Move tasks to 'accounts' file
Several tasks in the auth.yml file were actually more closely related to accounts rather than authentication. This patch moves tasks from the auth.yml into accounts.yml and adjusts the docs to match. This should alleviate confusion and allow deployers to fine-tune their Ansible playbook runs.

Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24
This commit is contained in:
parent
ed8364ec4b
commit
6e761efc9c
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71903
|
id: V-71903
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71905
|
id: V-71905
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71907
|
id: V-71907
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71909
|
id: V-71909
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71911
|
id: V-71911
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71913
|
id: V-71913
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71915
|
id: V-71915
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71917
|
id: V-71917
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The password quality requirements from the STIG are examples of good security
|
The password quality requirements from the STIG are examples of good security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71919
|
id: V-71919
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: implemented
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The PAM configuration file for password storage is checked to ensure that
|
The PAM configuration file for password storage is checked to ensure that
|
||||||
|
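Review bot: this hunk does more than the auth-to-accounts move the commit message describes: V-71919 was previously tagged `implemented`, which is a copy of its `status` value rather than a task tag, so the documentation pointed readers at a tag that the V-71919 task in this diff does not carry. A sentence in the commit message noting the metadata fix would help anyone reading the history, and the same status-pasted-as-tag mistake is worth a quick grep across the other control docs.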
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71921
|
id: V-71921
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
|
The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71923
|
id: V-71923
|
||||||
status: implemented - red hat only
|
status: implemented - red hat only
|
||||||
tag: misc
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The role ensures that ``crypt_style`` is set to ``sha512`` in
|
The role ensures that ``crypt_style`` is set to ``sha512`` in
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71925
|
id: V-71925
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
Although the STIG requires that all passwords have a minimum lifetime set, this
|
Although the STIG requires that all passwords have a minimum lifetime set, this
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71927
|
id: V-71927
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The tasks in the security role search for accounts with a minimum lifetime
|
The tasks in the security role search for accounts with a minimum lifetime
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71929
|
id: V-71929
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
Although the STIG requires that all passwords have a maximum lifetime set, this
|
Although the STIG requires that all passwords have a maximum lifetime set, this
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71931
|
id: V-71931
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
If any users have a maximum password age on their current password set to a
|
If any users have a maximum password age on their current password set to a
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71933
|
id: V-71933
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
Although the STIG requires that five passwords are remembered to prevent re-
|
Although the STIG requires that five passwords are remembered to prevent re-
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71935
|
id: V-71935
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
Although the STIG requires that passwords have a minimum length of 15
|
Although the STIG requires that passwords have a minimum length of 15
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71941
|
id: V-71941
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The STIG requires that user accounts are disabled when their password expires.
|
The STIG requires that user accounts are disabled when their password expires.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71951
|
id: V-71951
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The tasks in the Ansible role set a four second delay between failed login
|
The tasks in the Ansible role set a four second delay between failed login
|
||||||
|
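Review bot: retagging V-71951 as `accounts` only partly matches the task layout after this change. The shadow-utils task that moves into accounts.yml lists `V-71951` among its tags, but the `pam_faildelay` tasks stay in auth.yml (the context line `- name: Set pam_faildelay configuration on Ubuntu` remains there), so a deployer who follows this doc and runs with `--tags accounts` gets only part of the control. Either move the pam_faildelay tasks into accounts.yml as well or note in this doc that the remainder is under `auth`.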
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-71995
|
id: V-71995
|
||||||
status: opt-in - Ubuntu only
|
status: opt-in - Ubuntu only
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The STIG requires that the umask for all authenticated users is ``077``. This
|
The STIG requires that the umask for all authenticated users is ``077``. This
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-72003
|
id: V-72003
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
If any users are found with invalid GIDs, those users are printed in the
|
If any users are found with invalid GIDs, those users are printed in the
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-72005
|
id: V-72005
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
If an account with UID 0 other than ``root`` exists on the system, the playbook
|
If an account with UID 0 other than ``root`` exists on the system, the playbook
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-72011
|
id: V-72011
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The usernames of all users without home directories assigned are provided in
|
The usernames of all users without home directories assigned are provided in
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-72013
|
id: V-72013
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security
|
The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-72015
|
id: V-72015
|
||||||
status: implemented
|
status: implemented
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
Each interactive user on the system is checked to verify that their assigned
|
Each interactive user on the system is checked to verify that their assigned
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: V-73159
|
id: V-73159
|
||||||
status: opt-in
|
status: opt-in
|
||||||
tag: auth
|
tag: accounts
|
||||||
---
|
---
|
||||||
|
|
||||||
The security role can require new or changed passwords to follow the pwquality
|
The security role can require new or changed passwords to follow the pwquality
|
||||||
|
255
tasks/rhel7stig/accounts.yml
Normal file
@ -0,0 +1,255 @@
|
|||||||
|
---
|
||||||
|
# Copyright 2017, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Check if /etc/security/pwquality.conf exists
|
||||||
|
stat:
|
||||||
|
path: /etc/security/pwquality.conf
|
||||||
|
check_mode: no
|
||||||
|
register: pwquality_config_check
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
|
- name: Set password quality requirements
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/security/pwquality.conf
|
||||||
|
backup: yes
|
||||||
|
insertbefore: EOF
|
||||||
|
marker: "# {mark} Added by openstack-ansible-security role"
|
||||||
|
state: present
|
||||||
|
block: "{{ lookup('template', 'pwquality.conf.j2') }}"
|
||||||
|
when:
|
||||||
|
- pwquality_config_check.stat.exists
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71903
|
||||||
|
- V-71905
|
||||||
|
- V-71907
|
||||||
|
- V-71909
|
||||||
|
- V-71911
|
||||||
|
- V-71913
|
||||||
|
- V-71915
|
||||||
|
- V-71917
|
||||||
|
- V-71935
|
||||||
|
|
||||||
|
- name: Check for SHA512 password storage in PAM
|
||||||
|
command: "grep pam_unix.so {{ pam_password_file }}"
|
||||||
|
register: password_sha512_check
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
|
- name: Print warning if PAM is not using SHA512 for password storage
|
||||||
|
debug:
|
||||||
|
msg: >
|
||||||
|
PAM is not using SHA512 for password storage. This is a security issue.
|
||||||
|
when:
|
||||||
|
- password_sha512_check is defined
|
||||||
|
- "'sha512' not in password_sha512_check.stdout"
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71919
|
||||||
|
|
||||||
|
- name: Ensure libuser is storing passwords using SHA512
|
||||||
|
ini_file:
|
||||||
|
dest: /etc/libuser.conf
|
||||||
|
section: defaults
|
||||||
|
option: crypt_style
|
||||||
|
value: sha512
|
||||||
|
backup: yes
|
||||||
|
when:
|
||||||
|
- security_libuser_crypt_style_sha512 | bool
|
||||||
|
- ansible_os_family | lower == 'redhat'
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71923
|
||||||
|
|
||||||
|
- name: Get all user accounts with a password lifetime limit under 24 hours
|
||||||
|
shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
|
||||||
|
check_mode: no
|
||||||
|
changed_when: False
|
||||||
|
register: password_lifetime_check
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71927
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
- name: Print warning about accounts with password lifetimes under 24 hours
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
Accounts were found with a minimum password lifetime limit under 24 hours:
|
||||||
|
{{ password_lifetime_check.stdout_lines | join(', ') }}
|
||||||
|
when:
|
||||||
|
- password_lifetime_check.stdout_lines is defined
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71927
|
||||||
|
|
||||||
|
- name: Print warning for accounts with a password lifetime over 60 days
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
The following user accounts have an existing password with a lifetime of
|
||||||
|
greater than 60 days:
|
||||||
|
{%- for user in user_list.users %}
|
||||||
|
{% if user['shadow']['max_days'] > 60 %}
|
||||||
|
{{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71931
|
||||||
|
|
||||||
|
- name: Ensure that users cannot reuse one of their last 5 passwords
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ pam_password_file }}"
|
||||||
|
regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
|
||||||
|
line: '\1 remember={{ security_password_remember_password }}'
|
||||||
|
backrefs: yes
|
||||||
|
state: present
|
||||||
|
when:
|
||||||
|
- security_password_remember_password is defined
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71933
|
||||||
|
|
||||||
|
- name: Ensure accounts are disabled if the password expires
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/default/useradd
|
||||||
|
regexp: '^[#\s]*INACTIVE'
|
||||||
|
line: 'INACTIVE=0'
|
||||||
|
when:
|
||||||
|
- security_disable_account_if_password_expires | bool
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71941
|
||||||
|
|
||||||
|
- name: Apply shadow-utils configurations
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/login.defs
|
||||||
|
regexp: "^{{ item.parameter }}"
|
||||||
|
line: "{{ item.parameter }} {{ item.value }}"
|
||||||
|
state: present
|
||||||
|
when:
|
||||||
|
- item.value != ''
|
||||||
|
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
|
||||||
|
with_items: "{{ shadow_utils_rhel7 }}"
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-71921
|
||||||
|
- V-71925
|
||||||
|
- V-71929
|
||||||
|
- V-71951
|
||||||
|
- V-71995
|
||||||
|
- V-72013
|
||||||
|
|
||||||
|
- name: Print warning for groups in /etc/passwd that are not in /etc/group
|
||||||
|
debug:
|
||||||
|
msg: >
|
||||||
|
The following users have GIDs in /etc/passwd that do not exist in /etc/group:
|
||||||
|
{{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
|
||||||
|
when:
|
||||||
|
- user_list is defined
|
||||||
|
- user_list.users | selectattr('group', 'equalto', False) | list | length > 0
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- low
|
||||||
|
- V-72003
|
||||||
|
|
||||||
|
- name: Get all accounts with UID 0
|
||||||
|
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: root_user_check
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- high
|
||||||
|
- V-72005
|
||||||
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
- name: Print warnings for non-root users with UID 0
|
||||||
|
fail:
|
||||||
|
msg: |
|
||||||
|
Only the 'root' user should have UID 0. Other users were found:
|
||||||
|
{{ root_user_check.stdout_lines | join(', ') }}"
|
||||||
|
when:
|
||||||
|
- root_user_check.stdout != 'root'
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- high
|
||||||
|
- V-72005
|
||||||
|
|
||||||
|
- name: Print warning for local interactive users without a home directory assigned
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
The following users do not have a home directory assigned:
|
||||||
|
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
|
||||||
|
when:
|
||||||
|
- user_list is defined
|
||||||
|
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-72011
|
||||||
|
|
||||||
|
- name: Check each user to see if its home directory exists on the filesystem
|
||||||
|
stat:
|
||||||
|
path: "{{ item['dir'] }}"
|
||||||
|
when:
|
||||||
|
- item['dir'] != ''
|
||||||
|
with_items: "{{ user_list.users }}"
|
||||||
|
register: home_directory_checks
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-72015
|
||||||
|
|
||||||
|
- name: Print warning for users with an assigned home directory that does not exist
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
These users have a home directory assigned, but the directory does not exist:
|
||||||
|
{% for check in home_directory_checks.results %}
|
||||||
|
{% if not check.stat.exists %}
|
||||||
|
{{ check.item.name }} ({{ check.item.dir }} does not exist)
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
when:
|
||||||
|
- home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-72015
|
||||||
|
|
||||||
|
- name: Use pwquality when passwords are changed or created
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/pam.d/passwd
|
||||||
|
line: "password required pam_pwquality.so retry=3"
|
||||||
|
state: present
|
||||||
|
when:
|
||||||
|
- security_enable_pwquality_password_set | bool
|
||||||
|
tags:
|
||||||
|
- accounts
|
||||||
|
- medium
|
||||||
|
- V-73159
|
||||||
|
|
||||||
|
|
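Review bot: the `when` guard on "Print warning about accounts with password lifetimes under 24 hours" (`- password_lifetime_check.stdout_lines is defined`) is always true, because a registered `shell` result carries `stdout_lines` even when the awk filter matched nothing, so the warning is printed with an empty account list on every run; `- password_lifetime_check.stdout_lines | length > 0` reports only when an account was actually found. Two smaller defects travel with the moved tasks and this is a good moment to fix them: the `fail` message for V-72005 ends with a stray `"` after `{{ root_user_check.stdout_lines | join(', ') }}` inside a `|` block scalar, so a literal quote is printed, and the `grep pam_unix.so {{ pam_password_file }}` check has no `failed_when`, so a PAM file without a `pam_unix.so` line aborts the play on grep's exit status 1 instead of reaching the SHA512 warning that follows it.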
@ -13,96 +13,6 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
- name: Get a list of users on the system to use throughout the auth tasks
|
|
||||||
action: get_users
|
|
||||||
register: user_list
|
|
||||||
check_mode: no
|
|
||||||
tags:
|
|
||||||
- always
|
|
||||||
|
|
||||||
- name: Check if /etc/security/pwquality.conf exists
|
|
||||||
stat:
|
|
||||||
path: /etc/security/pwquality.conf
|
|
||||||
check_mode: no
|
|
||||||
register: pwquality_config_check
|
|
||||||
tags:
|
|
||||||
- always
|
|
||||||
|
|
||||||
- name: Set password quality requirements
|
|
||||||
blockinfile:
|
|
||||||
dest: /etc/security/pwquality.conf
|
|
||||||
backup: yes
|
|
||||||
insertbefore: EOF
|
|
||||||
marker: "# {mark} Added by openstack-ansible-security role"
|
|
||||||
state: present
|
|
||||||
block: "{{ lookup('template', 'pwquality.conf.j2') }}"
|
|
||||||
when:
|
|
||||||
- pwquality_config_check.stat.exists
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71903
|
|
||||||
- V-71905
|
|
||||||
- V-71907
|
|
||||||
- V-71909
|
|
||||||
- V-71911
|
|
||||||
- V-71913
|
|
||||||
- V-71915
|
|
||||||
- V-71917
|
|
||||||
- V-71935
|
|
||||||
|
|
||||||
- name: Use pwquality when passwords are changed or created
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/pam.d/passwd
|
|
||||||
line: "password required pam_pwquality.so retry=3"
|
|
||||||
state: present
|
|
||||||
when:
|
|
||||||
- security_enable_pwquality_password_set | bool
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-73159
|
|
||||||
|
|
||||||
- name: Check for SHA512 password storage in PAM
|
|
||||||
command: "grep pam_unix.so {{ pam_password_file }}"
|
|
||||||
register: password_sha512_check
|
|
||||||
changed_when: False
|
|
||||||
check_mode: no
|
|
||||||
tags:
|
|
||||||
- always
|
|
||||||
|
|
||||||
- name: V-71919 - The PAM system service must be configured to store only encrypted representations of passwords.
|
|
||||||
debug:
|
|
||||||
msg: >
|
|
||||||
PAM is not using SHA512 for password storage. This is a security issue.
|
|
||||||
when:
|
|
||||||
- password_sha512_check is defined
|
|
||||||
- "'sha512' not in password_sha512_check.stdout"
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71919
|
|
||||||
|
|
||||||
- name: Configure shadow-utils configuration
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/login.defs
|
|
||||||
regexp: "^{{ item.parameter }}"
|
|
||||||
line: "{{ item.parameter }} {{ item.value }}"
|
|
||||||
state: present
|
|
||||||
when:
|
|
||||||
- item.value != ''
|
|
||||||
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
|
|
||||||
with_items: "{{ shadow_utils_rhel7 }}"
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71921
|
|
||||||
- V-71925
|
|
||||||
- V-71929
|
|
||||||
- V-71951
|
|
||||||
- V-71995
|
|
||||||
- V-72013
|
|
||||||
|
|
||||||
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
|
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
|
||||||
# microseconds.
|
# microseconds.
|
||||||
- name: Set pam_faildelay configuration on Ubuntu
|
- name: Set pam_faildelay configuration on Ubuntu
|
||||||
@ -120,74 +30,7 @@
|
|||||||
- medium
|
- medium
|
||||||
- V-71951
|
- V-71951
|
||||||
|
|
||||||
- name: V-71923 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
|
- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
|
||||||
ini_file:
|
|
||||||
dest: /etc/libuser.conf
|
|
||||||
section: defaults
|
|
||||||
option: crypt_style
|
|
||||||
value: sha512
|
|
||||||
backup: yes
|
|
||||||
when:
|
|
||||||
- security_libuser_crypt_style_sha512 | bool
|
|
||||||
- ansible_os_family | lower == 'redhat'
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71923
|
|
||||||
|
|
||||||
- name: Get all user accounts with a password lifetime limit under 24 hours
|
|
||||||
shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
|
|
||||||
check_mode: no
|
|
||||||
changed_when: False
|
|
||||||
register: password_lifetime_check
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71927
|
|
||||||
- skip_ansible_lint
|
|
||||||
|
|
||||||
- name: V-71927 - Passwords must be restricted to a 24 hours/1 day minimum lifetime.
|
|
||||||
debug:
|
|
||||||
msg: |
|
|
||||||
Accounts were found with a minimum password lifetime limit under 24 hours:
|
|
||||||
{{ password_lifetime_check.stdout_lines | join(', ') }}
|
|
||||||
when:
|
|
||||||
- password_lifetime_check.stdout_lines is defined
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71927
|
|
||||||
|
|
||||||
- name: V-71933 - Passwords must be prohibited from reuse for a minimum of five generations.
|
|
||||||
lineinfile:
|
|
||||||
dest: "{{ pam_password_file }}"
|
|
||||||
regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
|
|
||||||
line: '\1 remember={{ security_password_remember_password }}'
|
|
||||||
backrefs: yes
|
|
||||||
state: present
|
|
||||||
when:
|
|
||||||
- security_password_remember_password is defined
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71933
|
|
||||||
|
|
||||||
- name: V-71931 - Existing passwords must be restricted to a 60-day maximum lifetime.
|
|
||||||
debug:
|
|
||||||
msg: |
|
|
||||||
The following user accounts have an existing password with a lifetime of
|
|
||||||
greater than 60 days:
|
|
||||||
{%- for user in user_list.users %}
|
|
||||||
{% if user['shadow']['max_days'] > 60 %}
|
|
||||||
{{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71931
|
|
||||||
|
|
||||||
- name: V-71937 - The system must not have accounts configured with blank or null passwords
|
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ pam_auth_file }}"
|
dest: "{{ pam_auth_file }}"
|
||||||
state: present
|
state: present
|
||||||
@ -203,7 +46,7 @@
|
|||||||
- high
|
- high
|
||||||
- V-71937
|
- V-71937
|
||||||
|
|
||||||
- name: V-71937 - The system must not have accounts configured with blank or null passwords
|
- name: Prevent users with blank or null passwords from authenticating (Red Hat)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ pam_auth_file }}"
|
dest: "{{ pam_auth_file }}"
|
||||||
state: present
|
state: present
|
||||||
@ -222,18 +65,6 @@
|
|||||||
- high
|
- high
|
||||||
- V-71937
|
- V-71937
|
||||||
|
|
||||||
- name: V-71941 - The operating system must disable account identifiers if the password expires.
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/default/useradd
|
|
||||||
regexp: '^[#\s]*INACTIVE'
|
|
||||||
line: 'INACTIVE=0'
|
|
||||||
when:
|
|
||||||
- security_disable_account_if_password_expires | bool
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-71941
|
|
||||||
|
|
||||||
- name: V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
|
- name: V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: pam_password_file
|
dest: pam_password_file
|
||||||
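Review bot: the unchanged context at the end of this hunk shows `dest: pam_password_file` on the V-71945 `blockinfile` task, an unquoted literal rather than `"{{ pam_password_file }}"` as the neighbouring tasks use (`dest: "{{ pam_auth_file }}"` just above), so the account-lockout block is written to a file literally named `pam_password_file` in the working directory instead of the PAM password stack. It predates this change, but since auth.yml is being reorganised here it is worth correcting in the same series.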
@ -333,83 +164,6 @@
|
|||||||
- V-71961
|
- V-71961
|
||||||
- V-71963
|
- V-71963
|
||||||
|
|
||||||
- name: Get all accounts with UID 0
|
|
||||||
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
|
|
||||||
changed_when: False
|
|
||||||
check_mode: no
|
|
||||||
register: root_user_check
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- high
|
|
||||||
- V-72005
|
|
||||||
- skip_ansible_lint
|
|
||||||
|
|
||||||
- name: Check for groups in /etc/passwd that are not in /etc/group
|
|
||||||
debug:
|
|
||||||
msg: >
|
|
||||||
The following users have GIDs in /etc/passwd that do not exist in /etc/group:
|
|
||||||
{{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
|
|
||||||
when:
|
|
||||||
- user_list is defined
|
|
||||||
- user_list.users | selectattr('group', 'equalto', False) | list | length > 0
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- low
|
|
||||||
- V-72003
|
|
||||||
|
|
||||||
- name: V-72005 - The root account must be the only account having unrestricted access to the system
|
|
||||||
fail:
|
|
||||||
msg: |
|
|
||||||
Only the 'root' user should have UID 0. Other users were found:
|
|
||||||
{{ root_user_check.stdout_lines | join(', ') }}"
|
|
||||||
when:
|
|
||||||
- root_user_check.stdout != 'root'
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- high
|
|
||||||
- V-72005
|
|
||||||
|
|
||||||
- name: V-72011 - All local interactive users must have a home directory assigned in the /etc/passwd file.
|
|
||||||
debug:
|
|
||||||
msg: |
|
|
||||||
The following users do not have a home directory assigned:
|
|
||||||
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
|
|
||||||
when:
|
|
||||||
- user_list is defined
|
|
||||||
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-72011
|
|
||||||
|
|
||||||
- name: Check each user to see if its home directory exists on the filesystem
|
|
||||||
stat:
|
|
||||||
path: "{{ item['dir'] }}"
|
|
||||||
when:
|
|
||||||
- item['dir'] != ''
|
|
||||||
with_items: "{{ user_list.users }}"
|
|
||||||
register: home_directory_checks
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-72015
|
|
||||||
|
|
||||||
- name: V-72015 - All local interactive user home directories defined in the /etc/passwd file must exist.
|
|
||||||
debug:
|
|
||||||
msg: |
|
|
||||||
These users have a home directory assigned, but the directory does not exist:
|
|
||||||
{% for check in home_directory_checks.results %}
|
|
||||||
{% if not check.stat.exists %}
|
|
||||||
{{ check.item.name }} ({{ check.item.dir }} does not exist)
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
when:
|
|
||||||
- home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
|
|
||||||
tags:
|
|
||||||
- auth
|
|
||||||
- medium
|
|
||||||
- V-72015
|
|
||||||
|
|
||||||
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
|
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf
|
dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf
|
||||||
|
@ -49,6 +49,13 @@
|
|||||||
- always
|
- always
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
- name: Get a list of users on the system to use throughout the auth tasks
|
||||||
|
action: get_users
|
||||||
|
register: user_list
|
||||||
|
check_mode: no
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
# Package installations and removals must come first so that configuration
|
# Package installations and removals must come first so that configuration
|
||||||
# changes can be made later.
|
# changes can be made later.
|
||||||
- include: packages.yml
|
- include: packages.yml
|
||||||
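Review bot: the relocated task is still named "Get a list of users on the system to use throughout the auth tasks", but after this change its `user_list` result is consumed mainly by the accounts.yml tasks (the V-72003, V-72011 and V-72015 checks filter `user_list.users`); renaming it to "... throughout the role" avoids sending the next reader back to auth.yml. Placing it in main.yml with the `always` tag before any `include` is the right fix for the ordering, since accounts.yml is now included ahead of auth.yml.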
@ -65,6 +72,7 @@
|
|||||||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||||
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
||||||
# Controls by Tag" section of the role documentation.
|
# Controls by Tag" section of the role documentation.
|
||||||
|
- include: accounts.yml
|
||||||
- include: aide.yml
|
- include: aide.yml
|
||||||
- include: auditd.yml
|
- include: auditd.yml
|
||||||
- include: auth.yml
|
- include: auth.yml
|
||||||
|