X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=24e52c1cc0dacded00583e3bc6bb6dd62ad2021a;hb=c12b19e860be57972222a13b1abc01638f35d42a;hp=3381cea22ba852b330f7eb92f6d120277b9e2401;hpb=95119f5474d6d585b173fdffcb922d3b2a8c7ac9;p=ta%2Finfra-ansible.git

diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 3381cea..24e52c1 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -66,6 +66,72 @@
     regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
     line: 'PASS_MIN_DAYS   0'
 
+- name: "Set password hash to SHA512"
+  lineinfile:
+    path: /etc/login.defs
+    regexp: '^ENCRYPT_METHOD[\s]*[a-z0-9]*$'
+    line: 'ENCRYPT_METHOD   SHA512'
+
+- name: "Set minimum number of password hash rounds"
+  lineinfile:
+    path: /etc/login.defs
+    regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
+    line: 'SHA_CRYPT_MIN_ROUNDS   5000'
+
+#
+# Linux Failed password attempts
+#
+- name: "Ensure authconfig is properly configured"
+  command: authconfig --updateall
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  when: not (item|exists and item|is_file)
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 1"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+  lineinfile:
+    path: "{{item}}"
+    insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+    line: 'account     required      pam_faillock.so'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Account expiration following inactivity"
+  lineinfile:
+    create: yes
+    path: "/etc/default/useradd"
+    regexp: "^INACTIVE"
+    line: "INACTIVE=35"
+  tags:
+    - REC-443
+
 #
 # YUM config
 #
@@ -140,15 +206,23 @@
 # Set file permissions
 #
 
-- name: "Set set the 600 file permissions"
-  file:
-    path: "{{item}}"
-    state: touch
-    mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+  stat: path={{item}}
   with_items:
+    - /boot/efi/EFI/centos/grub.cfg
     - /boot/grub2/grub.cfg
     - /var/log/boot.log
     - /var/log/cron
+  register: file_stat
+
+- name: "Set the 600 file permissions"
+  file:
+    path: "{{item.item}}"
+    state: touch
+    mode: "600"
+  with_items: "{{ file_stat.results }}"
+  when:
+    - item.stat.exists == true
 
 #
 # Disable direct root login
@@ -237,6 +311,7 @@
     - { name: 'kernel.core_uses_pid', value: 1 }
     - { name: 'kernel.randomize_va_space', value: 2 }
     - { name: 'kernel.core_pattern', value: '/var/core/core'}
+    - { name: 'kernel.kptr_restrict', value: 2 }
 
 #
 # Configure core dump
@@ -255,6 +330,13 @@
     line: 'Storage=none'
 
 #
+# Confingure kernel dump
+- name: "Disable kernel dump service"
+  shell: systemctl stop kdump.service
+
+- name: "Disable kernel dump service"
+  shell: systemctl disable kdump.service
+
 # Configure syslog
 #
 - name: "Stop rsyslog Service"
@@ -314,10 +396,21 @@
       #define users
       password_pbkdf2 root "{{ grub2_pass }}"
 
+- name: check whether grub-efi exists
+  stat:
+    path: /boot/efi/EFI/centos/grub.cfg
+  register: grub_efi_file_stat
+
 - name: generate grub config
   when: grub2_pass is defined and grub2_pass != 'Empty'
   command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
 
+- name: generate grub-efi config
+  command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+  when:
+    - grub2_pass is defined and grub2_pass != 'Empty'
+    - grub_efi_file_stat.stat.exists == true
+
 #
 #Setting the noexec option to the /dev/shm mount dir
 #
@@ -369,6 +462,75 @@
     state: absent
 
 #
+# tighten USB permissions
+#
+- name: Set USBGuard RestoreControllerDeviceState to false
+  lineinfile:
+    path: /etc/usbguard/usbguard-daemon.conf
+    regexp: '^[#\s]*RestoreControllerDeviceState\s*=\s*[a-z\-]*\s*$'
+    line: 'RestoreControllerDeviceState=false'
+
+- name: Set USBGuard ImplicitPolicyTarget to block
+  lineinfile:
+    path: /etc/usbguard/usbguard-daemon.conf
+    regexp: '^[#\s]*ImplicitPolicyTarget\s*=\s*[a-z\-]*\s*$'
+    line: 'ImplicitPolicyTarget=block'
+
+- name: Apply USBGuard policy in all cases
+  lineinfile:
+    path: /etc/usbguard/usbguard-daemon.conf
+    regexp: "^[#\\s]*{{ item }}\\s*=\\s*[a-z\\-]*\\s*$"
+    line: "{{ item }}=apply-policy"
+  with_items:
+    - PresentControllerPolicy
+    - PresentDevicePolicy
+    - InsertedDevicePolicy
+
+- name: Limit USBGuard IPC to root
+  lineinfile:
+    path: /etc/usbguard/usbguard-daemon.conf
+    regexp: "^[#\\s]*IPCAllowed{{item}}\\s*="
+    line: "IPCAllowed{{item}}=root"
+  with_items:
+    - Users
+    - Groups
+
+- Name: Ban suspect USB devices
+  blockinfile:
+    # this isn't the optimal way to do this, i know, but i don't
+    # want to create a whole new template tree just to add this.
+    path: /etc/usbguard/rules.conf
+    create: yes
+    owner: root
+    group: root
+    mode: 0700
+    insertbefore: BOF
+    # rules.conf doesn't seem to allow comments
+    marker: ''
+    block: |
+     # the akraino REC is targeted at server installs; as such
+     # we're liberal about allowing standard devices on the
+     # assumption we will be deployed in a relatively secure
+     # environment.  The values below were chosen based on the
+     # devices that appear on a nokia OE19 with the virtual console
+     # enabled:
+     # xHCI controller/hub
+     allow with-interface equals { 09:00:00 }
+     # mass media — sites may want to consider restricting
+     # this to 08:06:50 to just get the virtual CDROM and ban
+     # other USB media
+     allow with-interface equals { 08:*:* }
+     # ethernet
+     allow with-interface equals { 02:02:ff }
+     # keyboard/mouse
+     allow with-interface one-of { 03:00:01 03:01:01 }
+     # per usbguard-rules.conf manpage: ban keyboard devices
+     # that expose other, suspicious, interfaces
+     reject with-interface all-of { 08:*:* 03:00:* }
+     reject with-interface all-of { 08:*:* 03:01:* }
+     reject with-interface all-of { 08:*:* e0:*:* }
+     reject with-interface all-of { 08:*:* 02:*:* }
+
 # Setting file permissions
 #