openstack
/
openstack-ansible-security
Code Issues Proposed changes
openstack-ansible-security/tasks/auth.yml

451 lines
12 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38475 - Set minimum length for passwords
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MIN_LEN"
line: "PASS_MIN_LEN {{ security_password_minimum_length }}"
when: security_password_minimum_length is defined
tags:
- auth
- cat2
- V-38475
- name: V-38477 - Set minimum time for password changes
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MIN_DAYS"
line: "PASS_MIN_DAYS {{ security_password_minimum_days }}"
when: security_password_minimum_days is defined
tags:
- auth
- cat2
- V-38477
- name: V-38479 - Set maximum age for passwords
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_MAX_DAYS"
line: "PASS_MAX_DAYS {{ security_password_maximum_days }}"
when: security_password_maximum_days is defined
tags:
- auth
- cat2
- V-38479
- name: V-38480 - Warn users prior to password expiration
lineinfile:
dest: /etc/login.defs
regexp: "^(#)?PASS_WARN_DAYS"
line: "PASS_WARN_DAYS {{ security_password_warn_age }}"
when: security_password_warn_age is defined
tags:
- auth
- cat3
- V-38480
- name: V-38496 - Get all system accounts
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
register: v38496_system_users
always_run: True
tags:
- auth
- cat2
- V-38496
- name: V-38496 - Loop through system accounts to find unlocked accounts
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
register: v38496_unlocked_system_users
always_run: True
with_items: v38496_system_users.stdout_lines
tags:
- auth
- cat2
- V-38496
- name: V-38496 - Gather problematic system accounts
set_fact:
v38496_violations: |
{% for i in v38496_unlocked_system_users.results %}
{% if i.stdout|length > 0 %}
{{ i.stdout }}
{% endif %}
{% endfor %}
tags:
- auth
- cat2
- V-38496
# The playbook will fail here if any default system accounts besides root are
# not locked.
- name: V-38496 - Default operating system accounts (other than root) must be locked
fail:
msg: "FAILED: System accounts are unlocked: {{ v38496_violations|trim|replace('\n',', ') }}"
when: v38496_violations|length > 0
tags:
- auth
- cat2
- V-38496
# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
# /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
when: security_pam_remove_nullok | bool
tags:
- auth
- cat1
- V-38497
- name: Check if /etc/hosts.equiv exists (for V-38491)
stat:
path: /etc/hosts.equiv
register: v38491_equiv_check
changed_when: v38491_equiv_check.stat.exists == True
tags:
- auth
- cat1
- V-38491
- name: Check if root has a .rhosts file (for V-38491)
stat:
path: /root/.rhosts
register: v38491_rhosts_check
changed_when: v38491_rhosts_check.stat.exists == True
tags:
- auth
- cat1
- V-38491
- name: V-38491 - No .rhosts or hosts.equiv present on system
fail:
msg: "FAILED: Remove all .rhosts and hosts.equiv files"
when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True
tags:
- auth
- cat1
- V-38491
- name: Check for accounts with UID 0 other than root (for V-38500)
shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
register: v38500_result
changed_when: v38500_result.stdout != '0'
always_run: True
tags:
- auth
- cat2
- V-38500
- name: V-38500 - The root account must be the only account with UID 0
fail:
msg: "FAILED: Another account besides root has UID 0"
when: v38500_result.stdout != '0'
tags:
- auth
- cat2
- V-38500
# Opt-in required for fail2ban (see documentation and defaults/main.yml)
# Ubuntu doesn't offer pam_faillock, but fail2ban provides a decent alternative
# for ssh-based authentication. See the documentation for details.
- name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
apt:
name: fail2ban
state: present
when: security_install_fail2ban | bool
tags:
- auth
- cat2
- V-38501
# Ban the offending IP for 15 minutes to meet the spirit of the STIG.
# Yes, the bantime we want to modify has two spaces before the equal sign.
- name: V-38501 - The system must disable accounts after excessive login failures (configure fail2ban)
template:
src: jail.local.j2
dest: /etc/fail2ban/jail.d/jail.local
when: security_install_fail2ban | bool
notify:
- restart fail2ban
tags:
- auth
- cat2
- V-38501
- name: V-38591 - Remove rshd with apt
apt:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38591 - Remove rshd with yum
yum:
name: rsh-server
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server with apt
apt:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: V-38587 - Remove telnet-server with yum
yum:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: Search /etc/passwd for password hashes (for V-38499)
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
register: v38499_result
changed_when: False
always_run: True
tags:
- auth
- cat2
- V-38499
- name: V-38499 - The /etc/passwd file must not contain password hashes
fail:
msg: "FAILED: Remove password hashes from /etc/password to remediate"
when: "v38499_result.stdout != '0'"
tags:
- auth
- cat2
- V-38499
- name: V-38450 - The /etc/passwd file must be owned by root
file:
path: /etc/passwd
owner: root
tags:
- auth
- cat2
- V-38450
- name: V-38451 - The /etc/passwd file must be group-owned by root
file:
path: /etc/passwd
group: root
tags:
- auth
- cat2
- V-38451
# Ubuntu's default is 0644 already
- name: V-38457 - The /etc/passwd file must have mode 0644 or less permissive
file:
path: /etc/passwd
mode: 0644
tags:
- auth
- cat2
- V-38457
# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
# hashing algorithm as well.
- name: Check password hashing algorithm used by PAM (for V-38574)
shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
register: v38574_result
changed_when: False
failed_when: False
always_run: True
tags:
- auth
- cat2
- V-38574
# If SHA512 isn't in use for some reason, we should fail and display an error.
- name: V-38574 - System must use FIPS 140-2 approved hashing algorithm for passwords (PAM)
fail:
msg: "FAILED: Must use SHA512 for password hashing (via PAM)"
when: v38574_result.rc != 0
tags:
- auth
- cat2
- V-38574
- name: Check password hashing algorithm used in login.defs (for V-38576)
shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
register: v38576_result
changed_when: v38576_result.rc != 0
always_run: True
tags:
- auth
- cat2
- V-38576
# If SHA512 isn't in use for some reason, we should fail and display an error.
- name: V-38576 - System must use FIPS 140-2 approved hashing algorithm for passwords (login.defs)
debug:
msg: "FAILED: Must use SHA512 for password hashing (in /etc/login.defs)"
when: v38576_result.rc != 0
failed_when: v38576_result.rc != 0
tags:
- auth
- cat2
- V-38576
# Neither Ubuntu or openstack-ansible installs libuser by default, so there's
# no need to install it here unless the deployer has it installed for some
# reason.
- name: Check if libuser is installed (for V-38577)
shell: "dpkg --status libuser | grep '^Status.*ok installed'"
register: v38577_libuser_check
changed_when: False
failed_when: False
always_run: True
tags:
- auth
- cat2
- V-38577
# Only look at libuser.conf when we are sure that libuser is installed
- name: If libuser is installed, verify hashing algorithm in use (for V-38577)
shell: "grep '^crypt_style = sha512' /etc/libuser.conf"
register: v38577_result
when: v38577_libuser_check.rc == 0
changed_when: v38577_result.rc != 0
tags:
- auth
- cat2
- V-38577
# If libuser is installed *AND* it's using unacceptable password hashing
# algorithms, throw an error and a failure.
- name: V-38577 - System must use FIPS 140-2 approved hashing algorithm for passwords (libuser)
debug:
msg: "FAILED: libuser isn't configured to use SHA512 hashing for passwords"
when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0
failed_when: v38577_libuser_check.rc == 0 and v38577_result.rc != 0
tags:
- auth
- cat2
- V-38577
- name: V-38681 - Check for missing GID's in /etc/group
shell: "pwck -r | grep 'no group'"
register: v38681_result
changed_when: False
failed_when: v38681_result.rc > 1
always_run: True
tags:
- auth
- cat3
- V-38681
- name: V-38681 - All GID's in /etc/passwd must be defined in /etc/group
fail:
msg: "FAILED: GID's in /etc/passwd aren't in /etc/group"
when: v38681_result.rc != 1
tags:
- auth
- cat3
- V-38681
- name: V-38692 - Lock inactive accounts
lineinfile:
dest: /etc/default_useradd
regexp: "^(#)?INACTIVE"
line: "INACTIVE {{ security_inactive_account_lock_days }}"
when: security_inactive_account_lock_days is defined
tags:
- auth
- cat3
- V-38692
- name: Checking for accounts with non-unique usernames (for V-38683)
shell: pwck -rq | wc -l
register: v38683_result
changed_when: False
always_run: True
tags:
- auth
- cat3
- V-38683
- name: V-38683 - All accounts on the system must have unique user/account names
fail:
msg: "FAILED: Found accounts without unique usernames"
when: v38683_result.stdout != '0'
tags:
- auth
- cat3
- V-38683
# This should be updated to use the find module when Ansible 2.0 is available.
- name: Search for sudoers files (for V-58901)
shell: find /etc/sudoers* -type f
register: v58901_result
always_run: True
tags:
- auth
- cat2
- V-58901
# The lineinfile module can't be used here since we may need to comment out
# multiple lines.
- name: Comment out sudoers lines with NOPASSWD present (for V-58901)
shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
with_items: v58901_result.stdout_lines
when: security_sudoers_remove_nopasswd | bool
tags:
- auth
- cat2
- V-58901
# The lineinfile module can't be used here since we may need to comment out
# multiple lines.
- name: Comment out sudoers lines with !authenticate present (for V-58901)
shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
with_items: v58901_result.stdout_lines
when: security_sudoers_remove_authenticate | bool
tags:
- auth
- cat2
- V-58901
View Git Blame Copy Permalink