openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rhel7stig/auth.yml
Markos Chandras d6ead42b8f tasks: Add missing tags for async tasks 
When running the role using a specific tag (eg -t auth), some tasks
try to check the status of the async ones and they fail because the
async task was never executed due to missing the 'always' tag. We can
fix that by adding the missing tags to the async tasks.

For example,

TASK [ansible-hardening : Remove .shosts or shosts.equiv files]
******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"failed": true, "msg": "'job_result' is undefined"}

So we add the appropriate tags to the async tasks.

Change-Id: I24a23fb485f2269ae6f627533b3a725f6699d230
2017-12-13 12:55:43 +00:00

258 lines
6.9 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
# microseconds.
- name: Set pam_faildelay configuration on Ubuntu
lineinfile:
dest: /etc/pam.d/login
regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}'
state: present
backrefs: yes
when:
- security_shadow_utils_fail_delay is defined
- ansible_os_family | lower == 'debian'
tags:
- auth
- medium
- V-71951
- name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
when:
- ansible_os_family == 'Debian'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Prevent users with blank or null passwords from authenticating (Red Hat)
lineinfile:
dest: "{{ pam_auth_file }}"
state: present
regexp: "^({{ item }}.*sufficient.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
with_items:
- auth
- password
when:
- ansible_os_family == 'RedHat'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Prevent users with blank or null passwords from authenticating (SUSE)
lineinfile:
dest: "{{ item }}"
state: present
regexp: "^(.*required.*)nullok(.*)$"
line: '\1\2'
backup: yes
backrefs: yes
with_items:
- "{{ pam_auth_file }}"
- "{{ pam_password_file }}"
when:
- ansible_pkg_mgr == 'zypper'
- security_disallow_blank_password_login | bool
tags:
- auth
- high
- V-71937
- name: Lock accounts after three failed login attempts a 15 minute period
blockinfile:
dest: "{{ pam_password_file }}"
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}"
when:
- ansible_pkg_mgr in ['yum', 'zypper']
- security_pam_faillock_enable | bool
tags:
- auth
- medium
- V-71943
- V-71945
# NOTE(mhayden): The unusual regex here ensures that we're omitting any lines
# that are commented out. Some commented lines may be preprended with spaces,
# so we need to account for that as well.
#
# First step is to find lines with 'nopasswd' in them and then omit any of
# those lines that have a '#' as the first character or '#' as the first
# character following a space (or series of spaces).
- name: Check for 'nopasswd' in sudoers files
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
register: sudoers_nopasswd_check
changed_when: False
tags:
- auth
- medium
- V-71947
- name: V-71947 - Users must provide a password for privilege escalation.
debug:
msg: >
The 'NOPASSWD' directive was found in the sudoers configuration files.
Remove the directive to ensure that all users must provide a password to
run commands as the root user.
when:
- not sudoers_nopasswd_check | skipped
- sudoers_nopasswd_check.stdout != 'not found'
tags:
- auth
- medium
- V-71947
- skip_ansible_lint
- name: Check for '!authenticate' in sudoers files
shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
register: sudoers_authenticate_check
changed_when: False
tags:
- auth
- medium
- V-71949
- name: V-71949 - Users must re-authenticate for privilege escalation.
debug:
msg: >
The '!authenticate' directive was found in the sudoers configuration
files. Remove the directive to ensure that all users must provide a
password to run commands as the root user each time they use sudo.
when:
- not sudoers_authenticate_check | skipped
- sudoers_authenticate_check.stdout != 'not found'
tags:
- auth
- medium
- V-71949
- skip_ansible_lint
- name: Check if sssd.conf exists
stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_check
check_mode: no
tags:
- always
# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
# should be skipped on those systems.
- name: Check if GRUB defaults file exists
stat:
path: "{{ grub_defaults_file }}"
register: grub_defaults_file_check
check_mode: no
tags:
- always
- name: Set a GRUB 2 password for single-user/maintenance modes
lineinfile:
dest: "{{ grub_defaults_file }}"
regexp: '^(#)?GRUB_PASSWORD'
line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
state: present
when:
- grub_defaults_file_check.stat.exists | bool
- security_require_grub_authentication | bool
notify:
- update grub config
tags:
- auth
- high
- V-71961
- V-71963
- name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
blockinfile:
dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
create: yes
block: |
# Deployed by the ansible-hardening role
# V-72217 - Limit concurrent sessions for all accounts/types
* hard maxlogins {{ security_rhel7_concurrent_session_limit }}
when:
- security_rhel7_concurrent_session_limit is defined
tags:
- auth
- low
- V-72217
- name: Check for pam_lastlog in PAM configuration
command: "grep pam_lastlog {{ pam_postlogin_file }}"
register: pam_lastlog_check
changed_when: False
failed_when: False
check_mode: no
tags:
- always
- name: V-72275 - Display date/time of last logon after logon
debug:
msg: >
The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
This is required by V-72275.
when:
- pam_lastlog_check.rc != 0
tags:
- low
- auth
- V-72275
- name: Ensure .shosts find has finished
async_status:
jid: "{{ shosts_find.ansible_job_id }}"
failed_when: False
changed_when: False
register: job_result
until: job_result.finished | bool
retries: 30
when:
- not shosts_find | skipped
tags:
- high
- auth
- V-72277
- V-72279
- name: Remove .shosts or shosts.equiv files
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ job_result.files }}"
when:
- not job_result | skipped
- security_rhel7_remove_shosts_files | bool
tags:
- high
- auth
- V-72277
- V-72279
View Git Blame Copy Permalink