Move tasks to 'accounts' file

Several tasks in the auth.yml file were actually more closely related
to accounts rather than authentication. This patch moves tasks from
the auth.yml into accounts.yml and adjusts the docs to match.

This should alleviate confusion and allow deployers to fine-tune
their Ansible playbook runs.

Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24
Major Hayden 2017-05-20 13:36:57 -05:00
parent ed8364ec4b
commit 6e761efc9c
GPG Key ID: 737051E0C1011FB1
29 changed files with 291 additions and 274 deletions

@ -1,7 +1,7 @@
---
id: V-71903
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71905
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71907
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71909
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71911
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71913
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71915
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71917
status: opt-in
tag: auth
tag: accounts
---
The password quality requirements from the STIG are examples of good security

@ -1,7 +1,7 @@
---
id: V-71919
status: implemented
tag: implemented
tag: accounts
---
The PAM configuration file for password storage is checked to ensure that

@ -1,7 +1,7 @@
---
id: V-71921
status: implemented
tag: auth
tag: accounts
---
The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat

@ -1,7 +1,7 @@
---
id: V-71923
status: implemented - red hat only
tag: misc
tag: accounts
---
The role ensures that ``crypt_style`` is set to ``sha512`` in

@ -1,7 +1,7 @@
---
id: V-71925
status: opt-in
tag: auth
tag: accounts
---
Although the STIG requires that all passwords have a minimum lifetime set, this

@ -1,7 +1,7 @@
---
id: V-71927
status: implemented
tag: auth
tag: accounts
---
The tasks in the security role search for accounts with a minimum lifetime

@ -1,7 +1,7 @@
---
id: V-71929
status: opt-in
tag: auth
tag: accounts
---
Although the STIG requires that all passwords have a maximum lifetime set, this

@ -1,7 +1,7 @@
---
id: V-71931
status: implemented
tag: auth
tag: accounts
---
If any users have a maximum password age on their current password set to a

@ -1,7 +1,7 @@
---
id: V-71933
status: opt-in
tag: auth
tag: accounts
---
Although the STIG requires that five passwords are remembered to prevent re-

@ -1,7 +1,7 @@
---
id: V-71935
status: opt-in
tag: auth
tag: accounts
---
Although the STIG requires that passwords have a minimum length of 15

@ -1,7 +1,7 @@
---
id: V-71941
status: opt-in
tag: auth
tag: accounts
---
The STIG requires that user accounts are disabled when their password expires.

@ -1,7 +1,7 @@
---
id: V-71951
status: implemented
tag: auth
tag: accounts
---
The tasks in the Ansible role set a four second delay between failed login

@ -1,7 +1,7 @@
---
id: V-71995
status: opt-in - Ubuntu only
tag: auth
tag: accounts
---
The STIG requires that the umask for all authenticated users is ``077``. This

@ -1,7 +1,7 @@
---
id: V-72003
status: implemented
tag: auth
tag: accounts
---
If any users are found with invalid GIDs, those users are printed in the

@ -1,7 +1,7 @@
---
id: V-72005
status: implemented
tag: auth
tag: accounts
---
If an account with UID 0 other than ``root`` exists on the system, the playbook

@ -1,7 +1,7 @@
---
id: V-72011
status: implemented
tag: auth
tag: accounts
---
The usernames of all users without home directories assigned are provided in

@ -1,7 +1,7 @@
---
id: V-72013
status: implemented
tag: auth
tag: accounts
---
The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security

@ -1,7 +1,7 @@
---
id: V-72015
status: implemented
tag: auth
tag: accounts
---
Each interactive user on the system is checked to verify that their assigned

@ -1,7 +1,7 @@
---
id: V-73159
status: opt-in
tag: auth
tag: accounts
---
The security role can require new or changed passwords to follow the pwquality

@ -0,0 +1,255 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if /etc/security/pwquality.conf exists
stat:
path: /etc/security/pwquality.conf
check_mode: no
register: pwquality_config_check
tags:
- always
- name: Set password quality requirements
blockinfile:
dest: /etc/security/pwquality.conf
backup: yes
insertbefore: EOF
marker: "# {mark} Added by openstack-ansible-security role"
state: present
block: "{{ lookup('template', 'pwquality.conf.j2') }}"
when:
- pwquality_config_check.stat.exists
tags:
- accounts
- medium
- V-71903
- V-71905
- V-71907
- V-71909
- V-71911
- V-71913
- V-71915
- V-71917
- V-71935
- name: Check for SHA512 password storage in PAM
command: "grep pam_unix.so {{ pam_password_file }}"
register: password_sha512_check
changed_when: False
check_mode: no
tags:
- always
- name: Print warning if PAM is not using SHA512 for password storage
debug:
msg: >
PAM is not using SHA512 for password storage. This is a security issue.
when:
- password_sha512_check is defined
- "'sha512' not in password_sha512_check.stdout"
tags:
- accounts
- medium
- V-71919
- name: Ensure libuser is storing passwords using SHA512
ini_file:
dest: /etc/libuser.conf
section: defaults
option: crypt_style
value: sha512
backup: yes
when:
- security_libuser_crypt_style_sha512 | bool
- ansible_os_family | lower == 'redhat'
tags:
- accounts
- medium
- V-71923
- name: Get all user accounts with a password lifetime limit under 24 hours
shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
check_mode: no
changed_when: False
register: password_lifetime_check
tags:
- accounts
- medium
- V-71927
- skip_ansible_lint
- name: Print warning about accounts with password lifetimes under 24 hours
debug:
msg: |
Accounts were found with a minimum password lifetime limit under 24 hours:
{{ password_lifetime_check.stdout_lines | join(', ') }}
when:
- password_lifetime_check.stdout_lines is defined
tags:
- accounts
- medium
- V-71927
- name: Print warning for accounts with a password lifetime over 60 days
debug:
msg: |
The following user accounts have an existing password with a lifetime of
greater than 60 days:
{%- for user in user_list.users %}
{% if user['shadow']['max_days'] > 60 %}
{{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
{% endif %}
{% endfor %}
tags:
- accounts
- medium
- V-71931
- name: Ensure that users cannot reuse one of their last 5 passwords
lineinfile:
dest: "{{ pam_password_file }}"
regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
line: '\1 remember={{ security_password_remember_password }}'
backrefs: yes
state: present
when:
- security_password_remember_password is defined
tags:
- accounts
- medium
- V-71933
- name: Ensure accounts are disabled if the password expires
lineinfile:
dest: /etc/default/useradd
regexp: '^[#\s]*INACTIVE'
line: 'INACTIVE=0'
when:
- security_disable_account_if_password_expires | bool
tags:
- accounts
- medium
- V-71941
- name: Apply shadow-utils configurations
lineinfile:
dest: /etc/login.defs
regexp: "^{{ item.parameter }}"
line: "{{ item.parameter }} {{ item.value }}"
state: present
when:
- item.value != ''
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
with_items: "{{ shadow_utils_rhel7 }}"
tags:
- accounts
- medium
- V-71921
- V-71925
- V-71929
- V-71951
- V-71995
- V-72013
- name: Print warning for groups in /etc/passwd that are not in /etc/group
debug:
msg: >
The following users have GIDs in /etc/passwd that do not exist in /etc/group:
{{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
when:
- user_list is defined
- user_list.users | selectattr('group', 'equalto', False) | list | length > 0
tags:
- accounts
- low
- V-72003
- name: Get all accounts with UID 0
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
changed_when: False
check_mode: no
register: root_user_check
tags:
- accounts
- high
- V-72005
- skip_ansible_lint
- name: Print warnings for non-root users with UID 0
fail:
msg: |
Only the 'root' user should have UID 0. Other users were found:
{{ root_user_check.stdout_lines | join(', ') }}"
when:
- root_user_check.stdout != 'root'
tags:
- accounts
- high
- V-72005
- name: Print warning for local interactive users without a home directory assigned
debug:
msg: |
The following users do not have a home directory assigned:
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
when:
- user_list is defined
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
tags:
- accounts
- medium
- V-72011
- name: Check each user to see if its home directory exists on the filesystem
stat:
path: "{{ item['dir'] }}"
when:
- item['dir'] != ''
with_items: "{{ user_list.users }}"
register: home_directory_checks
tags:
- accounts
- medium
- V-72015
- name: Print warning for users with an assigned home directory that does not exist
debug:
msg: |
These users have a home directory assigned, but the directory does not exist:
{% for check in home_directory_checks.results %}
{% if not check.stat.exists %}
{{ check.item.name }} ({{ check.item.dir }} does not exist)
{% endif %}
{% endfor %}
when:
- home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
tags:
- accounts
- medium
- V-72015
- name: Use pwquality when passwords are changed or created
lineinfile:
dest: /etc/pam.d/passwd
line: "password required pam_pwquality.so retry=3"
state: present
when:
- security_enable_pwquality_password_set | bool
tags:
- accounts
- medium
- V-73159
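Review bot: the `when` on "Print warning about accounts with password lifetimes under 24 hours" (`password_lifetime_check.stdout_lines is defined`) is always true for a registered shell result, so the warning is printed even when the awk output is empty; `password_lifetime_check.stdout_lines | length > 0` would gate it correctly. In the same file, "Print warnings for non-root users with UID 0" uses `fail:` rather than `debug:`, so its name understates that it aborts the play, and the line `{{ root_user_check.stdout_lines | join(', ') }}"` carries a stray trailing `"` that is emitted literally because the message is a `|` block scalar. The 60-day warning (V-71931) also has no `when`, so its header line prints even when no user exceeds the limit. All three are carried over unchanged from auth.yml, but a move is a convenient moment to fix them.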

@ -13,96 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Get a list of users on the system to use throughout the auth tasks
action: get_users
register: user_list
check_mode: no
tags:
- always
- name: Check if /etc/security/pwquality.conf exists
stat:
path: /etc/security/pwquality.conf
check_mode: no
register: pwquality_config_check
tags:
- always
- name: Set password quality requirements
blockinfile:
dest: /etc/security/pwquality.conf
backup: yes
insertbefore: EOF
marker: "# {mark} Added by openstack-ansible-security role"
state: present
block: "{{ lookup('template', 'pwquality.conf.j2') }}"
when:
- pwquality_config_check.stat.exists
tags:
- auth
- medium
- V-71903
- V-71905
- V-71907
- V-71909
- V-71911
- V-71913
- V-71915
- V-71917
- V-71935
- name: Use pwquality when passwords are changed or created
lineinfile:
dest: /etc/pam.d/passwd
line: "password required pam_pwquality.so retry=3"
state: present
when:
- security_enable_pwquality_password_set | bool
tags:
- auth
- medium
- V-73159
- name: Check for SHA512 password storage in PAM
command: "grep pam_unix.so {{ pam_password_file }}"
register: password_sha512_check
changed_when: False
check_mode: no
tags:
- always
- name: V-71919 - The PAM system service must be configured to store only encrypted representations of passwords.
debug:
msg: >
PAM is not using SHA512 for password storage. This is a security issue.
when:
- password_sha512_check is defined
- "'sha512' not in password_sha512_check.stdout"
tags:
- auth
- medium
- V-71919
- name: Configure shadow-utils configuration
lineinfile:
dest: /etc/login.defs
regexp: "^{{ item.parameter }}"
line: "{{ item.parameter }} {{ item.value }}"
state: present
when:
- item.value != ''
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
with_items: "{{ shadow_utils_rhel7 }}"
tags:
- auth
- medium
- V-71921
- V-71925
- V-71929
- V-71951
- V-71995
- V-72013
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
# microseconds.
- name: Set pam_faildelay configuration on Ubuntu
@ -120,74 +30,7 @@
- medium
- V-71951
- name: V-71923 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
ini_file:
dest: /etc/libuser.conf
section: defaults
option: crypt_style
value: sha512
backup: yes
when:
- security_libuser_crypt_style_sha512 | bool
- ansible_os_family | lower == 'redhat'
tags:
- auth
- medium
- V-71923
- name: Get all user accounts with a password lifetime limit under 24 hours
shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
check_mode: no
changed_when: False
register: password_lifetime_check
tags:
- auth
- medium
- V-71927
- skip_ansible_lint
- name: V-71927 - Passwords must be restricted to a 24 hours/1 day minimum lifetime.
debug:
msg: |
Accounts were found with a minimum password lifetime limit under 24 hours:
{{ password_lifetime_check.stdout_lines | join(', ') }}
when:
- password_lifetime_check.stdout_lines is defined
tags:
- auth
- medium
- V-71927
- name: V-71933 - Passwords must be prohibited from reuse for a minimum of five generations.
lineinfile:
dest: "{{ pam_password_file }}"
regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
line: '\1 remember={{ security_password_remember_password }}'
backrefs: yes
state: present
when:
- security_password_remember_password is defined
tags:
- auth
- medium
- V-71933
- name: V-71931 - Existing passwords must be restricted to a 60-day maximum lifetime.
debug:
msg: |
The following user accounts have an existing password with a lifetime of
greater than 60 days:
{%- for user in user_list.users %}
{% if user['shadow']['max_days'] > 60 %}
{{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
{% endif %}
{% endfor %}
tags:
- auth
- medium
- V-71931
- name: V-71937 - The system must not have accounts configured with blank or null passwords
- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
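Review bot: this hunk (and the next one) also renames the two remaining V-71937 tasks from "V-71937 - The system must not have accounts configured with blank or null passwords" to "Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)" / "(Red Hat)", which is not a move and is not mentioned in the commit message; a sentence noting that task names in auth.yml were made descriptive would make the change log match the diff.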
@ -203,7 +46,7 @@
- high
- V-71937
- name: V-71937 - The system must not have accounts configured with blank or null passwords
- name: Prevent users with blank or null passwords from authenticating (Red Hat)
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
@ -222,18 +65,6 @@
- high
- V-71937
- name: V-71941 - The operating system must disable account identifiers if the password expires.
lineinfile:
dest: /etc/default/useradd
regexp: '^[#\s]*INACTIVE'
line: 'INACTIVE=0'
when:
- security_disable_account_if_password_expires | bool
tags:
- auth
- medium
- V-71941
- name: V-71945 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
blockinfile:
dest: pam_password_file
@ -333,83 +164,6 @@
- V-71961
- V-71963
- name: Get all accounts with UID 0
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
changed_when: False
check_mode: no
register: root_user_check
tags:
- auth
- high
- V-72005
- skip_ansible_lint
- name: Check for groups in /etc/passwd that are not in /etc/group
debug:
msg: >
The following users have GIDs in /etc/passwd that do not exist in /etc/group:
{{ user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
when:
- user_list is defined
- user_list.users | selectattr('group', 'equalto', False) | list | length > 0
tags:
- auth
- low
- V-72003
- name: V-72005 - The root account must be the only account having unrestricted access to the system
fail:
msg: |
Only the 'root' user should have UID 0. Other users were found:
{{ root_user_check.stdout_lines | join(', ') }}"
when:
- root_user_check.stdout != 'root'
tags:
- auth
- high
- V-72005
- name: V-72011 - All local interactive users must have a home directory assigned in the /etc/passwd file.
debug:
msg: |
The following users do not have a home directory assigned:
{{ user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
when:
- user_list is defined
- user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | list | length > 0
tags:
- auth
- medium
- V-72011
- name: Check each user to see if its home directory exists on the filesystem
stat:
path: "{{ item['dir'] }}"
when:
- item['dir'] != ''
with_items: "{{ user_list.users }}"
register: home_directory_checks
tags:
- auth
- medium
- V-72015
- name: V-72015 - All local interactive user home directories defined in the /etc/passwd file must exist.
debug:
msg: |
These users have a home directory assigned, but the directory does not exist:
{% for check in home_directory_checks.results %}
{% if not check.stat.exists %}
{{ check.item.name }} ({{ check.item.dir }} does not exist)
{% endif %}
{% endfor %}
when:
- home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
tags:
- auth
- medium
- V-72015
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
dest: /etc/security/limits.d/openstack-ansible-security-maxlogins.conf

@ -49,6 +49,13 @@
- always
- skip_ansible_lint
- name: Get a list of users on the system to use throughout the auth tasks
action: get_users
register: user_list
check_mode: no
tags:
- always
# Package installations and removals must come first so that configuration
# changes can be made later.
- include: packages.yml
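Review bot: the task name "Get a list of users on the system to use throughout the auth tasks" is now stale, since `user_list` is consumed by the tasks in accounts.yml (the home-directory and GID checks) as well as those left in auth.yml; "throughout the security tasks" or similar would be accurate. Placing it here in main.yml before the includes is the right fix, because accounts.yml is included before auth.yml and would otherwise reference `user_list` before it is registered.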
@ -65,6 +72,7 @@
# each file are tagged with the same name (for example, tasks in `auth.yml`
# are tagged with `auth`). Also, the tag name matches up with the "STIG
# Controls by Tag" section of the role documentation.
- include: accounts.yml
- include: aide.yml
- include: auditd.yml
- include: auth.yml