From 546b3966551e02ad91d162ca75d0afad141f5bc2 Mon Sep 17 00:00:00 2001 From: "gabor.illes" Date: Wed, 6 Nov 2019 10:29:53 -0500 Subject: [PATCH] REC-443 OpenScap Security Scan fixes Deny failed password attempts in linux Audit rules update SSH key rename in ansible Change-Id: Ifce65c8303d602bb1441bfccedf537ca0f8bede4 Signed-off-by: gabor.illes --- roles/audit/templates/50-file-changes.rules.j2 | 8 +++-- roles/audit/templates/99-finalize.rules.j2 | 4 +-- roles/manage_linux_user/tasks/main.yml | 4 +-- roles/ops-hardening/tasks/main.yaml | 46 ++++++++++++++++++++++++++ 4 files changed, 55 insertions(+), 7 deletions(-)
diff --git a/roles/audit/templates/50-file-changes.rules.j2 b/roles/audit/templates/50-file-changes.rules.j2
index af0ca75..f01ba55 100644
--- a/roles/audit/templates/50-file-changes.rules.j2
+++ b/roles/audit/templates/50-file-changes.rules.j2
@@ -1,11 +1,13 @@
 ## file changes
+-w /opt/nokia/bin/hostcli -p aw -k hostcli
+-w /usr/bin/openstack -p aw -k openstackcli
 -w /boot/ -p rwxa -k dir_boot
 -w /opt/ -p aw -k dir_opt
 -w /etc/ -p rwa -k dir_etc
--w /usr/bin -p aw -k usr-bin
--w /usr/sbin -p aw -k usr-sbin
+-w /usr/bin -p rwxa -k usr-bin
+-w /usr/sbin -p rwxa -k usr-sbin
 -w /usr/libexec -p aw -k usr-libexex
--w /usr/local -p rwxa -k usr-local
+-w /usr/local -p awx -k usr-local
 -w /mnt/symptomreport/ -p awr -k symptomreport
 -w /usr/lib -p aw -k usr-lib
 -w /usr/lib64 -p aw -k usr-lib64
diff --git a/roles/audit/templates/99-finalize.rules.j2 b/roles/audit/templates/99-finalize.rules.j2
index bc0fd92..2b41af4 100644
--- a/roles/audit/templates/99-finalize.rules.j2
+++ b/roles/audit/templates/99-finalize.rules.j2
@@ -1,4 +1,4 @@
 ## Make the configuration immutable - reboot is required to change audit rules
-#-e 2
+-e 2
 ## Temporarily the value is set to 1 until the upgrade issue will be solved.
--e 1
+#-e 1
diff --git a/roles/manage_linux_user/tasks/main.yml b/roles/manage_linux_user/tasks/main.yml
index 9640717..500be58 100644
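Review bot: `-w /usr/local -p awx -k usr-local` silently drops the `r` that the replaced line had, while the same hunk adds `r` and `x` to the `/usr/bin` and `/usr/sbin` watches; if narrowing the /usr/local watch is intended, a one-line comment above it (`## read watch dropped on purpose: too noisy`) would stop the next reader from restoring it. Separately, `-p rwxa` on `/usr/bin` and `/usr/sbin` records every read and every execution of every binary under those directories, which is a very high event rate on a busy host; worth confirming it against the audit backlog and failure-flag settings, which are not in this hunk, before the ruleset is made immutable. The two new single-file watches (`hostcli`, `openstackcli`) overlap the existing `/opt/` and `/usr/bin` directory watches, which is fine for keyed searching but should be mentioned in the template so nobody "deduplicates" them later.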
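Review bot: The comment `## Temporarily the value is set to 1 until the upgrade issue will be solved.` is now stale: it sits above the line this hunk comments out, while the active rule is `-e 2`. Either delete it or reword it to describe the current state, e.g. `## -e 1 kept for reference: re-enable it if rules must be reloadable during upgrades`. With `-e 2` active the kernel rejects further audit configuration changes until reboot, so any later edit to the templated rules pushed by this role will not take effect on the host until it is restarted; that needs a reboot handler or at least a notice, presumably outside this file.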
--- a/roles/manage_linux_user/tasks/main.yml
+++ b/roles/manage_linux_user/tasks/main.yml
@@ -24,7 +24,7 @@
 - name: "remove the old public ssh key"
 file:
- path: /home/{{ item.name }}/.ssh/{{ item.name }}
+ path: /home/{{ item.name }}/.ssh/authorized_keys
 state: absent
 with_items: "{{ linuxuser | default([]) }}"
@@ -41,7 +41,7 @@
 - name: "add a new public ssh key"
 when: item.state == 'present' and item.public_key != ""
 lineinfile:
- path: /home/{{ item.name }}/.ssh/{{ item.name }}
+ path: /home/{{ item.name }}/.ssh/authorized_keys
 create: yes
 regexp: '.*'
 state: "{{ item.state | default('absent') }}"
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 3381cea..193bfe2 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
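Review bot: With the path renamed to the real `authorized_keys`, the first task ("remove the old public ssh key") now deletes the user's entire `authorized_keys` file for every entry in `linuxuser`, including users with `state: present` and any keys that were placed there by something other than this role; before this change the file was the role-private `.ssh/<name>`, so the unconditional `state: absent` was harmless. The second hunk then recreates the file with `regexp: '.*'`, so at most one key per user survives a run. Restrict the removal to accounts actually being removed, `when: item.state == 'absent'`, or manage individual keys with the `authorized_key` module instead of `file` plus `lineinfile`. The "add a new public ssh key" task continues past the second hunk (its `line:` and any ownership or mode keys are not visible here), and the same rename applies to both hunks, so whichever guard is chosen must stay consistent between them.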
@@ -66,6 +66,52 @@
 regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
 line: 'PASS_MIN_DAYS 0'
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+ lineinfile:
+ path: "{{item}}"
+ insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+ line: 'account required pam_faillock.so'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Account expiration following inactivity"
+ lineinfile:
+ create: yes
+ path: "/etc/default/useradd"
+ regexp: "^INACTIVE"
+ line: "INACTIVE=35"
+ tags:
+ - REC-443
+
 #
 # YUM config
 #
-- 2.16.6
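Review bot: The three `pam_faillock` tasks have no `regexp:`, so `lineinfile` only checks for an exact copy of `line`; the first time `deny=`, `unlock_time=` or `fail_interval=` is changed, a second faillock line is inserted next to the old one instead of replacing it, and PAM will evaluate both. A match keyed on the module and phase, e.g. `regexp: '^auth\s+required\s+pam_faillock\.so\s+preauth'` for task 1 and the corresponding `authfail` and `^account\s+required\s+pam_faillock\.so` patterns for tasks 2 and 3, keeps the tasks idempotent across parameter changes. When the `insertbefore`/`insertafter` anchor does not match (a host whose `*-auth-ac` files carry a different `pam_unix.so` line), `lineinfile` appends the line at the end of the file, where a `preauth` entry placed after the final deny is never reached, so the lockout is silently ineffective; a preceding check that the anchor line exists would surface that. `system-auth-ac` and `password-auth-ac` are presumably the authconfig-generated files, which that tool rewrites on its next run, and `INACTIVE=35` in `/etc/default/useradd` only applies to accounts created afterwards, so existing users are unaffected unless handled elsewhere.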