From 3711c3e8a073609f097d3346acb8add006a6dabc Mon Sep 17 00:00:00 2001
From: dave kormann
Date: Wed, 23 Dec 2020 12:28:14 -0500
Subject: [PATCH] More security compliance modifications

More small changes to satisfy lynis scans. Mostly low-impact, except for a fix to vol_mgmt.sh to ensure that newly-created volume mounts are more likely to have appropriate permissions.

Signed-off-by: dave kormann
Change-Id: I384646458db9638487c928379590ed94f6b4be48
---
 infra-ansible.spec | 2 +-
 roles/ops-hardening/tasks/main.yaml | 8 ++++++++
 roles/partfs_rootdisk/scripts/vol_mgmt.sh | 4 ++++
 roles/ssh_conf_hardening/tasks/main.yaml | 5 +++++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/infra-ansible.spec b/infra-ansible.spec
index b873d1a..97eb198 100644
--- a/infra-ansible.spec
+++ b/infra-ansible.spec
@@ -15,7 +15,7 @@ Name: infra-ansible
 Version: %{_version}
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Contains ansible playbook and roles for Akraino rec blueprint
 License: %{_platform_licence}
 Source0: %{name}-%{version}.tar.gz
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 24e52c1..1ce68f2 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -78,6 +78,12 @@
 regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
 line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+- name: "Set maximum number of password hash rounds" lineinfile: path: /etc/login.defs regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$' line: 'SHA_CRYPT_MAX_ROUNDS 10000'
+
 #
 # Linux Failed password attempts
 #
@@ -312,6 +318,8 @@
 - { name: 'kernel.randomize_va_space', value: 2 }
 - { name: 'kernel.core_pattern', value: '/var/core/core'}
 - { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
 #
 # Configure core dump
diff --git a/roles/partfs_rootdisk/scripts/vol_mgmt.sh b/roles/partfs_rootdisk/scripts/vol_mgmt.sh
index 85214fe..f99c3fe 100755
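Review bot: `SHA_CRYPT_MAX_ROUNDS 10000` is a ceiling, not a floor — per login.defs(5) the shadow tools pick the round count between MIN and MAX, so this line caps password-hash cost at 10000 rounds and will quietly defeat any later attempt to raise SHA_CRYPT_MIN_ROUNDS above it unless both tasks are edited together. Both values are hard-coded literals; I would pull them into role variables (e.g. `line: 'SHA_CRYPT_MAX_ROUNDS {{ sha_crypt_max_rounds }}'` with a default of 10000) and add a comment above the task: `# lynis wants both MIN and MAX rounds set; MAX must be >= MIN and bounds the cost passwd/chpasswd will use`. The regexp only matches an uncommented key, so on a login.defs that ships the setting commented out lineinfile appends a new line at EOF instead of replacing it — functionally fine, but worth saying in that comment. The preceding minimum-rounds task begins before the hunk.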
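Review bot: `kernel.yama.ptrace_scope` = 3 is the one Yama level that cannot be lowered again without a reboot, and it refuses PTRACE_ATTACH and PTRACE_TRACEME outright, so gdb/strace on a running process and anything else built on ptrace stops working on these hosts; if that is the intent it should be documented beside the entry, e.g. `# 3 = no ptrace at all, irreversible until reboot; use 2 if admin debugging must stay possible`. The key only exists when the Yama LSM is active, so on a kernel without it the sysctl write fails and, depending on the task that applies this list (it starts before the hunk and its error handling is not visible here), may abort the play — a guard on the presence of `/proc/sys/kernel/yama/ptrace_scope` or a fallback to `value: 2` would be safer. `kernel.sysrq: 0` also drops the sync / remount-ro / reboot keys that operators sometimes keep for crash recovery; a short comment noting that trade-off was considered would help the next reader.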
--- a/roles/partfs_rootdisk/scripts/vol_mgmt.sh
+++ b/roles/partfs_rootdisk/scripts/vol_mgmt.sh
@@ -54,6 +54,9 @@ if [ ! -d $evac_dir ];then
 mkdir -p "$evac_dir"
 fi
+# mirror the permissions of the existing directory
+oPerm=`stat -c '%a' ${evac_dir}`
+'
 if [ ! -b $mount_vol_dev ];then
 echo "Provided volume $mount_vol_dev is not a block device!!"
 exit 1
@@ -115,6 +118,7 @@ rm -rf ${evac_dir}/*
 mount $evac_dir
 chown ${owner}:${group} ${evac_dir}
+chmod ${oPerm} ${evac_dir}
 cp -rpf $tmp_dir/* ${evac_dir}/
 rm -rf $tmp_dir
diff --git a/roles/ssh_conf_hardening/tasks/main.yaml b/roles/ssh_conf_hardening/tasks/main.yaml
index 66d4bce..b9d86f5 100644
--- a/roles/ssh_conf_hardening/tasks/main.yaml
+++ b/roles/ssh_conf_hardening/tasks/main.yaml
@@ -130,6 +130,11 @@
 insertafter: '^[\s]*ListenAddress 0.0.0.0'
 line: 'ListenAddress ::'
+- name: Enable verbose logging for SSH daemon ssh_conf: regexp: '[\s]*LogLevel" values: "LogLevel VERBOSE"
+
 - name: "Disable Kerberos Authentication"
 ssh_conf:
 regexp: '[\s]*KerberosAuthentication'
-- 2.16.6
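Review bot: The third added line in this hunk appears to be a lone `'`, which in sh opens a quoted string that runs until the next single quote further down the file and would break the script before the `if [ ! -b $mount_vol_dev ]` check ever runs; unless it is an artifact of how this patch was rendered, it must be removed. Separately, the `stat` runs right after the `mkdir -p "$evac_dir"` above it, so when the directory did not exist the captured mode is whatever umask produced for the fresh directory rather than the permissions of a pre-existing one — the comment `# mirror the permissions of the existing directory` overstates what is preserved, and a mode captured before the mkdir (with an explicit default when the directory is new) would match the commit message better. The capture is also unchecked and unquoted; `oPerm=$(stat -c '%a' "${evac_dir}") || { echo "cannot stat ${evac_dir}"; exit 1; }` keeps the style of the quoted `"$evac_dir"` two lines up and fails loudly instead of leaving oPerm empty.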
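Review bot: `chmod ${oPerm} ${evac_dir}` has no guard for an empty `oPerm`: if the earlier `stat` failed, chmod receives the directory path as its mode argument and errors, and since nothing here checks the result the script carries on to the `cp` with the freshly mounted volume still at the filesystem's default mode — the exact case the commit message says it wants to avoid. `chmod "${oPerm:?saved directory mode is empty}" "${evac_dir}"` makes the failure explicit and quotes the path like the rest of the fix should. Whether the script runs under `set -e` is not visible from this hunk, so I am assuming errors are not fatal by default.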
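Review bot: The new `regexp` value opens with a single quote and closes with a double quote (`regexp: '[\s]*LogLevel"`), so YAML sees an unterminated single-quoted scalar that runs on into the following lines and the task file will fail to load; it should read `regexp: '[\s]*LogLevel'`. Like its neighbours the pattern is unanchored, so whether an existing commented `#LogLevel INFO` is rewritten or a fresh `LogLevel VERBOSE` line is appended depends on how the custom `ssh_conf` module applies the regexp, which is not visible here. A one-line comment on the task would also help reviewers: `# VERBOSE logs the key fingerprint used for each login, which lynis checks for and auditors rely on`.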