X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=fdf6512a635c7e7edc89e29d4acbfe54e8515ce9;hb=2dfb03eebd138f9c7d52d962ab7468eb248fd23e;hp=5558cd0296aa25f0f56cc34493af5fa8d20b1314;hpb=3a7fca60d2a33657024ad83011ee233c879b416a;p=ta%2Finfra-ansible.git diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml index 5558cd0..fdf6512 100644 --- a/roles/ops-hardening/tasks/main.yaml +++ b/roles/ops-hardening/tasks/main.yaml @@ -66,9 +66,35 @@ regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$' line: 'PASS_MIN_DAYS 0' +- name: "Set password hash to SHA512" + lineinfile: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD[\s]*[a-z0-9]*$' + line: 'ENCRYPT_METHOD SHA512' + +- name: "Set minimum number of password hash rounds" + lineinfile: + path: /etc/login.defs + regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$' + line: 'SHA_CRYPT_MIN_ROUNDS 10000' + +- name: "Set maximum number of password hash rounds" + lineinfile: + path: /etc/login.defs + regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$' + line: 'SHA_CRYPT_MAX_ROUNDS 10000' + # # Linux Failed password attempts # +- name: "Ensure authconfig is properly configured" + command: authconfig --updateall + with_items: + - /etc/pam.d/system-auth-ac + - /etc/pam.d/password-auth-ac + when: not (item|exists and item|is_file) + tags: + - REC-443 - name: "Set Deny for failed password attempts 1" lineinfile: @@ -204,6 +230,14 @@ when: - item.stat.exists == true +- name: Limit access to the assembler binary + file: + path: "/usr/bin/as" + state: file + mode: "0700" + owner: root + group: root + # # Disable direct root login # @@ -247,8 +281,7 @@ state: absent regexp: '^tcp6.*' -- name: Disable automatic ipv6 configuration - when: ansible_default_ipv6|length > 0 +- name: Disable automatic ipv6 configuration and routing sysctl: name: "{{ item.name }}" value: "{{ item.value }}" @@ -256,12 +289,13 @@ reload: yes with_items: - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 } + - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 } - { name: 'net.ipv6.conf.all.accept_ra', value: 0 } - { name: 'net.ipv6.conf.default.accept_ra', value: 0 } - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 } - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 } - - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 } - { name: 'net.ipv6.conf.all.forwarding', value: 0 } + - { name: 'net.ipv6.conf.default.forwarding', value: 0 } # # Configure kernel parameters @@ -291,6 +325,9 @@ - { name: 'kernel.core_uses_pid', value: 1 } - { name: 'kernel.randomize_va_space', value: 2 } - { name: 'kernel.core_pattern', value: '/var/core/core'} + - { name: 'kernel.kptr_restrict', value: 2 } + - { name: 'kernel.sysrq', value: 0 } + - { name: 'kernel.yama.ptrace_scope', value: 3 } # # Configure core dump @@ -309,6 +346,13 @@ line: 'Storage=none' # +# Confingure kernel dump +- name: "Disable kernel dump service" + shell: systemctl stop kdump.service + +- name: "Disable kernel dump service" + shell: systemctl disable kdump.service + # Configure syslog # - name: "Stop rsyslog Service" @@ -434,6 +478,75 @@ state: absent # +# tighten USB permissions +# +- name: Set USBGuard RestoreControllerDeviceState to false + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^[#\s]*RestoreControllerDeviceState\s*=\s*[a-z\-]*\s*$' + line: 'RestoreControllerDeviceState=false' + +- name: Set USBGuard ImplicitPolicyTarget to block + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^[#\s]*ImplicitPolicyTarget\s*=\s*[a-z\-]*\s*$' + line: 'ImplicitPolicyTarget=block' + +- name: Apply USBGuard policy in all cases + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: "^[#\\s]*{{ item }}\\s*=\\s*[a-z\\-]*\\s*$" + line: "{{ item }}=apply-policy" + with_items: + - PresentControllerPolicy + - PresentDevicePolicy + - InsertedDevicePolicy + +- name: Limit USBGuard IPC to root + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: "^[#\\s]*IPCAllowed{{item}}\\s*=" + line: "IPCAllowed{{item}}=root" + with_items: + - Users + - Groups + +- Name: Ban suspect USB devices + blockinfile: + # this isn't the optimal way to do this, i know, but i don't + # want to create a whole new template tree just to add this. + path: /etc/usbguard/rules.conf + create: yes + owner: root + group: root + mode: 0700 + insertbefore: BOF + # rules.conf doesn't seem to allow comments + marker: '' + block: | + # the akraino REC is targeted at server installs; as such + # we're liberal about allowing standard devices on the + # assumption we will be deployed in a relatively secure + # environment. The values below were chosen based on the + # devices that appear on a nokia OE19 with the virtual console + # enabled: + # xHCI controller/hub + allow with-interface equals { 09:00:00 } + # mass media — sites may want to consider restricting + # this to 08:06:50 to just get the virtual CDROM and ban + # other USB media + allow with-interface equals { 08:*:* } + # ethernet + allow with-interface equals { 02:02:ff } + # keyboard/mouse + allow with-interface one-of { 03:00:01 03:01:01 } + # per usbguard-rules.conf manpage: ban keyboard devices + # that expose other, suspicious, interfaces + reject with-interface all-of { 08:*:* 03:00:* } + reject with-interface all-of { 08:*:* 03:01:* } + reject with-interface all-of { 08:*:* e0:*:* } + reject with-interface all-of { 08:*:* 02:*:* } + # Setting file permissions #