REC-443 OpenScap Security Scan fixes 27/1927/1
authorgabor.illes <gabor.illes@nokia.com>
Wed, 6 Nov 2019 15:29:53 +0000 (10:29 -0500)
committergabor.illes <gabor.illes@nokia.com>
Wed, 6 Nov 2019 15:44:07 +0000 (10:44 -0500)
Lock accounts after repeated failed password attempts in Linux (pam_faillock)
Audit rules update
SSH key rename in ansible

Change-Id: Ifce65c8303d602bb1441bfccedf537ca0f8bede4
Signed-off-by: gabor.illes <gabor.illes@nokia.com>
roles/audit/templates/50-file-changes.rules.j2
roles/audit/templates/99-finalize.rules.j2
roles/manage_linux_user/tasks/main.yml
roles/ops-hardening/tasks/main.yaml

index af0ca75..f01ba55 100644 (file)
@@ -1,11 +1,13 @@
 ## file changes
+-w /opt/nokia/bin/hostcli -p aw -k hostcli
+-w /usr/bin/openstack -p aw -k openstackcli
 -w /boot/ -p rwxa -k dir_boot
 -w /opt/ -p aw -k dir_opt
 -w /etc/ -p rwa -k dir_etc
--w /usr/bin -p aw -k usr-bin
--w /usr/sbin -p aw -k usr-sbin
+-w /usr/bin -p rwxa -k usr-bin
+-w /usr/sbin -p rwxa -k usr-sbin
 -w /usr/libexec -p aw -k usr-libexex
--w /usr/local -p rwxa -k usr-local
+-w /usr/local -p awx -k usr-local
 -w /mnt/symptomreport/ -p awr -k symptomreport
 -w /usr/lib -p aw -k usr-lib
 -w /usr/lib64 -p aw -k usr-lib64
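Review bot: The `-p rwxa` on the two new `/usr/bin` and `/usr/sbin` lines makes auditd log every read and every execute of every system binary, which is at least one event per process start on a host running OpenStack agents and CLIs and is a likely audit-log flood; since the same commit turns on `-e 2`, a rule set that turns out to be too noisy cannot be corrected without a reboot. If the purpose is the OpenSCAP file-change (integrity) rules, write-and-attribute watches are enough, e.g. `-w /usr/bin -p wa -k usr-bin` and `-w /usr/sbin -p wa -k usr-sbin`, with execution tracking, if really wanted, done by a dedicated `-a always,exit -F arch=b64 -S execve` syscall rule rather than a directory watch. The new `hostcli` and `openstack` watches appear to be subsets of the existing `/opt/` and `/usr/bin` watches and so only add a second key to the same events; keep them if the separate `-k` is needed for searches, otherwise drop them. `/usr/local` loses `r` while `/usr/bin` gains it, which reads as inconsistent — a one-line comment at the top of the template stating the intended per-directory policy would help the next reviewer.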
index bc0fd92..2b41af4 100644 (file)
@@ -1,4 +1,4 @@
 ## Make the configuration immutable - reboot is required to change audit rules
-#-e 2
+-e 2
 ## Temporarily the value is set to 1 until the upgrade issue will be solved.
--e 1
+#-e 1
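Review bot: The context comment `## Temporarily the value is set to 1 until the upgrade issue will be solved.` is now wrong: the commit makes `-e 2` live and comments out `-e 1`, so the file tells the reader the opposite of what it does. Replace it with something like `## -e 2 locks the rules until reboot; -e 1 is kept below as the upgrade workaround if it has to be re-enabled.` Because immutable mode refuses any later `auditctl -R`/`augenrules --load` on a running system, a subsequent run of the audit role that changes `50-file-changes.rules` will not take effect until the node reboots — the role should set a reboot-required flag or at least document this; I cannot see the role's handlers from here.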
index 9640717..500be58 100644 (file)
@@ -24,7 +24,7 @@
 
 - name: "remove the old public ssh key"
   file:
-    path: /home/{{ item.name }}/.ssh/{{ item.name }}
+    path: /home/{{ item.name }}/.ssh/authorized_keys
     state: absent
   with_items: "{{ linuxuser | default([]) }}"
 
@@ -41,7 +41,7 @@
 - name: "add a new public ssh key"
   when: item.state == 'present' and item.public_key != ""
   lineinfile:
-    path: /home/{{ item.name }}/.ssh/{{ item.name }}
+    path: /home/{{ item.name }}/.ssh/authorized_keys
     create: yes
     regexp: '.*'
     state: "{{ item.state | default('absent') }}"
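Review bot: The "remove the old public ssh key" task in the first hunk now deletes `/home/<user>/.ssh/authorized_keys` unconditionally for every entry in `linuxuser` — no `when` on `item.state`, and it runs before the re-add task — so each play run wipes any key not carried in inventory, opens a window in which key-based login for that user fails, and reports `changed` on every run even when nothing differs. If inventory is meant to be the single source of keys, the `authorized_key` module with `exclusive: true` gives that without the delete/re-create gap and stays idempotent (assuming `item.public_key` holds the key text; the add task's `line:` argument is outside the hunk so I cannot confirm). The old per-user file `.ssh/<name>` is not cleaned up by this change, so hosts provisioned earlier keep a stale key file that sshd ignores unless `AuthorizedKeysFile` in sshd_config still lists it — worth a one-shot removal task or a comment. The add task's body continues past the end of the second hunk.
```yaml
# … unchanged: preceding tasks …

# Inventory is the only source of keys: exclusive replaces delete-then-recreate
# without a window where the user cannot log in.
- name: "set the user's public ssh key from inventory (exclusive)"
  when: item.state == 'present' and item.public_key != ""
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.public_key }}"
    exclusive: true
  with_items: "{{ linuxuser | default([]) }}"
```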
index 3381cea..193bfe2 100644 (file)
     regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
     line: 'PASS_MIN_DAYS   0'
 
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+  lineinfile:
+    path: "{{item}}"
+    insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+    line: 'account     required      pam_faillock.so'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Account expiration following inactivity"
+  lineinfile:
+    create: yes
+    path: "/etc/default/useradd"
+    regexp: "^INACTIVE"
+    line: "INACTIVE=35"
+  tags:
+    - REC-443
+
 #
 # YUM config
 #
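Review bot: The three pam_faillock tasks edit `/etc/pam.d/system-auth-ac` and `/etc/pam.d/password-auth-ac`, which (the `-ac` suffix suggests) are generated by authconfig; any later `authconfig --update` from another role or a package post-install script regenerates both files and silently drops the lockout lines, so the control is not durable. Prefer letting authconfig own the setting, e.g. `command: authconfig --enablefaillock --faillockargs="deny=3 unlock_time=3600 fail_interval=900" --update`, or at minimum add a comment on the first task stating that authconfig must not be re-run on these hosts. Each `lineinfile` with `insertbefore`/`insertafter` silently appends at end of file when its anchor regex does not match, which would leave the `preauth` line after `pam_unix.so` with the play still green — a preceding check that `auth\s+sufficient\s+pam_unix\.so` exists in each file (fail otherwise) is worth adding. `INACTIVE=35` in `/etc/default/useradd` only applies to accounts created afterwards; existing accounts still need `chage --inactive 35`, which this hunk does not do. Note also that `deny=3` with `unlock_time=3600` lets anyone who can reach sshd lock any non-root user out for an hour with three wrong passwords (root is spared unless `even_deny_root` is set), so the DoS trade-off should be stated in the task comment.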