--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-38475 - Set minimum length for passwords lineinfile: dest: /etc/login.defs regexp: "^(#)?PASS_MIN_LEN" line: "PASS_MIN_LEN {{ password_minimum_length }}" when: password_minimum_length is defined tags: - auth - cat2 - V-38475 - name: V-38477 - Set minimum time for password changes lineinfile: dest: /etc/login.defs regexp: "^(#)?PASS_MIN_DAYS" line: "PASS_MIN_DAYS {{ password_minimum_days }}" when: password_minimum_days is defined tags: - auth - cat2 - V-38477 - name: V-38479 - Set maximum age for passwords lineinfile: dest: /etc/login.defs regexp: "^(#)?PASS_MAX_DAYS" line: "PASS_MAX_DAYS {{ password_maximum_days }}" when: password_maximum_days is defined tags: - auth - cat2 - V-38479 - name: V-38480 - Warn users prior to password expiration lineinfile: dest: /etc/login.defs regexp: "^(#)?PASS_WARN_DAYS" line: "PASS_WARN_DAYS {{ password_warn_age }}" when: password_warn_age is defined tags: - auth - cat3 - V-38480 - name: V-38496 - Get all system accounts shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd" register: v38496_system_users always_run: True tags: - auth - cat2 - V-38496 - name: V-38496 - Loop through system accounts to find unlocked accounts shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow" register: v38496_unlocked_system_users always_run: True with_items: v38496_system_users.stdout_lines tags: - auth - cat2 - V-38496 - name: V-38496 - Gather problematic system accounts set_fact: v38496_violations: | {% for i in v38496_unlocked_system_users.results %} {% if i.stdout|length > 0 %} {{ i.stdout }} {% endif %} {% endfor %} tags: - auth - cat2 - V-38496 # The playbook will fail here if any default system accounts besides root are # not locked. - name: V-38496 - Default operating system accounts (other than root) must be locked fail: msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}" when: v38496_violations|length > 0 tags: - auth - cat2 - V-38496 # RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in # /etc/pam.d/common-auth - name: V-38497 - The system must not have accounts configured with blank or null passwords. lineinfile: dest: /etc/pam.d/common-auth state: present regexp: "^(.*)nullok_secure(.*)$" line: '\1\2' backup: yes backrefs: yes when: pam_remove_nullok | bool tags: - auth - cat1 - V-38497 - name: Check if /etc/hosts.equiv exists (for V-38491) stat: path: /etc/hosts.equiv register: v38491_equiv_check changed_when: v38491_equiv_check.stat.exists == True tags: - auth - cat1 - V-38491 - name: Check if root has a .rhosts file (for V-38491) stat: path: /root/.rhosts register: v38491_rhosts_check changed_when: v38491_rhosts_check.stat.exists == True tags: - auth - cat1 - V-38491 - name: V-38491 - No .rhosts or hosts.equiv present on system fail: msg: "FAILED: Remove all .rhosts and hosts.equiv files" when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True tags: - auth - cat1 - V-38491 - name: Check for accounts with UID 0 other than root (for V-38500) shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l" register: v38500_result changed_when: v38500_result.stdout != '0' always_run: True tags: - auth - cat2 - V-38500 - name: V-38500 - The root account must be the only account with UID 0 fail: msg: "FAILED: Another account besides root has UID 0" when: v38500_result.stdout != '0' tags: - auth - cat2 - V-38500 # Opt-in required for fail2ban (see documentation and defaults/main.yml) # Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative # for ssh-based authentication. See the documentation for details. - name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban) apt: name: fail2ban state: present when: install_fail2ban | bool tags: - auth - cat2 - V-38501 # Ban the offending IP for 15 minutes to meet the spirit of the STIG. # Yes, the bantime we want to modify has two spaces before the equal sign. - name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban) template: src: jail.local.j2 dest: /etc/fail2ban/jail.d/jail.local when: install_fail2ban | bool notify: - restart fail2ban tags: - auth - cat2 - V-38501 - name: V-38591 - Remove rshd apt: name: rsh-server state: absent when: remove_services['rsh-server'] | bool tags: - auth - cat1 - V-38591 - name: V-38587 - Remove telnet-server apt: name: telnetd state: absent when: remove_services['telnet_server'] | bool tags: - auth - cat1 - V-38587 - name: Search /etc/passwd for password hashes (for V-38499) shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l" register: v38499_result changed_when: False always_run: True tags: - auth - cat2 - V-38499 - name: V-38499 - The /etc/passwd file must not contain password hashes fail: msg: "FAILED: Remove password hashes from /etc/password to remediate" when: "v38499_result.stdout != '0'" tags: - auth - cat2 - V-38499 - name: V-38450 - The /etc/passwd file must be owned by root file: path: /etc/passwd owner: root tags: - auth - cat2 - V-38450 - name: V-38451 - The /etc/passwd file must be group-owned by root file: path: /etc/passwd group: root tags: - auth - cat2 - V-38451 # Ubuntu's default is 0644 already - name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive file: path: /etc/passwd mode: 0644 tags: - auth - cat2 - V-38457 # SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default # hashing algorithm as well. - name: Check password hashing algorithm used by PAM (for V-38574) shell: "grep '^\\s*password.*pam_unix.*sha512' /etc/pam.d/common-password" register: v38574_result changed_when: False failed_when: False always_run: True tags: - auth - cat2 - V-38574 # If SHA512 isn't in use for some reason, we should fail and display an error. - name: V-38574 - System must use FIPS 140-2 approved hashing algorithm for passwords (PAM) fail: msg: "FAILED: Must use SHA512 for password hashing (via PAM)" when: v38574_result.rc != 0 tags: - auth - cat2 - V-38574 - name: Check password hashing algorithm used in login.defs (for V-38576) shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs" register: v38576_result changed_when: v38576_result.rc != 0 always_run: True tags: - auth - cat2 - V-38576 # If SHA512 isn't in use for some reason, we should fail and display an error. - name: V-38576 - System must use FIPS 140-2 approved hashing algorithm for passwords (login.defs) debug: msg: "FAILED: Must use SHA512 for password hashing (in /etc/login.defs)" when: v38576_result.rc != 0 failed_when: v38576_result.rc != 0 tags: - auth - cat2 - V-38576 # Neither Ubuntu or openstack-ansible installs libuser by default, so there's # no need to install it here unless the deployer has it installed for some # reason. - name: Check if libuser is installed (for V-38577) shell: "dpkg --status libuser | grep '^Status.*ok installed'" register: v38577_libuser_check changed_when: False failed_when: False always_run: True tags: - auth - cat2 - V-38577 # Only look at libuser.conf when we are sure that libuser is installed - name: If libuser is installed, verify hashing algorithm in use (for V-38577) shell: "grep '^crypt_style = sha512' /etc/libuser.conf" register: v38577_result when: v38577_libuser_check.rc == 0 changed_when: v38577_result.rc != 0 tags: - auth - cat2 - V-38577 # If libuser is installed *AND* it's using unacceptable password hashing # algorithms, throw an error and a failure. - name: V-38577 - System must use FIPS 140-2 approved hashing algorithm for passwords (libuser) debug: msg: "FAILED: libuser isn't configured to use SHA512 hashing for passwords" when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0 failed_when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0 tags: - auth - cat2 - V-38577 - name: V-38681 - Check for missing GID's in /etc/group shell: "pwck -r | grep 'no group'" register: v38681_result changed_when: False failed_when: v38681_result.rc > 1 always_run: True tags: - auth - cat3 - V-38681 - name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group fail: msg: "FAILED: GID's in /etc/passwd aren't in /etc/group" when: v38681_result.rc != 1 tags: - auth - cat3 - V-38681 - name: V-38692 - Lock inactive accounts lineinfile: dest: /etc/default_useradd regexp: "^(#)?INACTIVE" line: "INACTIVE {{ inactive_account_lock_days }}" when: inactive_account_lock_days is defined tags: - auth - cat3 - V-38692 - name: Checking for accounts with non-unique usernames (for V-38683) shell: pwck -rq | wc -l register: v38683_result changed_when: False always_run: True tags: - auth - cat3 - V-38683 - name: V-38683 - All accounts on the system must have unique user/account names fail: msg: "FAILED: Found accounts without unique usernames" when: v38683_result.stdout != '0' tags: - auth - cat3 - V-38683 # This should be updated to use the find module when Ansible 2.0 is available. - name: Search for sudoers files (for V-58901) shell: find /etc/sudoers* -type f register: v58901_result always_run: True tags: - auth - cat2 - V-58901 # The lineinfile module can't be used here since we may need to comment out # multiple lines. - name: Comment out sudoers lines with NOPASSWD present (for V-58901) shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}" with_items: v58901_result.stdout_lines when: sudoers_remove_nopasswd | bool tags: - auth - cat2 - V-58901 # The lineinfile module can't be used here since we may need to comment out # multiple lines. - name: Comment out sudoers lines with !authenticate present (for V-58901) shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}" with_items: v58901_result.stdout_lines when: sudoers_remove_authenticate | bool tags: - auth - cat2 - V-58901