openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel7stig/auth.yml
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata 
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00

273 lines
7.6 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
# microseconds.
- name: Set pam_faildelay configuration on Ubuntu
lineinfile:
dest: /etc/pam.d/login
regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}'
state: present
backrefs: yes
when:
- security_shadow_utils_fail_delay is defined
- ansible_facts['os_family'] | lower == 'debian'
tags:
- auth
- medium
- V-71951
- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
when:
- ansible_facts['os_family'] == 'Debian'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Prevent users with blank or null passwords from authenticating (Red Hat)
lineinfile:
dest: "{{ item[1] }}"
state: present
regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
when:
- ansible_facts['os_family'] == 'RedHat'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Prevent users with blank or null passwords from authenticating (SUSE)
lineinfile:
dest: "{{ item }}"
state: present
regexp: "^(.*required.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
with_items:
- "{{ pam_auth_file }}"
- "{{ pam_password_file }}"
when:
- ansible_facts['pkg_mgr'] == 'zypper'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Lock accounts after three failed login attempts a 15 minute period
blockinfile:
dest: "{{ pam_password_file }}"
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}"
when:
- ansible_facts['pkg_mgr'] == 'dnf'
- security_pam_faillock_enable | bool
tags:
- auth
- medium
- V-71943
- V-71945
# NOTE(mhayden): The unusual regex here ensures that we're omitting any lines
# that are commented out. Some commented lines may be preprended with spaces,
# so we need to account for that as well.
#
# First step is to find lines with 'nopasswd' in them and then omit any of
# those lines that have a '#' as the first character or '#' as the first
# character following a space (or series of spaces).
- name: Check for 'nopasswd' in sudoers files
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
register: sudoers_nopasswd_check
changed_when: False
when:
- security_sudoers_nopasswd_check_enable | bool
tags:
- auth
- medium
- V-71947
- name: V-71947 - Users must provide a password for privilege escalation.
debug:
msg: >
The 'NOPASSWD' directive was found in the sudoers configuration files.
Remove the directive to ensure that all users must provide a password to
run commands as the root user.
when:
- sudoers_nopasswd_check is not skipped
- sudoers_nopasswd_check.stdout != 'not found'
tags:
- auth
- medium
- V-71947
- skip_ansible_lint
- name: Check for '!authenticate' in sudoers files
shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
register: sudoers_authenticate_check
changed_when: False
tags:
- auth
- medium
- V-71949
- name: V-71949 - Users must re-authenticate for privilege escalation.
debug:
msg: >
The '!authenticate' directive was found in the sudoers configuration
files. Remove the directive to ensure that all users must provide a
password to run commands as the root user each time they use sudo.
when:
- sudoers_authenticate_check is not skipped
- sudoers_authenticate_check.stdout != 'not found'
tags:
- auth
- medium
- V-71949
- skip_ansible_lint
- name: Check if sssd.conf exists
stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_check
check_mode: no
tags:
- always
# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
# should be skipped on those systems.
- name: Check if GRUB2 custom file exists
stat:
path: "{{ grub_custom_file }}"
register: grub_custom_file_check
check_mode: no
tags:
- always
- name: Set a GRUB 2 password for single-user/maintenance modes
block:
- name: Define password options for grub
blockinfile:
path: "{{ grub_custom_file }}"
insertbefore: EOF
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
block: |
set superusers="root"
password_pbkdf2 root {{ security_grub_password_hash }}
state: present
notify:
- Update grub config
- name: Set CLASS for grub file
lineinfile:
path: "{{ grub_linux_file }}"
regexp: '^CLASS=.*'
line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
state: present
backrefs: yes
notify:
- Update grub config
when:
- grub_custom_file_check.stat.exists | bool
- security_require_grub_authentication | bool
tags:
- auth
- high
- V-71961
- V-71963
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes
mode: "0644"
block: |
# Deployed by the ansible-hardening role
# V-72217 - Limit concurrent sessions for all accounts/types
* hard maxlogins {{ security_rhel7_concurrent_session_limit }}
when:
- security_rhel7_concurrent_session_limit is defined
tags:
- auth
- low
- V-72217
- name: Check for pam_lastlog in PAM configuration
command: "grep pam_lastlog {{ pam_postlogin_file }}"
register: pam_lastlog_check
changed_when: False
failed_when: False
check_mode: no
tags:
- always
- name: V-72275 - Display date/time of last logon after logon
debug:
msg: >
The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
This is required by V-72275.
when:
- pam_lastlog_check.rc != 0
tags:
- low
- auth
- V-72275
- name: Ensure .shosts find has finished
async_status:
jid: "{{ shosts_find.ansible_job_id }}"
failed_when: False
changed_when: False
register: job_result
until: job_result.finished
retries: 60
when:
- shosts_find is not skipped
tags:
- high
- auth
- V-72277
- V-72279
- name: Remove .shosts or shosts.equiv files
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ job_result.files }}"
when:
- job_result is not skipped
- security_rhel7_remove_shosts_files | bool
tags:
- high
- auth
- V-72277
- V-72279
View Git Blame Copy Permalink