From 407c56bb4dab1eac542f37c5b0b25cb63133b2f0 Mon Sep 17 00:00:00 2001 From: dave kormann Date: Sun, 15 Nov 2020 23:57:24 -0500 Subject: [PATCH] FIX: Compliance with Akraino security requirements This change modifies the SSH and sysctl configurations to comply with Akraino requirements. Among the changes: o Zeroize kernel pointer values in logs o Allow only members of the 'cloudadmin' group to log in via SSH o Limit active SSH sessions to 2 per user o Configure USBGuard with a rudimentary set of permissions Signed-off-by: dave kormann Change-Id: If52aa278b502f487091ed864b8e82acc7ff8f732 --- roles/ops-hardening/tasks/main.yaml | 82 ++++++++++++++++++++++++++++++++ roles/ssh_conf_hardening/tasks/main.yaml | 19 +++++++- 2 files changed, 99 insertions(+), 2 deletions(-) diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml index 3b75d16..7aab166 100644 --- a/roles/ops-hardening/tasks/main.yaml +++ b/roles/ops-hardening/tasks/main.yaml @@ -66,6 +66,18 @@ regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$' line: 'PASS_MIN_DAYS 0' +- name: "Set password hash to SHA512" + lineinfile: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD[\s]*[a-z0-9]*$' + line: 'ENCRYPT_METHOD SHA512' + +- name: "Set minimum number of password hash rounds" + lineinfile: + path: /etc/login.defs + regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$' + line: 'SHA_CRYPT_MIN_ROUNDS 5000' + # # Linux Failed password attempts # @@ -299,6 +311,7 @@ - { name: 'kernel.core_uses_pid', value: 1 } - { name: 'kernel.randomize_va_space', value: 2 } - { name: 'kernel.core_pattern', value: '/var/core/core'} + - { name: 'kernel.kptr_restrict', value: 2 } # # Configure core dump 
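Review bot: The `ENCRYPT_METHOD` regexp `'^ENCRYPT_METHOD[\s]*[a-z0-9]*$'` only matches a lower-case value, but login.defs values are conventionally upper case (`MD5`, `SHA256`, `SHA512`, `DES`), so an existing `ENCRYPT_METHOD MD5` line is left in place and a second `ENCRYPT_METHOD SHA512` is appended, and which copy shadow-utils honours is then parser-dependent rather than guaranteed. Use `regexp: '^ENCRYPT_METHOD\s+\S*\s*$'` (or `'^ENCRYPT_METHOD\b'`) so the directive is replaced rather than duplicated. `SHA_CRYPT_MIN_ROUNDS 5000` is the sha512crypt default, so the second task adds no cost to offline cracking; if the Akraino requirement is a cost floor, raise it (e.g. 65536 together with a matching `SHA_CRYPT_MAX_ROUNDS`) after checking login latency on the target hardware. Note also that on PAM-based systems login.defs governs chpasswd/newusers-style tools, while interactive `passwd` follows the pam_unix `sha512 rounds=` arguments, which this hunk does not touch.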
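Review bot: `kernel.kptr_restrict = 2` only zeroes pointers printed through `%pK`; it does not restrict who may read the kernel log, so unprivileged users can still read dmesg output that leaks addresses or hardware details via other format specifiers. Unless it is already set elsewhere in this sysctl list (which starts outside the hunk), add `- { name: 'kernel.dmesg_restrict', value: 1 }` next to it. A trailing comment `# 2 hides %pK pointers from everyone, including root` would also record why the stricter value was chosen over the more common 1.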
@@ -442,6 +455,75 @@ state: absent # +# tighten USB permissions +# +- name: Set USBGuard RestoreControllerDeviceState to false + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^[#\s]*RestoreControllerDeviceState\s*=\s*[a-z\-]*\s*$' + line: 'RestoreControllerDeviceState=false' + +- name: Set USBGuard ImplicitPolicyTarget to block + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^[#\s]*ImplicitPolicyTarget\s*=\s*[a-z\-]*\s*$' + line: 'ImplicitPolicyTarget=block' + +- name: Apply USBGuard policy in all cases + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: "^[#\\s]*{{ item }}\\s*=\\s*[a-z\\-]*\\s*$" + line: "{{ item }}=apply-policy" + with_items: + - PresentControllerPolicy + - PresentDevicePolicy + - InsertedDevicePolicy + +- name: Limit USBGuard IPC to root + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: "^[#\\s]*IPCAllowed{{item}}\\s*=" + line: "IPCAllowed{{item}}=root" + with_items: + - Users + - Groups + +- Name: Ban suspect USB devices + blockinfile: + # this isn't the optimal way to do this, i know, but i don't + # want to create a whole new template tree just to add this. + path: /etc/usbguard/rules.conf + create: yes + owner: root + group: root + mode: 0700 + insertbefore: BOF + # rules.conf doesn't seem to allow comments + marker: '' + block: | + # the akraino REC is targeted at server installs; as such + # we're liberal about allowing standard devices on the + # assumption we will be deployed in a relatively secure + # environment. 
The values below were chosen based on the + # devices that appear on a nokia OE19 with the virtual console + # enabled: + # xHCI controller/hub + allow with-interface equals { 09:00:00 } + # mass media — sites may want to consider restricting + # this to 08:06:50 to just get the virtual CDROM and ban + # other USB media + allow with-interface equals { 08:*:* } + # ethernet + allow with-interface equals { 02:02:ff } + # keyboard/mouse + allow with-interface one-of { 03:00:01 03:01:01 } + # per usbguard-rules.conf manpage: ban keyboard devices + # that expose other, suspicious, interfaces + reject with-interface all-of { 08:*:* 03:00:* } + reject with-interface all-of { 08:*:* 03:01:* } + reject with-interface all-of { 08:*:* e0:*:* } + reject with-interface all-of { 08:*:* 02:*:* } + # Setting file permissions # diff --git a/roles/ssh_conf_hardening/tasks/main.yaml b/roles/ssh_conf_hardening/tasks/main.yaml index 1058a52..256620c 100644 --- a/roles/ssh_conf_hardening/tasks/main.yaml +++ b/roles/ssh_conf_hardening/tasks/main.yaml @@ -62,7 +62,7 @@ - name: User Alive Interval setting ssh_conf: regexp: '[\s]*ClientAliveInterval' - values: "ClientAliveInterval 900\n" + values: "ClientAliveInterval 300\n" - name: Disable the X11forwarding ssh_conf: @@ -107,13 +107,23 @@ - name: MaxAuthTries setting ssh_conf: regexp: '[\s]*MaxAuthTries' - values: "MaxAuthTries 6\n" + values: "MaxAuthTries 3\n" + +- name: "Limit interactive session count to 2" + ssh_conf: + regexp: '[\s]*MaxSessions" + values: "MaxSessions 2\n" - name: Banner creation ssh_conf: regexp: '[\s]*Banner' values: "Banner /etc/banner\n" +- name: "Disable Keepalive" + ssh_conf: + regexp: '[\s]*TCPKeepAlive' + values: "TCPKeepAlive no\n" + - name: "Enable the Ipv6" lineinfile: path: /etc/ssh/sshd_config 
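Review bot: `- Name: Ban suspect USB devices` capitalises the task keyword, and Ansible rejects `Name` as an unknown task attribute, so the play fails before any USBGuard change is applied; it must be `- name: Ban suspect USB devices`. The rule order also undercuts the BadUSB defence the comment cites: usbguard applies the first matching rule, and `allow with-interface one-of { 03:00:01 03:01:01 }` matches any device exposing a keyboard interface alongside others, so a keyboard-plus-storage device is allowed before the `reject with-interface all-of { 08:*:* 03:00:* }` lines are ever reached — the reject rules need to precede that allow (as in the usbguard-rules.conf example) or the keyboard allow should use `equals`. `marker: ''` turns blockinfile's begin/end markers into bare empty lines, so a re-run matches whatever blank line is last in the file and re-inserts the block instead of replacing it; since the block itself already contains `#` comment lines, the rules file evidently tolerates comments (contradicting the `rules.conf doesn't seem to allow comments` note) and a real marker such as `marker: '# {mark} ANSIBLE MANAGED BLOCK'` can be used — worth confirming against the installed usbguard version. Finally, `mode: 0700` gives a data file an execute bit; `mode: '0600'` is sufficient for a root-only rules file.
```yaml
- name: Ban suspect USB devices
  blockinfile:
    # … unchanged: path / create / owner / group …
    mode: '0600'
    insertbefore: BOF
    marker: '# {mark} ANSIBLE MANAGED BLOCK'
    block: |
      # … unchanged: preamble comment, xHCI / mass-media / ethernet allow rules …
      # per usbguard-rules.conf manpage: ban keyboard devices that expose
      # other, suspicious, interfaces. These must come BEFORE the keyboard
      # allow below, because usbguard applies the first matching rule.
      reject with-interface all-of { 08:*:* 03:00:* }
      reject with-interface all-of { 08:*:* 03:01:* }
      reject with-interface all-of { 08:*:* e0:*:* }
      reject with-interface all-of { 08:*:* 02:*:* }
      # keyboard/mouse
      allow with-interface one-of { 03:00:01 03:01:01 }
```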
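Review bot: Lowering `ClientAliveInterval` to 300 does not produce a five-minute idle logout, because ClientAlive probes are answered automatically by any live SSH client regardless of user activity — this mechanism detects dead peers, not idle users. It is also paired in this role with `ClientAliveCountMax 0` (visible as context in the last hunk of this file): OpenSSH 8.2 and later treat 0 as disabling connection termination entirely, while earlier releases dropped the connection after the first unanswered probe, so the effect differs by target release. If the Akraino requirement is an idle-session timeout, that needs a shell-level control such as a read-only `TMOUT` in /etc/profile.d, and the task name should say what the interval actually achieves, e.g. `# dead-peer detection only; idle logout is handled by TMOUT`.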
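Review bot: `regexp: '[\s]*MaxSessions"` opens with a single quote and closes with a double quote, so the YAML parser treats the scalar as continuing onto the following lines and the role fails to load (or, depending on the parser, the task is silently garbled); it should be `regexp: '[\s]*MaxSessions'` like the sibling tasks. Separately, `MaxSessions` caps shell/subsystem channels multiplexed over a single network connection, not concurrent logins per account, so the task name "Limit interactive session count to 2" and the commit message's "2 per user" overstate it — a per-user limit needs pam_limits, e.g. a `maxlogins` entry in /etc/security/limits.conf. `MaxAuthTries 3` also counts every public key an agent offers, so operators with more than two keys loaded will be refused before password or keyboard-interactive is tried unless they set `IdentitiesOnly`; a comment noting that trade-off on the task would save a support call.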
@@ -140,6 +150,11 @@ regexp: '[\s]*ClientAliveCountMax' values: "ClientAliveCountMax 0\n" +- name: "Limit logins to members of {{ users['admin_user_name'] }} group" + ssh_conf: + regexp: '[\s]*AllowGroups' + values: "AllowGroups {{ users['admin_user_name'] }}\n" + - name: "Disable SSH Support for User Known Hosts" ssh_conf: regexp: '[\s]*IgnoreUserKnownHosts' -- 2.16.6
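Review bot: `AllowGroups {{ users['admin_user_name'] }}` passes a user name where sshd expects a group name, so the lockdown silently depends on the admin account's primary group sharing its name — the user-private-group default on RHEL/CentOS, but not guaranteed if the account is created with an explicit group — and the commit message's "cloudadmin group" suggests a group variable is the real intent. Either reference that group variable or add `# assumes the admin user's primary group is named after the user (UPG default)` above the task. Once `AllowGroups` takes effect, every account outside that group is refused, including the Ansible control user if it differs, so the role should assert membership before sshd is reloaded or a failed run can lock out management access; the ssh_conf module's behaviour is not visible here, so I am assuming it replaces the matched directive in place.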