
Implements management of `/etc/login.defs`

Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere to security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
changes/85/457985/12
lhinds 4 years ago
parent
commit
502fde7a64
  1. 6
      capabilities-map.yaml
  2. 1
      ci/environments/scenario001-multinode-containers.yaml
  3. 2
      environments/hyperconverged-ceph.yaml
  4. 9
      environments/login-defs.yaml
  5. 1
      overcloud-resource-registry-puppet.j2.yaml
  6. 66
      puppet/services/login-defs.yaml
  7. 1
      roles/BlockStorage.yaml
  8. 1
      roles/CephStorage.yaml
  9. 1
      roles/Compute.yaml
  10. 1
      roles/ComputeHCI.yaml
  11. 1
      roles/ComputeOvsDpdk.yaml
  12. 1
      roles/ComputeSriov.yaml
  13. 1
      roles/Controller.yaml
  14. 2
      roles/ControllerOpenstack.yaml
  15. 1
      roles/Database.yaml
  16. 1
      roles/IronicConductor.yaml
  17. 1
      roles/Messaging.yaml
  18. 1
      roles/Networker.yaml
  19. 1
      roles/ObjectStorage.yaml
  20. 1
      roles/Telemetry.yaml
  21. 1
      roles/Undercloud.yaml
  22. 1
      roles/UndercloudLight.yaml
  23. 5
      roles_data.yaml
  24. 1
      roles_data_undercloud.yaml

6
capabilities-map.yaml

@ -531,6 +531,11 @@ topics:
environments:
- file: environments/securetty.yaml
title: SecureTTY Values
- title: login.defs values
description: Set values within /etc/login.defs
environments:
- file: environments/login-defs.yaml
title: login.defs Values
- title: Additional Services
description:
@ -642,3 +647,4 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml

1
ci/environments/scenario001-multinode-containers.yaml

@ -36,6 +36,7 @@ parameter_defaults:
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::GlanceApi
- OS::TripleO::Services::HeatApi
- OS::TripleO::Services::HeatApiCfn

2
environments/hyperconverged-ceph.yaml

@ -52,3 +52,5 @@ parameter_defaults:
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::OVNController
- OS::TripleO::Services::RsyslogSidecar
- OS::TripleO::Services::LoginDefs

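--- /dev/null
+++ b/environments/login-defs.yaml
@@ -0,0 +1,9 @@
+resource_registry:
+OS::TripleO::Services::LoginDefs: ../puppet/services/login-defs.yaml
+parameter_defaults:
+PasswordMaxDays: 60
+PasswordMinDays: 1
+PasswordMinLen: 5
+PasswordWarnAge: 7
+FailDelay: 4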
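Review bot: `PasswordMinLen: 5` in this sample environment is weaker than the baselines the commit message cites; the CIS and DISA STIG benchmarks for this control call for a minimum length in the mid-teens (14 and 15 characters respectively, as I recall — confirm against the current benchmark text), so an operator who deploys this file unchanged would not meet them. Since this file is the only documented way to enable the service, consider either raising the shipped value or adding a comment above `parameter_defaults:` such as `# Example values only; set these to match the hardening baseline you intend to meet (e.g. CIS, DISA STIG).` so the numbers are not mistaken for a vetted policy.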

1
overcloud-resource-registry-puppet.j2.yaml

@ -302,6 +302,7 @@ resource_registry:
OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
OS::TripleO::Services::SkydiveAgent: OS::Heat::None
OS::TripleO::Services::SkydiveAnalyzer: OS::Heat::None
OS::TripleO::Services::LoginDefs: OS::Heat::None
# Logging
OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml

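--- /dev/null
+++ b/puppet/services/login-defs.yaml
@@ -0,0 +1,66 @@
+heat_template_version: pike
+description: >
+Configure login.defs values
+parameters:
+ServiceData:
+default: {}
+description: Dictionary packing service data
+type: json
+ServiceNetMap:
+default: {}
+description: Mapping of service_name -> network name. Typically set
+via parameter_defaults in the resource registry. This
+mapping overrides those in ServiceNetMapDefaults.
+type: json
+DefaultPasswords:
+default: {}
+type: json
+RoleName:
+default: ''
+description: Role name on which the service is applied
+type: string
+RoleParameters:
+default: {}
+description: Parameters specific to the role
+type: json
+EndpointMap:
+default: {}
+description: Mapping of service endpoint -> protocol. Typically set
+via parameter_defaults in the resource registry.
+type: json
+PasswordMaxDays:
+default: {}
+description: Set the maximum age allowed for passwords
+type: number
+PasswordMinDays:
+default: {}
+description: Set the minimum age allowed for passwords
+type: number
+PasswordWarnAge:
+default: {}
+description: Set the warning period for password expiration
+type: number
+PasswordMinLen:
+default: {}
+description: Set the minimum length allowed for passwords
+type: number
+FailDelay:
+default: {}
+description: The period of time between password retries
+type: number
+outputs:
+role_data:
+description: Parameters for configuration of the login.defs file
+value:
+service_name: login_defs
+config_settings:
+tripleo::profile::base::login_defs::password_max_days: {get_param: PasswordMaxDays}
+tripleo::profile::base::login_defs::password_min_days: {get_param: PasswordMinDays}
+tripleo::profile::base::login_defs::password_warn_age: {get_param: PasswordWarnAge}
+tripleo::profile::base::login_defs::password_min_len: {get_param: PasswordMinLen}
+tripleo::profile::base::login_defs::fail_delay: {get_param: FailDelay}
+step_config: |
+include ::tripleo::profile::base::login_defs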
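Review bot: The five login.defs parameters (PasswordMaxDays through FailDelay) declare `type: number` but `default: {}`, so each default is an empty map rather than a number; Heat validates parameter defaults against the declared type, so this is likely to fail template validation for any caller that maps the service without setting all five in parameter_defaults, and even where it passes an empty map would reach the puppet profile as a non-numeric value. Either give each one a numeric default, e.g. `default: 60` for PasswordMaxDays mirroring what environments/login-defs.yaml ships, or drop `default:` so Heat requires the operator to supply the value explicitly; for hardening knobs the latter is the safer choice, since a silently applied number can weaken the policy without anyone noticing. `DefaultPasswords` is also the only parameter here without a `description:`; a one-line description matching the other service templates would keep this file consistent with them.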

1
roles/BlockStorage.yaml

@ -19,6 +19,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/CephStorage.yaml

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Compute.yaml

@ -36,6 +36,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent

1
roles/ComputeHCI.yaml

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent

1
roles/ComputeOvsDpdk.yaml

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NovaCompute

1
roles/ComputeSriov.yaml

@ -27,6 +27,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronSriovAgent

1
roles/Controller.yaml

@ -76,6 +76,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon

2
roles/ControllerOpenstack.yaml

@ -61,6 +61,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon
@ -118,4 +119,3 @@
- OS::TripleO::Services::Tuned
- OS::TripleO::Services::Vpp
- OS::TripleO::Services::Zaqar

1
roles/Database.yaml

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp

1
roles/IronicConductor.yaml

@ -15,6 +15,7 @@
- OS::TripleO::Services::IronicConductor
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Messaging.yaml

@ -15,6 +15,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
- OS::TripleO::Services::Pacemaker

1
roles/Networker.yaml

@ -16,6 +16,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronDhcpAgent
- OS::TripleO::Services::NeutronL2gwAgent

1
roles/ObjectStorage.yaml

@ -24,6 +24,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Telemetry.yaml

@ -21,6 +21,7 @@
- OS::TripleO::Services::GnocchiMetricd
- OS::TripleO::Services::GnocchiStatsd
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles/Undercloud.yaml

@ -23,6 +23,7 @@
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine

1
roles/UndercloudLight.yaml

@ -19,6 +19,7 @@
- OS::TripleO::Services::HeatApiCfn
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine

5
roles_data.yaml

@ -79,6 +79,7 @@
- OS::TripleO::Services::Keepalived
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::ManilaApi
- OS::TripleO::Services::ManilaBackendCephFs
- OS::TripleO::Services::ManilaBackendIsilon
@ -187,6 +188,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::NeutronBgpVpnBagpipe
- OS::TripleO::Services::NeutronLinuxbridgeAgent
@ -230,6 +232,7 @@
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
@ -268,6 +271,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond
@ -300,6 +304,7 @@
- OS::TripleO::Services::Docker
- OS::TripleO::Services::Fluentd
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::MySQLClient
- OS::TripleO::Services::Ntp
- OS::TripleO::Services::ContainersLogrotateCrond

1
roles_data_undercloud.yaml

@ -26,6 +26,7 @@
- OS::TripleO::Services::IronicPxe
- OS::TripleO::Services::Iscsid
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::LoginDefs
- OS::TripleO::Services::Memcached
- OS::TripleO::Services::MistralApi
- OS::TripleO::Services::MistralEngine
