From 2dfb03eebd138f9c7d52d962ab7468eb248fd23e Mon Sep 17 00:00:00 2001
From: dave kormann
Date: Wed, 27 Jan 2021 14:27:04 -0500
Subject: [PATCH] FIX: More security hardening

More hardening to meet akraino security requirements. Main visible change should be tightening up v6 routing and redirect handling. Applications may want to enable these if they require v6 forwarding.

Signed-off-by: dave kormann
Change-Id: Ia9162322221d21d7f4490f1a2141d9bbf76b10a9
---
 infra-ansible.spec | 2 +-
 roles/ops-hardening/tasks/main.yaml | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/infra-ansible.spec b/infra-ansible.spec
index 3f66181..85ad64d 100644
--- a/infra-ansible.spec
+++ b/infra-ansible.spec
@@ -15,7 +15,7 @@
 Name: infra-ansible
 Version: %{_version}
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: Contains ansible playbook and roles for Akraino rec blueprint
 License: %{_platform_licence}
 Source0: %{name}-%{version}.tar.gz
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 1ce68f2..fdf6512 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -76,7 +76,7 @@
   lineinfile:
     path: /etc/login.defs
     regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
-    line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+    line: 'SHA_CRYPT_MIN_ROUNDS 10000'
 
 - name: "Set maximum number of password hash rounds"
   lineinfile:
@@ -230,6 +230,14 @@
   when:
     - item.stat.exists == true
 
+- name: Limit access to the assembler binary
+  file:
+    path: "/usr/bin/as"
+    state: file
+    mode: "0700"
+    owner: root
+    group: root
+
 #
 # Disable direct root login
 #
@@ -273,8 +281,7 @@
     state: absent
     regexp: '^tcp6.*'
 
-- name: Disable automatic ipv6 configuration
-  when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
   sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
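Review bot: The raised minimum in the `SHA_CRYPT_MIN_ROUNDS 10000` line only affects passwords hashed after the task runs; existing accounts keep their current round count until their password is next changed, and that is worth stating above the task, e.g. `# Applies on the next password change; existing hashes keep their old round count`. The new value must also stay at or below SHA_CRYPT_MAX_ROUNDS, which the following task sets outside this hunk — if that value is still below 10000 the effective range depends on how shadow-utils resolves the inversion, so it should be bumped in the same change. The regexp matches only an uncommented `SHA_CRYPT_MIN_ROUNDS` line, so a distro-shipped commented default stays in place and the new line is appended at the end of the file; that works but leaves a stale commented value that can mislead an auditor. The enclosing task starts before this hunk.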
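Review bot: `state: file` does not create the path, so the new "Limit access to the assembler binary" task fails outright on a host where binutils is not installed and `/usr/bin/as` is absent, aborting the rest of the role on exactly the hosts that have the least exposure. The preceding task (whose head is outside this hunk) already gates on a registered stat result; guarding this task the same way keeps the hardening best-effort instead of fatal. A later update of the package that owns the binary will likely restore its packaged mode, so the restriction only holds until the role is re-run; a comment above the task noting that would help an operator interpreting an audit result.
```yaml
- name: Check whether the assembler binary is present
  stat:
    path: "/usr/bin/as"
  register: assembler_binary

- name: Limit access to the assembler binary
  # … unchanged: file module arguments (path, state, mode, owner, group) …
  when: assembler_binary.stat.exists
```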
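Review bot: Dropping the `when: ansible_default_ipv6|length > 0` guard makes the sysctl task run on every host, including those where IPv6 is disabled at boot; there the `net.ipv6.conf.*` keys are absent from /proc/sys and the module's reload can fail, which would abort the role on hosts with no IPv6 exposure at all. If the intent is to write the hardened defaults even when no global IPv6 address is configured, say so in a comment above the task and add `ignoreerrors: yes` next to the other sysctl arguments, or replace the removed guard with a check that the key tree exists. The task body continues past this hunk into the next one.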
@@ -282,12 +289,13 @@
     reload: yes
   with_items:
     - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+    - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
     - { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
     - { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
     - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
     - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
-    - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
     - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+    - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
 
 #
 # Configure kernel parameters
-- 
2.16.6
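Review bot: Both forwarding entries are hard-coded to 0 even though the commit message says applications may need to re-enable IPv6 forwarding; as written, the only way to do that is to edit the role. Exposing the value as a role variable with a hardened default, e.g. `- { name: 'net.ipv6.conf.all.forwarding', value: "{{ ipv6_forwarding | default(0) }}" }` and the same on the new `default.forwarding` line, keeps forwarding off unless a playbook explicitly overrides it and makes the override visible in inventory rather than in a patched role. The enclosing task begins in the previous hunk.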