X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=1ce68f25c0bd855307545a1d126b77831e4655e0;hb=3711c3e8a073609f097d3346acb8add006a6dabc;hp=193bfe28eea6148e26af56b4961aca18b6109ff8;hpb=546b3966551e02ad91d162ca75d0afad141f5bc2;p=ta%2Finfra-ansible.git
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 193bfe2..1ce68f2 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -66,9 +66,35 @@
 regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
 line: 'PASS_MIN_DAYS 0'
+- name: "Set password hash to SHA512"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^ENCRYPT_METHOD[\s]*[a-z0-9]*$'
+ line: 'ENCRYPT_METHOD SHA512'
+
+- name: "Set minimum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+
+- name: "Set maximum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MAX_ROUNDS 10000'
+
 #
 # Linux Failed password attempts
 #
+- name: "Ensure authconfig is properly configured"
+ command: authconfig --updateall
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ when: not (item|exists and item|is_file)
+ tags:
+ - REC-443
 - name: "Set Deny for failed password attempts 1"
 lineinfile:
@@ -186,15 +212,23 @@
 #
 # Set file permissions
 #
-- name: "Set set the 600 file permissions"
- file:
- path: "{{item}}"
- state: touch
- mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+ stat: path={{item}}
 with_items:
+ - /boot/efi/EFI/centos/grub.cfg
 - /boot/grub2/grub.cfg
 - /var/log/boot.log
 - /var/log/cron
+ register: file_stat
+
+- name: "Set the 600 file permissions"
+ file:
+ path: "{{item.item}}"
+ state: touch
+ mode: "600"
+ with_items: "{{ file_stat.results }}"
+ when:
+ - item.stat.exists == true
 #
 # Disable direct root login
@@ -283,6 +317,9 @@
 - { name: 'kernel.core_uses_pid', value: 1 }
 - { name: 'kernel.randomize_va_space', value: 2 }
 - { name: 'kernel.core_pattern', value: '/var/core/core'}
+ - { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
 #
 # Configure core dump
@@ -301,6 +338,13 @@
 line: 'Storage=none'
 #
+# Confingure kernel dump
+- name: "Disable kernel dump service"
+ shell: systemctl stop kdump.service
+
+- name: "Disable kernel dump service"
+ shell: systemctl disable kdump.service
+
 # Configure syslog
 #
 - name: "Stop rsyslog Service"
@@ -360,10 +404,21 @@
 #define users
 password_pbkdf2 root "{{ grub2_pass }}"
+- name: check whether grub-efi exists
+ stat:
+ path: /boot/efi/EFI/centos/grub.cfg
+ register: grub_efi_file_stat
+
 - name: generate grub config
 when: grub2_pass is defined and grub2_pass != 'Empty'
 command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+- name: generate grub-efi config
+ command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - grub2_pass is defined and grub2_pass != 'Empty'
+ - grub_efi_file_stat.stat.exists == true
+
 #
 #Setting the noexec option to the /dev/shm mount dir
 #
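Review bot: The rewritten `file` task keeps `state: touch`, which updates the access and modification times of /boot/grub2/grub.cfg, /var/log/boot.log and /var/log/cron on every run and reports the task as changed each time, so this part of the role is not idempotent; now that the preceding `stat` guarantees the file exists, `state: file` together with `mode: "600"` sets the permissions without rewriting timestamps. In the same hunk `stat: path={{item}}` uses the key=value shorthand while every other task in the file uses block arguments — `stat:` followed by `path: "{{ item }}"` — and `- item.stat.exists == true` reads more simply as `- item.stat.exists`. The task name "Check files exist to determine the proper location of grub.cfg on UEFI systems" describes only one of the four paths in the list; a name covering the whole list would help the next reader.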
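Review bot: `kernel.yama.ptrace_scope` set to 3 is a one-way switch: once the kernel has applied it the value cannot be lowered again until reboot, so any later run of this role that wants 1 or 2 will see the sysctl task fail, and tools that attach to running processes (strace, gdb, crash collectors) stop working on the node. If that lock-in is intended, say so in the list, e.g. `# 3 = ptrace attach disabled; cannot be lowered without a reboot`. Also confirm the target kernel exposes /proc/sys/kernel/yama — not every distribution kernel enables Yama — because a missing key makes the sysctl module fail for the entire list unless `ignoreerrors` is set or the entry is conditional. The loop task that consumes this list starts outside the hunk, so I cannot see whether errors are already tolerated there.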
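Review bot: The two kdump tasks share the name `Disable kernel dump service` and drive `systemctl` through `shell`, which reports changed on every run and fails the play if kdump.service is not present on the node (`systemctl stop` on an unknown unit exits non-zero). One `systemd` task states the intent, is idempotent, and makes the stop/disable pair a single step; if kdump may legitimately be absent, guard it with a `stat` on the unit file or a `failed_when`, which the `shell` version needs just as much. The comment `# Confingure kernel dump` has a typo (`Configure`) and drops the `#` / `# heading` / `#` block pattern the surrounding comments use.
```yaml
- name: "Stop and disable kernel dump service"
  systemd:
    name: kdump.service
    state: stopped
    enabled: false
```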
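Review bot: `grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg` hard-codes the EFI vendor directory, and the same literal now appears in the `stat` just above it and in the file-permissions hunk earlier in this commit; on a node whose firmware directory is not `centos` the `stat` guard silently turns the regeneration into a no-op, and the EFI grub.cfg presumably keeps booting without the `password_pbkdf2` entry shown in the context lines. Hoisting the path into one role variable (for example `grub_efi_cfg`) that all three tasks reference would keep them in step. `- grub_efi_file_stat.stat.exists == true` can be written as `- grub_efi_file_stat.stat.exists`, and the new task lists `command:` before `when:` while the BIOS task right above it does the opposite; keep one ordering for the pair.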
@@ -415,6 +470,75 @@
 state: absent
 #
+# tighten USB permissions
 #
+- name: Set USBGuard RestoreControllerDeviceState to false
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: '^[#\s]*RestoreControllerDeviceState\s*=\s*[a-z\-]*\s*$'
+ line: 'RestoreControllerDeviceState=false'
+
+- name: Set USBGuard ImplicitPolicyTarget to block
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: '^[#\s]*ImplicitPolicyTarget\s*=\s*[a-z\-]*\s*$'
+ line: 'ImplicitPolicyTarget=block'
+
+- name: Apply USBGuard policy in all cases
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: "^[#\\s]*{{ item }}\\s*=\\s*[a-z\\-]*\\s*$"
+ line: "{{ item }}=apply-policy"
+ with_items:
+ - PresentControllerPolicy
+ - PresentDevicePolicy
+ - InsertedDevicePolicy
+
+- name: Limit USBGuard IPC to root
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: "^[#\\s]*IPCAllowed{{item}}\\s*="
+ line: "IPCAllowed{{item}}=root"
+ with_items:
+ - Users
+ - Groups
+
+- Name: Ban suspect USB devices
+ blockinfile:
+ # this isn't the optimal way to do this, i know, but i don't
+ # want to create a whole new template tree just to add this.
+ path: /etc/usbguard/rules.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0700
+ insertbefore: BOF
+ # rules.conf doesn't seem to allow comments
+ marker: ''
+ block: |
+ # the akraino REC is targeted at server installs; as such
+ # we're liberal about allowing standard devices on the
+ # assumption we will be deployed in a relatively secure
+ # environment. The values below were chosen based on the
+ # devices that appear on a nokia OE19 with the virtual console
+ # enabled:
+ # xHCI controller/hub
+ allow with-interface equals { 09:00:00 }
+ # mass media — sites may want to consider restricting
+ # this to 08:06:50 to just get the virtual CDROM and ban
+ # other USB media
+ allow with-interface equals { 08:*:* }
+ # ethernet
+ allow with-interface equals { 02:02:ff }
+ # keyboard/mouse
+ allow with-interface one-of { 03:00:01 03:01:01 }
+ # per usbguard-rules.conf manpage: ban keyboard devices
+ # that expose other, suspicious, interfaces
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+
 # Setting file permissions
 #
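Review bot: `- Name: Ban suspect USB devices` uses a capital `Name`, which is not a task attribute; Ansible treats an unknown key as a second action next to `blockinfile` and rejects the task when the role is loaded, so every task in this file stops running — change it to `- name:`. In the rules block, `allow with-interface one-of { 03:00:01 03:01:01 }` comes before the four `reject with-interface all-of { 08:*:* ... }` lines, and USBGuard applies the first rule that matches, so a device that exposes both a mass-storage interface and a keyboard interface — exactly what the manpage rejects are meant to catch — is allowed by the `one-of` line and never reaches them; move the four `reject` lines above the keyboard/mouse `allow`. `mode: 0700` relies on YAML 1.1 octal parsing while the same commit switches the other `file` task to a quoted `"600"`; write `mode: "0700"` and `create: true` for consistency. `marker: ''` gives blockinfile empty begin/end marker lines, so on later runs it can only locate its block by matching blank lines in rules.conf, which looks fragile; run the role twice against a node and confirm the block is not duplicated before relying on it, and record the outcome next to the existing `# rules.conf doesn't seem to allow comments` note.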