More small changes to satisfy lynis scans. Mostly low-impact,
except for a fix to vol_mgmt.sh to ensure that newly-created
volume mounts are more likely to have appropriate permissions.
Signed-off-by: dave kormann <davek@research.att.com>
Change-Id: I384646458db9638487c928379590ed94f6b4be48
Name: infra-ansible
Version: %{_version}
Name: infra-ansible
Version: %{_version}
Summary: Contains ansible playbook and roles for Akraino rec blueprint
License: %{_platform_licence}
Source0: %{name}-%{version}.tar.gz
Summary: Contains ansible playbook and roles for Akraino rec blueprint
License: %{_platform_licence}
Source0: %{name}-%{version}.tar.gz
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
line: 'SHA_CRYPT_MIN_ROUNDS 5000'
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+- name: "Set maximum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MAX_ROUNDS 10000'
+
#
# Linux Failed password attempts
#
#
# Linux Failed password attempts
#
- { name: 'kernel.randomize_va_space', value: 2 }
- { name: 'kernel.core_pattern', value: '/var/core/core'}
- { name: 'kernel.kptr_restrict', value: 2 }
- { name: 'kernel.randomize_va_space', value: 2 }
- { name: 'kernel.core_pattern', value: '/var/core/core'}
- { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
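Review bot: `kernel.yama.ptrace_scope` value 3 on the last added line disables all ptrace attach, and the kernel treats 3 as sticky: once set it cannot be lowered again without a reboot, so gdb/strace attach and any crash-collection tooling on these hosts stop working until someone reboots. If that is intended, say so next to the entry, e.g. `# 3 = no ptrace attach at all; irreversible until reboot (2 would still allow CAP_SYS_PTRACE)`; if operators need to debug live processes, 2 is the usual hardening value. The sysctl key also only exists when the Yama LSM is built in and enabled, so on a kernel without it the task applying this list presumably fails unless it tolerates errors; the loop that consumes the list is outside the hunk, so confirm how it handles a missing key.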
+# mirror the permissions of the existing directory
+oPerm=`stat -c '%a' ${evac_dir}`
+'
if [ ! -b $mount_vol_dev ];then
echo "Provided volume $mount_vol_dev is not a block device!!"
exit 1
if [ ! -b $mount_vol_dev ];then
echo "Provided volume $mount_vol_dev is not a block device!!"
exit 1
mount $evac_dir
chown ${owner}:${group} ${evac_dir}
mount $evac_dir
chown ${owner}:${group} ${evac_dir}
+chmod ${oPerm} ${evac_dir}
cp -rpf $tmp_dir/* ${evac_dir}/
rm -rf $tmp_dir
cp -rpf $tmp_dir/* ${evac_dir}/
rm -rf $tmp_dir
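Review bot: `oPerm` is captured before the mount and used by the added `chmod ${oPerm} ${evac_dir}` line, but nothing checks that `stat` succeeded; if `${evac_dir}` does not exist yet or `stat` fails, `oPerm` is empty and the unquoted expansion turns the chmod into `chmod /path` with no mode, so the script errors out after the volume has already been mounted and chowned. Capturing with a failure check and quoting both expansions keeps the mount consistent: `oPerm=$(stat -c '%a' "${evac_dir}") || { echo "Cannot stat ${evac_dir}"; exit 1; }` and `chmod "${oPerm}" "${evac_dir}"`. The lone `'` shown as an added line after the `oPerm=` assignment looks like rendering residue, but if it is really in the file it opens an unterminated single-quoted string and breaks the script, so check the raw patch. The surrounding functions start outside the hunk.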
insertafter: '^[\s]*ListenAddress 0.0.0.0'
line: 'ListenAddress ::'
insertafter: '^[\s]*ListenAddress 0.0.0.0'
line: 'ListenAddress ::'
+- name: Enable verbose logging for SSH daemon
+ ssh_conf:
+ regexp: '[\s]*LogLevel"
+ values: "LogLevel VERBOSE"
+
- name: "Disable Kerberos Authentication"
ssh_conf:
regexp: '[\s]*KerberosAuthentication'
- name: "Disable Kerberos Authentication"
ssh_conf:
regexp: '[\s]*KerberosAuthentication'
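Review bot: The added LogLevel task has mismatched quotes in `regexp: '[\s]*LogLevel"`: the scalar opens with a single quote and closes with a double quote, so the YAML parser either fails or swallows the following lines into one multi-line scalar, which means this new task and the Kerberos task after it never run as written. The line should read `regexp: '[\s]*LogLevel'`, matching the quoting of the existing `ssh_conf` tasks. The neighbouring tasks only show their `regexp` key in this hunk, so also confirm that `values` is the parameter name the `ssh_conf` module expects rather than a typo of the key those tasks use.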