
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38475 - Set minimum length for passwords
  # Only runs when the operator defines password_minimum_length; the regexp
  # also matches a commented-out PASS_MIN_LEN so the stock line is replaced.
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MIN_LEN'
    line: 'PASS_MIN_LEN {{ password_minimum_length }}'
  tags:
    - auth
    - cat2
    - V-38475
  when: password_minimum_length is defined
- name: V-38477 - Set minimum time for password changes
  # Skipped unless password_minimum_days is set; a leading '#' on the existing
  # PASS_MIN_DAYS line is tolerated so the default entry is rewritten in place.
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MIN_DAYS'
    line: 'PASS_MIN_DAYS {{ password_minimum_days }}'
  tags:
    - auth
    - cat2
    - V-38477
  when: password_minimum_days is defined
- name: V-38479 - Set maximum age for passwords
  # PASS_MAX_DAYS is managed only when password_maximum_days is defined.
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_MAX_DAYS'
    line: 'PASS_MAX_DAYS {{ password_maximum_days }}'
  tags:
    - auth
    - cat2
    - V-38479
  when: password_maximum_days is defined
- name: V-38480 - Warn users prior to password expiration
  # PASS_WARN_DAYS is managed only when password_warn_age is defined.
  lineinfile:
    dest: /etc/login.defs
    regexp: '^(#)?PASS_WARN_DAYS'
    line: 'PASS_WARN_DAYS {{ password_warn_age }}'
  tags:
    - auth
    - cat3
    - V-38480
  when: password_warn_age is defined
# The awk line here comes from the STIG itself. It does the following:
# * splits each line of /etc/shadow on colons (:)
# * ignores any lines that start with root
# * searches 2nd field (password) for accounts that don't start with ! or *
#   (either of those marks a locked account)
# * returns a list of those accounts other than root which aren't locked
# This list should be completely empty for a properly secured system.
- name: Check for default system accounts other than root that aren't locked (for V-38496)
  # Counts /etc/shadow entries (root excluded) whose password field begins with
  # neither '!' nor '*'. The count is consumed by the V-38496 fail task below.
  shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow | wc -l"
  register: v38496_result
  # The command itself never fails the play; a non-zero count is surfaced as a change.
  failed_when: false
  changed_when: v38496_result.stdout != '0'
  tags:
    - auth
    - cat2
    - V-38496
# The playbook will fail here if any default system accounts besides root are
# not locked.
- name: V-38496 - Default operating system accounts (other than root) must be locked
  # Aborts the play when the preceding check counted any unlocked non-root account.
  fail:
    msg: 'FAILED: Lock default system user accounts (other than root)'
  tags:
    - auth
    - cat2
    - V-38496
  when: v38496_result.stdout != '0'
# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
# /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
  # grep exits 0 when 'nullok' appears in the Ubuntu PAM auth stack; the rc is
  # evaluated by the next task, so neither a match nor a miss fails here.
  command: grep nullok /etc/pam.d/common-auth
  register: v38497_result
  failed_when: false
  changed_when: false
  tags:
    - auth
    - cat1
    - V-38497
# Print a warning about making a change. We ought to figure out a better way
# to capture this later.
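- name: V-38497 - The system must not have accounts configured with blank or null passwords.
  # The check task greps /etc/pam.d/common-auth (the Ubuntu location), so the
  # remediation message names that file rather than the RHEL system-auth path.
  fail:
    msg: "FAILED: Remove 'nullok' from /etc/pam.d/common-auth for better security."
  when: v38497_result.rc == 0
  tags:
    - auth
    - cat1
    - V-38497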
- name: Check if /etc/hosts.equiv exists (for V-38491)
  # Presence of the file is reported as a change; the V-38491 fail task acts on it.
  stat:
    path: /etc/hosts.equiv
  register: v38491_equiv_check
  changed_when: v38491_equiv_check.stat.exists
  tags:
    - auth
    - cat1
    - V-38491
- name: Check if root has a .rhosts file (for V-38491)
  # Presence of /root/.rhosts is reported as a change; the fail task below acts on it.
  stat:
    path: /root/.rhosts
  register: v38491_rhosts_check
  changed_when: v38491_rhosts_check.stat.exists
  tags:
    - auth
    - cat1
    - V-38491
- name: V-38491 - No .rhosts or hosts.equiv present on system
  # Either stat result being true is enough to abort; stat.exists is already
  # boolean so no comparison against True is needed.
  fail:
    msg: 'FAILED: Remove all .rhosts and hosts.equiv files'
  tags:
    - auth
    - cat1
    - V-38491
  when: v38491_equiv_check.stat.exists or v38491_rhosts_check.stat.exists
- name: Check for accounts with UID 0 other than root (for V-38500)
  # Counts /etc/passwd lines with UID 0 whose name is not root.
  shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
  register: v38500_result
  changed_when: v38500_result.stdout != '0'
  tags:
    - auth
    - cat2
    - V-38500
- name: V-38500 - The root account must be the only account with UID 0
  # Aborts when the preceding awk count is anything other than zero.
  fail:
    msg: 'FAILED: Another account besides root has UID 0'
  tags:
    - auth
    - cat2
    - V-38500
  when: v38500_result.stdout != '0'
# Opt-in required for fail2ban (see documentation and defaults/main.yml)
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
  # Opt-in: nothing is installed unless install_fail2ban is truthy.
  apt:
    name: fail2ban
    state: present
  tags:
    - auth
    - cat2
    - V-38501
  when: install_fail2ban | bool
# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
# Yes, the bantime we want to modify has two spaces before the equal sign.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
  # Drops the rendered jail configuration into jail.d and triggers the
  # 'restart fail2ban' handler; gated by the same opt-in flag as the install.
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.d/jail.local
  notify:
    - restart fail2ban
  tags:
    - auth
    - cat2
    - V-38501
  when: install_fail2ban | bool
- name: V-38591 - Remove rshd
  # Gated by remove_services['rsh-server']. Note the hyphenated key here versus
  # the underscored 'telnet_server' key used by V-38587 — confirm both spellings
  # against the keys declared in defaults/main.yml.
  apt:
    name: rsh-server
    state: absent
  tags:
    - auth
    - cat1
    - V-38591
  when: remove_services['rsh-server'] | bool
- name: V-38587 - Remove telnet-server
  # Gated by remove_services['telnet_server'] (underscored, unlike the
  # 'rsh-server' key used by V-38591 — confirm against defaults/main.yml).
  apt:
    name: telnetd
    state: absent
  tags:
    - auth
    - cat1
    - V-38587
  when: remove_services['telnet_server'] | bool
- name: Search /etc/passwd for password hashes (for V-38499)
  # Counts /etc/passwd entries whose password field is not the shadow marker 'x'.
  shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
  register: v38499_result
  changed_when: false
  tags:
    - auth
    - cat2
    - V-38499
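- name: V-38499 - The /etc/passwd file must not contain password hashes
  # The check reads /etc/passwd, so the remediation message names that file
  # (not the non-existent /etc/password).
  fail:
    msg: 'FAILED: Remove password hashes from /etc/passwd to remediate'
  when: v38499_result.stdout != '0'
  tags:
    - auth
    - cat2
    - V-38499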
- name: V-38450 - The /etc/passwd file must be owned by root
  # Ownership only; group and mode are handled by V-38451 and V-38457.
  file:
    path: /etc/passwd
    owner: root
  tags:
    - auth
    - cat2
    - V-38450
- name: V-38451 - The /etc/passwd file must be group-owned by root
  # Group ownership only; owner and mode are handled by V-38450 and V-38457.
  file:
    path: /etc/passwd
    group: root
  tags:
    - auth
    - cat2
    - V-38451
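- name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive
  # The mode is quoted so the YAML parser hands the octal string through
  # unchanged instead of retyping it as an integer. Note that the file module
  # sets the mode to exactly 0644; it does not merely cap a more permissive mode.
  file:
    path: /etc/passwd
    mode: '0644'
  tags:
    - auth
    - cat2
    - V-38457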
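- name: Check if vsftpd installed (for V-38599)
  # No pipes or shell expansion are involved, so command is used instead of
  # shell. The rc is consumed by the two V-38599 tasks that follow; the query
  # itself never fails the play.
  command: dpkg --status vsftpd
  register: v38599_result
  changed_when: false
  failed_when: false
  tags:
    - auth
    - cat2
    - V-38599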
- name: Copy login banner (for V-38599)
  # Installs the banner text only when the dpkg query above reported vsftpd
  # present, then triggers the 'restart vsftpd' handler.
  copy:
    src: login_banner.txt
    dest: /etc/issue.net
  notify:
    - restart vsftpd
  tags:
    - auth
    - cat2
    - V-38599
  when: v38599_result.rc == 0
- name: V-38599 - Set warning banner for FTPS/FTP logins
  # Points vsftpd at the banner copied above.
  # NOTE(review): Debian/Ubuntu's vsftpd package ships its configuration as
  # /etc/vsftpd.conf; confirm /etc/vsftpd/vsftpd.conf exists on the target,
  # as lineinfile does not create a missing destination unless told to.
  lineinfile:
    dest: /etc/vsftpd/vsftpd.conf
    regexp: '^(#)?banner_file'
    line: 'banner_file=/etc/issue.net'
  notify:
    - restart vsftpd
  tags:
    - auth
    - cat2
    - V-38599
  when: v38599_result.rc == 0
- name: V-38681 - Check for missing GID's in /etc/group
  # The pipeline's rc is grep's: 0 = a 'no group' line was found, 1 = nothing
  # found, 2 or more = error. Only the error case fails here; rc 0 is turned
  # into a play failure by the next task.
  shell: "pwck -r | grep 'no group'"
  register: v38681_result
  failed_when: v38681_result.rc > 1
  changed_when: false
  tags:
    - auth
    - cat3
    - V-38681
- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
  # rc 1 from the grep above is the clean state; anything else aborts the play.
  fail:
    msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
  tags:
    - auth
    - cat3
    - V-38681
  when: v38681_result.rc != 1
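- name: V-38692 - Lock inactive accounts
  # useradd reads its defaults from /etc/default/useradd in KEY=VALUE form, so
  # the managed line must be "INACTIVE=<days>" in that file. Skipped unless
  # inactive_account_lock_days is defined.
  lineinfile:
    dest: /etc/default/useradd
    regexp: '^(#)?INACTIVE'
    line: 'INACTIVE={{ inactive_account_lock_days }}'
  when: inactive_account_lock_days is defined
  tags:
    - auth
    - cat3
    - V-38692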
- name: Checking for accounts with non-unique usernames (for V-38683)
  # Counts every line pwck -rq prints, so any passwd inconsistency it reports,
  # not only duplicate names, yields a non-zero count.
  shell: pwck -rq | wc -l
  register: v38683_result
  changed_when: false
  tags:
    - auth
    - cat3
    - V-38683
- name: V-38683 - All accounts on the system must have unique user/account names
  # Aborts when the pwck line count above is anything other than zero.
  fail:
    msg: 'FAILED: Found accounts without unique usernames'
  tags:
    - auth
    - cat3
    - V-38683
  when: v38683_result.stdout != '0'