FIX: More security hardening 61/4061/2 master
authordave kormann <davek@research.att.com>
Wed, 27 Jan 2021 19:27:04 +0000 (14:27 -0500)
committerdave kormann <davek@research.att.com>
Wed, 27 Jan 2021 19:34:25 +0000 (14:34 -0500)
More hardening to meet akraino security requirements.  Main visible change
should be tightening up v6 routing and redirect handling.  Applications
may want to enable these if they require v6 forwarding.

Signed-off-by: dave kormann <davek@research.att.com>
Change-Id: Ia9162322221d21d7f4490f1a2141d9bbf76b10a9

infra-ansible.spec
roles/ops-hardening/tasks/main.yaml

index 3f66181..85ad64d 100644 (file)
@@ -15,7 +15,7 @@
 
 Name:           infra-ansible
 Version:        %{_version}
-Release:        12%{?dist}
+Release:        13%{?dist}
 Summary:        Contains ansible playbook and roles for Akraino rec blueprint
 License:        %{_platform_licence}
 Source0:        %{name}-%{version}.tar.gz
index 1ce68f2..fdf6512 100644 (file)
@@ -76,7 +76,7 @@
   lineinfile:
     path: /etc/login.defs
     regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
-    line: 'SHA_CRYPT_MIN_ROUNDS   5000'
+    line: 'SHA_CRYPT_MIN_ROUNDS   10000'
 
 - name: "Set maximum number of password hash rounds"
   lineinfile:
   when:
     - item.stat.exists == true
 
+- name: Limit access to the assembler binary
+  file:
+    path: "/usr/bin/as"
+    state: file
+    mode: "0700"
+    owner: root
+    group: root
+
 #
 # Disable direct root login
 #
     state: absent
     regexp: '^tcp6.*'
 
-- name: Disable automatic ipv6 configuration
-  when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
   sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
     reload: yes
   with_items:
     - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+    - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
     - { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
     - { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
     - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
     - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
-    - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
     - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+    - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
 
 #
 # Configure kernel parameters
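Review bot: Removing `when: ansible_default_ipv6|length > 0` from the "Disable automatic ipv6 configuration and routing" task makes the sysctl task run unconditionally; on a host where IPv6 is disabled or the ipv6 module is not loaded the `net.ipv6.conf.*` keys do not exist, so the sysctl module fails the play rather than hardening it. Restoring the guard, `when: ansible_default_ipv6|length > 0`, keeps the new `default.forwarding` and reordered `default.accept_source_route` entries while preserving the previous behaviour on IPv6-less hosts; the surrounding task starts inside the hunk but the section's later hunks are not shown. In the same task `reload: yes` should be written as `reload: true`, since `yes` is a YAML 1.1 boolean spelling and yamllint's truthy rule flags it. The new "Limit access to the assembler binary" task has a similar robustness gap: `state: file` fails when `/usr/bin/as` is absent (binutils not installed), so it is likely worth guarding with a `stat` result the way the `item.stat.exists == true` condition just above it does.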