More hardening to meet akraino security requirements. Main visible change
is the tightening of IPv6 routing and redirect handling (IPv6 forwarding,
source routing, router advertisements and redirects are now disabled by default).
Applications that require IPv6 forwarding will need to re-enable it explicitly.
Signed-off-by: dave kormann <davek@research.att.com>
Change-Id: Ia9162322221d21d7f4490f1a2141d9bbf76b10a9
Name: infra-ansible
Version: %{_version}
Name: infra-ansible
Version: %{_version}
Summary: Contains ansible playbook and roles for Akraino rec blueprint
License: %{_platform_licence}
Source0: %{name}-%{version}.tar.gz
Summary: Contains ansible playbook and roles for Akraino rec blueprint
License: %{_platform_licence}
Source0: %{name}-%{version}.tar.gz
lineinfile:
path: /etc/login.defs
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
lineinfile:
path: /etc/login.defs
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
- line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+ line: 'SHA_CRYPT_MIN_ROUNDS 10000'
- name: "Set maximum number of password hash rounds"
lineinfile:
- name: "Set maximum number of password hash rounds"
lineinfile:
when:
- item.stat.exists == true
when:
- item.stat.exists == true
+- name: Limit access to the assembler binary
+ file:
+ path: "/usr/bin/as"
+ state: file
+ mode: "0700"
+ owner: root
+ group: root
+
#
# Disable direct root login
#
#
# Disable direct root login
#
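Review bot: The new "Limit access to the assembler binary" task uses `state: file`, which does not create the path and fails when /usr/bin/as is absent, so the play breaks on hosts without binutils installed — unlike the neighbouring tasks, which are guarded with `when: item.stat.exists == true`. Register a stat of /usr/bin/as in a preceding task and add `when: as_bin.stat.exists` here, or fold it into the same stat-guarded loop the role already uses. Separately, raising SHA_CRYPT_MIN_ROUNDS to 10000 only affects hashes generated from now on — existing /etc/shadow entries keep 5000 rounds until the password is next changed — and since shadow-utils reconciles MIN against MAX, the "Set maximum number of password hash rounds" task below (its value is not visible in this hunk) should set SHA_CRYPT_MAX_ROUNDS to at least 10000, otherwise the new minimum may be silently lowered. A comment above the assembler task, `# root-only assembler: non-root users can no longer build native code on the host (gcc/cc invoke as and will fail too)`, would record that this breakage is intended.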
state: absent
regexp: '^tcp6.*'
state: absent
regexp: '^tcp6.*'
-- name: Disable automatic ipv6 configuration
- when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
reload: yes
with_items:
- { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
reload: yes
with_items:
- { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+ - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
- { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
- { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
- { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
- { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
- - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
- { name: 'net.ipv6.conf.all.forwarding', value: 0 }
- { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+ - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
#
# Configure kernel parameters
#
# Configure kernel parameters
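Review bot: Dropping the `when: ansible_default_ipv6|length > 0` guard makes the sysctl task run unconditionally, and on a host booted with ipv6.disable=1 (or without the ipv6 module loaded) /proc/sys/net/ipv6 does not exist, so the module errors on the first item and aborts the play instead of simply leaving IPv6 off. If the intent is to harden whenever the IPv6 stack is present regardless of addressing, guard on the sysctl tree instead: register a `stat` of `/proc/sys/net/ipv6` in a preceding task and add `when: ipv6_proc.stat.exists` to this task. It is also worth noting in a comment that `default.*` values apply only to interfaces created after the write, and that in IPv6 only some `all.*` knobs (forwarding among them) propagate to existing interfaces, so accept_ra/accept_redirects should be verified per live interface rather than assumed from `all` — e.g. `# 'all' reaches existing interfaces only for some keys; 'default' covers interfaces created later`. The enclosing play continues outside this hunk.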