID 0 other than root (for V-38500)
|
|
shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
|
|
register: v38500_result
|
|
changed_when: v38500_result.stdout != '0'
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38500
|
|
|
|
- name: V-38500 - The root account must be the only account with UID 0
|
|
fail:
|
|
msg: "FAILED: Another account besides root has UID 0"
|
|
when: v38500_result.stdout != '0'
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38500
|
|
|
|
# Opt-in required for fail2ban (see documentation and defaults/main.yml)
|
|
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
|
|
# for ssh-based authentication. See the documentation for details.
|
|
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
|
|
apt:
|
|
name: fail2ban
|
|
state: present
|
|
when: security_install_fail2ban | bool
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38501
|
|
|
|
# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
|
|
# Yes, the bantime we want to modify has two spaces before the equal sign.
|
|
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
|
|
template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.d/jail.local
|
|
when: security_install_fail2ban | bool
|
|
notify:
|
|
- restart fail2ban
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38501
|
|
|
|
- name: V-38591 - Remove rshd with apt
|
|
apt:
|
|
name: rsh-server
|
|
state: absent
|
|
when:
|
|
- ansible_pkg_mgr == 'apt'
|
|
- security_remove_rsh_server | bool
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38591
|
|
|
|
- name: V-38591 - Remove rshd with yum
|
|
yum:
|
|
name: rsh-server
|
|
state: absent
|
|
when:
|
|
- ansible_pkg_mgr == 'yum'
|
|
- security_remove_rsh_server | bool
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38591
|
|
|
|
- name: V-38587 - Remove telnet-server with apt
|
|
apt:
|
|
name: "{{ telnet_server_pkg }}"
|
|
state: absent
|
|
when:
|
|
- ansible_pkg_mgr == 'apt'
|
|
- security_remove_telnet_server | bool
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38587
|
|
|
|
- name: V-38587 - Remove telnet-server with yum
|
|
yum:
|
|
name: "{{ telnet_server_pkg }}"
|
|
state: absent
|
|
when:
|
|
- ansible_pkg_mgr == 'yum'
|
|
- security_remove_telnet_server | bool
|
|
tags:
|
|
- auth
|
|
- cat1
|
|
- V-38587
|
|
|
|
- name: Search /etc/passwd for password hashes (for V-38499)
|
|
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
|
|
register: v38499_result
|
|
changed_when: False
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38499
|
|
|
|
- name: V-38499 - The /etc/passwd file must not contain password hashes
|
|
fail:
|
|
msg: "FAILED: Remove password hashes from /etc/password to remediate"
|
|
when: "v38499_result.stdout != '0'"
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38499
|
|
|
|
- name: V-38450 - The /etc/passwd file must be owned by root
|
|
file:
|
|
path: /etc/passwd
|
|
owner: root
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38450
|
|
|
|
- name: V-38451 - The /etc/passwd file must be group-owned by root
|
|
file:
|
|
path: /etc/passwd
|
|
group: root
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38451
|
|
|
|
# Ubuntu's default is 0644 already
|
|
- name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive
|
|
file:
|
|
path: /etc/passwd
|
|
mode: 0644
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38457
|
|
|
|
# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
|
|
# hashing algorithm as well.
|
|
- name: Check password hashing algorithm used by PAM (for V-38574)
|
|
shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
|
|
register: v38574_result
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38574
|
|
|
|
# If SHA512 isn't in use for some reason, we should fail and display an error.
|
|
- name: V-38574 - System must use FIPS 140-2 approved hashing algorithm for passwords (PAM)
|
|
fail:
|
|
msg: "FAILED: Must use SHA512 for password hashing (via PAM)"
|
|
when: v38574_result.rc != 0
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38574
|
|
|
|
- name: Check password hashing algorithm used in login.defs (for V-38576)
|
|
shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
|
|
register: v38576_result
|
|
changed_when: v38576_result.rc != 0
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38576
|
|
|
|
# If SHA512 isn't in use for some reason, we should fail and display an error.
|
|
- name: V-38576 - System must use FIPS 140-2 approved hashing algorithm for passwords (login.defs)
|
|
debug:
|
|
msg: "FAILED: Must use SHA512 for password hashing (in /etc/login.defs)"
|
|
when: v38576_result.rc != 0
|
|
failed_when: v38576_result.rc != 0
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38576
|
|
|
|
# Neither Ubuntu or openstack-ansible installs libuser by default, so there's
|
|
# no need to install it here unless the deployer has it installed for some
|
|
# reason.
|
|
- name: Check if libuser is installed (for V-38577)
|
|
shell: "dpkg --status libuser | grep '^Status.*ok installed'"
|
|
register: v38577_libuser_check
|
|
changed_when: False
|
|
failed_when: False
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38577
|
|
|
|
# Only look at libuser.conf when we are sure that libuser is installed
|
|
- name: If libuser is installed, verify hashing algorithm in use (for V-38577)
|
|
shell: "grep '^crypt_style = sha512' /etc/libuser.conf"
|
|
register: v38577_result
|
|
when: v38577_libuser_check.rc == 0
|
|
changed_when: v38577_result.rc != 0
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38577
|
|
|
|
# If libuser is installed *AND* it's using unacceptable password hashing
|
|
# algorithms, throw an error and a failure.
|
|
- name: V-38577 - System must use FIPS 140-2 approved hashing algorithm for passwords (libuser)
|
|
debug:
|
|
msg: "FAILED: libuser isn't configured to use SHA512 hashing for passwords"
|
|
when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0
|
|
failed_when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-38577
|
|
|
|
- name: V-38681 - Check for missing GID's in /etc/group
|
|
shell: "pwck -r | grep 'no group'"
|
|
register: v38681_result
|
|
changed_when: False
|
|
failed_when: v38681_result.rc > 1
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38681
|
|
|
|
- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
|
|
fail:
|
|
msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
|
|
when: v38681_result.rc != 1
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38681
|
|
|
|
- name: V-38692 - Lock inactive accounts
|
|
lineinfile:
|
|
dest: /etc/default_useradd
|
|
regexp: "^(#)?INACTIVE"
|
|
line: "INACTIVE {{ security_inactive_account_lock_days }}"
|
|
when: security_inactive_account_lock_days is defined
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38692
|
|
|
|
- name: Checking for accounts with non-unique usernames (for V-38683)
|
|
shell: pwck -rq | wc -l
|
|
register: v38683_result
|
|
changed_when: False
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38683
|
|
|
|
- name: V-38683 - All accounts on the system must have unique user/account names
|
|
fail:
|
|
msg: "FAILED: Found accounts without unique usernames"
|
|
when: v38683_result.stdout != '0'
|
|
tags:
|
|
- auth
|
|
- cat3
|
|
- V-38683
|
|
|
|
# This should be updated to use the find module when Ansible 2.0 is available.
|
|
- name: Search for sudoers files (for V-58901)
|
|
shell: find /etc/sudoers* -type f
|
|
register: v58901_result
|
|
always_run: True
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-58901
|
|
|
|
# The lineinfile module can't be used here since we may need to comment out
|
|
# multiple lines.
|
|
- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
|
|
shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
|
|
with_items: v58901_result.stdout_lines
|
|
when: security_sudoers_remove_nopasswd | bool
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-58901
|
|
|
|
# The lineinfile module can't be used here since we may need to comment out
|
|
# multiple lines.
|
|
- name: Comment out sudoers lines with !authenticate present (for V-58901)
|
|
shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
|
|
with_items: v58901_result.stdout_lines
|
|
when: security_sudoers_remove_authenticate | bool
|
|
tags:
|
|
- auth
|
|
- cat2
|
|
- V-58901
|