X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=5558cd0296aa25f0f56cc34493af5fa8d20b1314;hb=3a7fca60d2a33657024ad83011ee233c879b416a;hp=d56e8939acf51f00451265b2dbd4ac6eb6abd998;hpb=74a49ba6ef2ea715fa492db0bcd85c30398688e8;p=ta%2Finfra-ansible.git
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index d56e893..5558cd0 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -66,6 +66,52 @@
 regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
 line: 'PASS_MIN_DAYS 0'
 
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+ lineinfile:
+ path: "{{item}}"
+ insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+ line: 'account required pam_faillock.so'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Account expiration following inactivity"
+ lineinfile:
+ create: yes
+ path: "/etc/default/useradd"
+ regexp: "^INACTIVE"
+ line: "INACTIVE=35"
+ tags:
+ - REC-443
+
 #
 # YUM config
 #
@@ -116,6 +162,7 @@
 - cramfs
 - usb-storage
 - udf
+ - nfsd
 
 #
 # Disable interactive boot
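Review bot: The three pam_faillock tasks write directly into /etc/pam.d/system-auth-ac and password-auth-ac, and on authconfig-managed hosts those files are regenerated (discarding these lines) the next time authconfig runs; in addition, when the `insertbefore`/`insertafter` pattern finds no match, lineinfile appends the line at the end of the file, so a preauth entry can silently land after the whole auth stack without any task failing. Consider applying the control through `authconfig --enablefaillock --faillockargs="deny=3 unlock_time=3600 fail_interval=900" --update` on such hosts, or at least registering each lineinfile result and checking afterwards that the three lines sit before/after the pam_unix.so entries as intended. `create: yes` in the useradd task reads better as `create: true`, and `with_items` can be `loop`, though the rest of the file may share the older style. The enclosing task list starts before this hunk.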
@@ -139,15 +186,23 @@
 # Set file permissions
 #
 
-- name: "Set set the 600 file permissions"
- file:
- path: "{{item}}"
- state: touch
- mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+ stat: path={{item}}
 with_items:
+ - /boot/efi/EFI/centos/grub.cfg
 - /boot/grub2/grub.cfg
 - /var/log/boot.log
 - /var/log/cron
+ register: file_stat
+
+- name: "Set the 600 file permissions"
+ file:
+ path: "{{item.item}}"
+ state: touch
+ mode: "600"
+ with_items: "{{ file_stat.results }}"
+ when:
+ - item.stat.exists == true
 
 #
 # Disable direct root login
@@ -156,6 +211,16 @@
 - name: "Direct root Logins Not Allowed"
 shell: echo > /etc/securetty
 
+- name: Change 'root' shell to nologin
+ user:
+ name: root
+ shell: /sbin/nologin
+
+- name: Lock 'root' password
+ user:
+ name: root
+ password: '!!'
+
 #
 # Configure IPv6
 #
@@ -303,10 +368,21 @@
 #define users
 password_pbkdf2 root "{{ grub2_pass }}"
 
+- name: check whether grub-efi exists
+ stat:
+ path: /boot/efi/EFI/centos/grub.cfg
+ register: grub_efi_file_stat
+
 - name: generate grub config
 when: grub2_pass is defined and grub2_pass != 'Empty'
 command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
 
+- name: generate grub-efi config
+ command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - grub2_pass is defined and grub2_pass != 'Empty'
+ - grub_efi_file_stat.stat.exists == true
+
 #
 #Setting the noexec option to the /dev/shm mount dir
 #
@@ -334,6 +410,29 @@
 state: "mounted"
 fstype: "{{device_fstype.stdout}}"
 
+#
+# Disable NFS service
+#
+
+- name: disable NFS related services
+ service:
+ name: "{{ item }}"
+ enabled: no
+ state: stopped
+ ignore_errors: yes
+ with_items:
+ - nfslock
+ - rpcgssd
+ - rpcidmapd
+ - nfs-idmap
+ - nfs-server
+ - nfs
+
+- name: remove nfs-utils package
+ yum:
+ name: nfs-utils
+ state: absent
+
 #
 # Setting file permissions
 #
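Review bot: `state: touch` in the new "Set the 600 file permissions" task is only ever applied to files the preceding stat proved to exist, so it just bumps their access/modification times and reports changed on every run; `state: file` sets the mode idempotently without touching timestamps. `stat: path={{item}}` uses key=value arguments while the rest of the hunk is block YAML, so write it as `stat:` with `path: "{{ item }}"` beneath it, and `when: item.stat.exists == true` can simply be `when: item.stat.exists`. Note also that /boot/efi is normally a vfat mount whose file modes come from the fmask/umask mount options rather than from chmod, so applying 600 to /boot/efi/EFI/centos/grub.cfg may fail or have no effect there — verify on a UEFI host before relying on this control.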
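Review bot: Setting root's shell to /sbin/nologin breaks `sudo -i` and `su -` for operators, since both start the target user's login shell, and combined with the locked password and the /etc/securetty emptied by the preceding task it leaves no interactive root path other than `sudo` from another account; the hunk adds no variable gate or precondition, so document the pre-existing sudo-capable admin account this role now depends on, or gate both tasks on a check that one exists. For the lock itself, `password: '!!'` writes a literal string into a field the `user` module documents as a crypt hash; the explicit form is `password_lock: true` (Ansible 2.6+), which locks regardless of the existing hash. The two `user` calls could also be a single task setting `shell` and the lock together.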
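Review bot: The ESP path /boot/efi/EFI/centos/grub.cfg is now hard-coded in three places (the stat task and the mkconfig target in this hunk, plus the file-permission hunk above), so it belongs in one role variable such as `grub_efi_cfg: /boot/efi/EFI/centos/grub.cfg` that each task references; that also makes the vendor directory adjustable. `grub_efi_file_stat.stat.exists == true` reads more naturally as `grub_efi_file_stat.stat.exists`. Both grub2-mkconfig `command` tasks report changed on every run; if the hardening report should stay quiet, register the result and derive `changed_when` from whether the generated file actually differs. The grub password block that precedes the stat task starts before this hunk.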
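Review bot: `ignore_errors: yes` on "disable NFS related services" hides every failure, including a unit that exists but cannot be stopped or disabled, so this hardening control can silently fail to apply; the intent is only to tolerate units that are not installed, which is better expressed by registering the result and writing `failed_when: nfs_svc is failed and 'Could not find the requested service' not in nfs_svc.msg` (check the exact message text for the Ansible version in use), or by gathering `service_facts` and looping only over units that are present. `yum` with `state: absent` also removes packages that depend on nfs-utils, so confirm nothing else in the platform is pulled out with it — the package set is not visible from this hunk. `enabled: no` and `ignore_errors: yes` should be `false`/`true`, and `with_items` can be `loop`.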